Colorado Privacy Act (CPA)

Learn the rights, rules, and requirements established by the Colorado Privacy Act, and what your business needs to do to comply.

What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act (CPA) is the third major state-wide privacy act, joining the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). It combines elements of both of those laws with concepts from international rules such as the GDPR. Its emphasis is on transparency, keeping consumers informed about how their data is used, but it also requires advance consent for processing sensitive data and an opt-out mechanism for the sale of personal data, targeted advertising and certain profiling.

The CPA was signed into law on 7 July 2021 and takes effect on 1 July 2023. Two further changes are written into the statute itself: from 1 July 2024 controllers must honor a user-selected "universal opt-out" mechanism for data sales and targeted advertising, and on 1 January 2025 the grace period for curing violations sunsets.

What are the CPA's goals?

The CPA’s legislative declaration says it is designed to create and uphold privacy rights for consumers and to make data controllers act in ways that help consumers exercise those rights. It is also designed to reduce the risk of harm to consumers and to make clear that a violation of the CPA is a deceptive trade practice under the Colorado Consumer Protection Act.

What rights does the CPA establish for data subjects?

The CPA sets out five rights regarding personal data:

  • The right to opt out of the sale of their personal data, its use for targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects.
  • The right to confirm whether a controller is processing their personal data and to access that data.
  • The right to correct inaccuracies.
  • The right to delete their personal data.
  • The right to obtain a copy of their data in a portable and, where technically feasible, readily usable format that lets them transfer it to another entity. This right can be exercised no more than twice in a calendar year.

When a consumer submits a request to exercise any of these rights, the controller must respond without undue delay and in any case within 45 days of receiving it. Where reasonably necessary because of the complexity or number of requests, the controller may take up to 45 additional days, but it must tell the consumer about the extension and the reason for it within the original 45-day window. The total response time therefore cannot exceed 90 days.

Consumers must be able to exercise these rights without being required to create a new account (a controller may ask them to use an existing one) and without facing discrimination in the price or quality of goods or services.

To support these rights the controller must take several steps, notably publishing a reasonably accessible, clear and meaningful privacy notice that covers:

  • The types of data it collects.
  • The purposes for which it processes data.
  • How and where consumers can exercise their CPA rights, including how to appeal a controller’s decision on a request.
  • The types of data it shares with third parties.
  • The types of third-party recipients.

What type of data is protected?

The CPA covers personal data, defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” It does not cover:

  • Data about individuals acting in an employment or commercial context (they are not “consumers” under the Act).
  • De-identified data.
  • Publicly available information.

The CPA has specific rules for sensitive data, as detailed below.

What are the consent management requirements of the CPA?

In most cases the CPA does not require consent for data processing; it relies instead on notice, making consumers aware of the processing and giving them ways to limit it.

The CPA does require advance consent for processing sensitive data, which falls into three categories:

  • Data that reveals a person’s “racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.”
  • Biometric or genetic data processed to uniquely identify an individual.
  • Personal data from a known child (under 13).

The CPA’s definition of consent makes clear that it must be meaningful: a clear, affirmative act signifying freely given, specific, informed and unambiguous agreement to a particular processing purpose. Consent cannot be inferred from acceptance of general terms of use, from hovering over, muting, pausing or closing a piece of content, or obtained through dark patterns that manipulate the consumer’s choice. Burying it in general terms and conditions does not count.

The CPA uses an opt-out model for the sale of personal data (a “sale” means exchanging data for monetary or other valuable consideration, not just for money) and for targeted advertising. Controllers do not need consent to sell data, but they must stop doing so when the consumer asks and must state clearly in their privacy notice whether they sell data or use it for targeted advertising.

Initially, the law leaves the method for submitting this request largely to the controller. The Attorney General must publish technical specifications for a user-selected “universal opt-out mechanism” by 1 July 2023, and controllers must honor it from 1 July 2024. The expectation is a browser or device setting that signals the consumer’s opt-out choice to every controller it reaches, rather than a separate request to each one.

What is the scope and jurisdiction of the CPA?

The CPA applies to any organization that meets criteria for both location and the number of data subjects:

  • The location criterion is that the organization either conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted at Colorado residents. (Colorado residents must be among the intended audience; Colorado need not be the sole or primary market.)
  • The data subject criterion is that the organization controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year. The threshold drops to 25,000 if the organization derives revenue or receives a discount from the sale of personal data.

The revenue of the organization does not matter.

There is no exemption for non-profit organizations, unlike under the California and Virginia laws. Broadly, most government data processing is exempt, as is data already regulated by certain federal laws, such as protected health information under HIPAA and data held by financial institutions subject to the Gramm-Leach-Bliley Act.

Does your organization need to comply?

If you meet the location and data subject criteria, you will need to comply with the CPA whenever you process personal data about a Colorado consumer.

Both the Attorney General and district attorneys can enforce the CPA. Until 1 January 2025, a controller notified of an alleged violation has 60 days to cure it before an enforcement action can proceed; if it does not, each violation is a deceptive trade practice under the Colorado Consumer Protection Act, carrying a civil penalty of up to $20,000 per violation. Once the cure period sunsets on 1 January 2025, enforcement can begin without any grace period.
