The Colorado Privacy Act: What you need to know about CPA compliance

What is the Colorado Privacy Act?

The Colorado Privacy Act is a comprehensive privacy law protecting Colorado residents’ data rights. The law gives Coloradans the right to know what data organizations are collecting and extensive control over how those organizations obtain, use, and share that data. It applies to most businesses and nonprofits doing business in Colorado or with Coloradans. The CPA goes into effect on July 1, 2023, with certain measures coming into effect one year later, on July 1, 2024.

Who enforces the CPA?

The Colorado Attorney General enforces the CPA, along with Colorado district attorneys. While Colorado citizens may contact the AG with concerns about how businesses are upholding their rights, the CPA does not grant citizens the right to initiate legal actions.

Who does the CPA apply to?

The CPA applies to organizations that do business in Colorado or sell “products or services that are intentionally targeted” at Colorado residents, and either:

• Control or process the personal data of at least 100,000 people per year; or
• Do both of the following:
  • Control or process the data of at least 25,000 consumers, and
  • Sell personal data for revenue or discounts.

The CPA looks similar to the California Privacy Rights Act, but differs in key ways. There is no revenue threshold for Colorado’s privacy law, which means a business won’t be forced to comply because of its income. That’s not the case under the CPRA.

On the other hand, while the CPRA only considers personal data sales if they account for at least 50% of revenue, any data sale counts towards CPA applicability.

So for example, a large business that doesn’t deal with personal data might be liable for CPRA compliance but not CPA compliance; whereas a small business that occasionally sells personal data could be on the hook in Colorado, but not California.

Colorado Privacy Act exemptions

The CPA exempts public higher education institutions, as well as organizations governed by the GLBA, HIPAA, and HITECH. However, unlike data privacy laws in Virginia, California, and Utah, the CPA does not have a blanket exclusion for non-profits. Unless they’re in another category exempted by the law, nonprofit organizations must comply.

Data under the CPA

What does the CPA consider personal data?

The CPA defines personal data as information that:

• Is linked or reasonably linkable to an identified or identifiable individual; and
• Does not include de-identified data or publicly available information

Colorado’s privacy law only includes consumer data, and does not apply to HR data or other data about employees, contractors, or business partners.

Additionally, the CPA excludes several types of data:

• Public records
• Publicly available information
• Aggregate data
• De-identified data

The aggregate and de-identified data exemptions give businesses a safe way to use consumer data for secondary purposes, such as studying consumer demand or creating customer personas. By removing personally identifiable information, you can fully harness consumer data while still meeting Colorado data privacy requirements.

How does the CPA define “sensitive data?”

Like other state privacy laws, the CPA has special protections for the most sensitive personal information. This category, called “sensitive data” includes any personal information that reveals:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health conditions or diagnoses
• Sex life or sexual orientation
• Citizenship status
• Uniquely identifying genetic or biometric data
• Personal data from a child under the age of 13

Under the CPA organizations must always obtain consent before processing sensitive data. In the case of sensitive data belonging to a known child, the business must get consent from a parent or guardian.

What consumer rights does the CPA guarantee?

The CPA gives consumers the right to:

• Access
• Correction
• Delete
• Data portability
• Opt out
• Appeal

Right to access

Consumers have the right to know whether you’re processing their data and what data you’re processing, and to access that data.

Right to correction

Consumers have the right to correct inaccuracies in their personal data.

Right to delete

Consumers have the right to request businesses delete their personal data.

Right to data portability

Consumers have the right to receive a copy of their personal data in a usable format that they can read or share as they see fit.

Right to opt out

Consumers can opt out of having their data sold or processed for targeted advertising. They can also opt out of profiling “in furtherance of decisions that produce legal or similarly significant effects.”

Right to appeal

The CPA gives businesses the right to deny user data requests under certain circumstances. For example, if you’ve already de-identified the information and there’s no reasonable way to figure out which data belongs to the user, you’re off the hook.

However, if a business does deny a user request, that user has the right to appeal the denial. The business must review their decision and, if they ultimately deny the request, inform the user that they can contact the Colorado Attorney General with their concerns.

What obligations do businesses have under the CPA?

Maintain transparent privacy notices

The Colorado Privacy Act requires data controllers to post privacy notices which clearly explain how they collect and use consumer data. These notices should cover:

• The categories of data you collect or process
• The purpose of each data type
• What data types you’re sharing with third parties
• What kinds of third parties you’re sharing the data with, and
• How users can exercise their data rights

Obtain consent

The CPA requires you to obtain “freely given, specific, informed, and unambiguous” consent to process sensitive data. Colorado privacy law specifically bars organizations from gaining consent in ambiguous ways, such as:

• Using a broad “terms of use” document
• Having users signal consent by “hovering over, muting, pausing or closing a given piece of content”

Keep it simple. Tell users what data you want from them and what you intend to do with it, ask for their permission, and make it easy for them to say “yes” or “no” with a click.

Process Colorado data access requests promptly

Under the CPA, businesses have 45 days to respond to consumer data access requests. If you need more time, you can take a 45-day extension. However, you must let the consumer know, and explain why you need more time within the first 45 days.

If a consumer appeals your decision, you must respond within 45 days. This time, you have the right to a 60 day extension “where reasonably necessary” — if you let the requester know.

If you ultimately reject the request, you must explain your reason, and let the consumer know that they can contact the Colorado Attorney General if they have “concerns about the result of the appeal.”

Provide an opt-out

Beginning July 1, 2024, businesses are required to provide a universal opt-out for Coloradans. Users should be able to opt out of all targeted advertising, data sales, and significant profiling with one button. However, that doesn’t mean you can wait until then to provide users with opt out rights. You need to give users the ability to easily opt out of these data uses from July 1, 2023 on.

Specify your collection purpose, and stick with it

The Colorado Privacy Act requires businesses to use purpose specification for data collection, and avoid secondary uses. In other words, when you collect personal data, you need to:

• Explain what you intend to do with that particular data type, and
• Only use the data for the purpose you specified.

So for example, let’s say you create an app that collects birthdays when users sign up as a way to verify age. Once you’ve collected the data, you can’t decide to use it to send users special birthday offers. They’ve only agreed to share their data for age verification purposes, so that’s all you can do with the data.

Minimize data collection

The CPA requires users to only collect data that’s “reasonably necessary” for a specified purpose. This practice, called “data minimization,” isn’t just required to comply with the law; it also protects your business in the event of a security breach. Don’t collect sensitive info like Social Security numbers when a name and password will do — the less sensitive data you’re storing, the better for you and your users.

Conduct data protection impact assessments whenever there’s a risk

The Colorado Privacy Act requires you to conduct a data protection assessment whenever processing “presents a heightened risk of harm to a consumer” — if you’re processing data collected after the law went into effect, that is. The law specifically requires DPIAs if you’re processing data for targeted advertising, selling personal data, or processing sensitive data. 

You’re also required to do DPIAs if you’re conducting profiling that presents a risk of:

• “Unfair or deceptive treatment”
• “Unlawful disparate impact” on consumers
• Financial or physical harm
• Intrusion on a consumer’s solitude or privacy
• Any other “substantial injury”

However, DPIAs are a good idea, even when they’re not specifically required by Colorado privacy law. DPIAs create a paper trail, showing that you take consumer privacy seriously, and spelling out what changes you’ve made to protect consumers.

Take security seriously

The CPA includes a “duty of care” rule, requiring controllers to “take reasonable measures to secure personal data during both storage and use.” Make sure your company is limiting who can access personal data, and protecting it with strong security practices.

Have contracts with all your data partners

The CPA requires contracts between a data controller and any data processors that they’re working with. These contractors should spell out the rules and responsibilities of both parties very clearly, including:

• What types of data the processor is processing
• What they are required to do with the data
• The purpose of processing the data
• The duration of the data processing agreement

The contract should also make it clear that the processor is required to “delete or return all personal data to the controller” at the end of their service, and cover any audit requirements the controller is imposing on the processor.

What if I have a data breach?

Colorado has strong breach protection laws, but they’re not governed by the CPA. For commercial entities operating in Colorado or doing business with Coloradans, data breaches are regulated by C.R.S. § 6-1-716.

If you may have suffered a security breach, Colorado law requires that you investigate quickly to see if any personal information has been, or is likely to be misused. If the data has been misused, or misuse is “reasonably likely,” you must notify any Coloradans affected by the breach. Additionally, If the breach affects 500 or more Coloradans, you must also contact the state’s attorney general using the Data Breach Reporting Form.

CPA enforcement

Violations of the CPA are considered “deceptive trade practices,” with penalties specified by the Colorado Consumer Protection Act. This gives the attorney general or a Colorado district attorney the ability to fine businesses up to $20,000 for each violation.

However, the way the law is written suggests that enforcement will focus on remediation, rather than punishment. The Colorado Privacy Act instructs the attorney general or district attorney to issue a “notice of violation” to the controller, and give them 60 days to fix the violation, assuming it’s a violation the attorney believes can be fixed.

However, this cure period is only valid until January 1, 2025. Currently, it’s unclear how Colorado privacy enforcement will change after that date.