The CPA
The Colorado Privacy Act is a comprehensive privacy law protecting Colorado residents’ data rights. The law gives Coloradans the right to know what data organizations are collecting and extensive control over how those organizations obtain, use, and share that data. It applies to most businesses and nonprofits doing business in Colorado or with Coloradans. The CPA goes into effect on July 1, 2023, with certain measures coming into effect one year later, on July 1, 2024.
The Colorado Attorney General enforces the CPA, along with Colorado district attorneys. While Colorado citizens may contact the attorney general with concerns, residents can’t initiate legal actions.
The law applies to organizations that do business in Colorado or sell “products or services that are intentionally targeted at Colorado residents, and either:
- Control or process the personal data of at least 100,000 people per year; or
- Do both of the following:
- Control or process the data of at least 25,000 consumers, and
- Sell personal data for revenue or discounts.
Why is CPA compliance so challenging?
The CPA looks similar to the California Privacy Rights Act, but differs in key ways. There’s no revenue threshold for Colorado’s privacy law, which means a business won’t be forced to comply because of its income. That’s not the case under the CPRA.
On the other hand, while the CPRA only considers personal data sales if they account for at least 50% of revenue, any data sale counts towards CPA applicability.
So, for example, a large business that doesn’t deal with personal data might be liable for CPRA compliance but not CPRA compliance; whereas a small business that occasionally sells personal data could be on the hook in Colorado, but not in California.
Under the CPA, businesses are obligated to post privacy notices that clearly explain how they collect and use consumer data. The notices must cover the categories of data, the data’s purpose, what you’re sharing with third parties, and how users can exercise their data rights.
Pro-tip: If you’re already VCDPA compliant, the CPA reads very similarly. Perhaps the most significant difference, though, is that Colorado reserves rulemaking authority to their state attorney general – meaning that the Colorado attorney general will have the power (unlike in Virginia) to issue implementing regulations sketching out what best practice compliance actually looks like.
What are the CPA’s pain points?
Data access requests: Under the CPA, businesses have 45 days to respond to consumer data access requests. If you need more time, you can take a 45-day extension. However, you must let the consumer know, and you must explain why you need more time within the first 45 days.
If you reject the request, you must explain your reason, and let the consumer know that they can contact the Colorado Attorney General if they have concerns.
Universal opt-out: Under the CPA, consumers have the right to opt out of the processing of personal data for targeted advertising or for the sale of personal data. The CPA provides for a “user-selected universal opt-out mechanism.” Beginning July 1, 2024, this mechanism will be mandatory. There isn’t yet clear guidance on specific expectations, but the Colorado Attorney General will talk specifics by July 1, 2023.
Data protection impact assessments: The CPA requires you to conduct a data protection assessment whenever processing “presents a heightened risk of harm to a consumer.” Specifically, the law requires DPIAs if you’re processing data for targeted advertising, selling personal data, or processing sensitive data.
Who is exempt from the CPA?
The CPA exempts public higher education institutions, as well as organizations governed by the GLBA, HIPAA, and HITECH. However, unlike data privacy laws in Virginia, California, and Utah, the CPA does not have a blanket exclusion for non-profits. Unless they’re in another category exempted by the law, nonprofit organizations must comply.
Stay up to date with the Colorado Privacy Act
Get this guide to see how you can prepare for the CPA
