What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a comprehensive data privacy state law providing Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. The CPA will go into effect on July 1, 2023, making Colorado the third state, after California and Virginia, to have a comprehensive data privacy legislation in place.

Similar to the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), the CPA is the next step in providing increased privacy regulation in the United States.

What is considered personal and sensitive data under the Colorado Privacy Act?

The CPA defines personal data as:

[…]information that is linked or reasonably linkable to an identified or identifiable individual but does not include de-identified data or publicly available information.

The law defines sensitive data as:

Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;

Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;

Personal data from a known child.

Who does the Colorado Privacy Act apply to?

The CPA applies to businesses that collect or process the personal data of Colorado residents and that fall under one of the following criteria:

1. Process personal data of 100,000 or more consumers annually.
2. Derive revenue from the sale of personal data and processes the personal data of 25,000 or more consumers annually.

How will businesses need to comply with the Colorado Privacy Act?

A business subject to the CPA will need to comply with various rules and regulations, including:

• Providing a visible notice informing consumers at or before the point of data collection about what personal data is being collected, how it will be used, and whether it will be sold to third parties and conduct data protection assessments;
• Responding to consumer requests to access, correct, or delete their personal data within 45 days;
• Implementing reasonable security measures to protect personal data from unauthorized access;
• Obtaining consumers’ informed consent before collecting or processing sensitive data (such as physical health condition or biometric data);
• Training employees who handle personal data on how to comply with the CPA;
• Complying with the Private Right of Action provision;
• Appointing a Data Protection Officer if the business processes the personal data of 50,000 or more consumers, households, or devices.

What are the consumer rights under the Colorado Privacy Act?

The CPA provides consumers with a number of rights regarding their personal data:

• Right to opt out: Consumers have the right to opt out of the processing of personal data for purposes such as targeted advertising, selling personal data, or profiling.
• Right of access: Consumers have the right to request access to the personal data that a business has collected about them.
• Right to correction: Consumers have the right to request that a business correct any inaccuracies in their personal data.
• Right to deletion: Consumers have the right to request that a business delete their personal data.
• Right to data portability: Consumers have the right to receive a portable copy of their personal data in a readily usable format.

More privacy law resources

• California Privacy Rights Act (CPRA)
• California Consumer Privacy Act (CCPA)
• Utah Consumer Privacy Act (UCPA)
• Connecticut Data Privacy Act (CTDPA)
• New York SHIELD Act
• Health Insurance Portability and Accountability Act (HIPAA)

FAQ.

Does the CPA require a business to conduct a data protection assessment?

Yes, data controllers are required to conduct and document data protection assessments.

Who is a “controller?”

Under the CPA, a “controller” is someone who […] determines the purposes for and means of processing personal data.

Who is a “processor?”

Under the CPA, a “processor” is someone who processes personal data on behalf of a controller.

Who does not count as a consumer under the CPA?

A consumer Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

What is the Colorado Consumer Protection Act?

The CCPA is a state law that protects consumers from deceptive and unfair trade practices, including false advertising and other types of consumer fraud.

Updated on: March 31, 2023