With the growing reliance on processing consumer data in all aspects of the US economy, concerns about data privacy are driving more states to enact laws to safeguard data privacy rights.
The Colorado privacy law is among those recently enacted, established to safeguard the data privacy rights of Colorado residents. But what similarities and differences does it have compared to the privacy laws of other states? How is the CPA different from Virginia’s CDPA, Connecticut’s privacy law, California’s Data Privacy law, or the Utah Consumer Privacy Act?
Below, we’ll provide an overview of the Colorado Privacy Act (CPA) and how its regulations might apply to your business.
The CPA’s Timeline
Currently, the Colorado privacy law’s effective date is July 1, 2023. However, its enforcement date will vary based on the guidelines provided by the law’s enforcers—the Colorado attorney general and district attorneys.
Regardless, organizations required to comply with the Colorado Privacy Act should review their compliance programs and documents to see how they match the CPA’s new data privacy standards.
Which Organizations are Subject to the CPA?
Like other privacy laws, the Colorado Privacy Act’s jurisdiction is based on the location of data subjects whose information will be processed.
For instance, the European Union (EU) General Data Protection Regulation (GDPR) applies to any organization that processes the data of EU citizens, whether it is located within or outside of the EU. The California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) similarly applies to businesses operating in California or those that process the data of California residents.
When it comes to the Colorado data privacy law, two requirements determine whether a business must comply with the CPA regulations:
- First, the business provides and/or markets its commercial goods or services to Colorado residents.
- Second, the organization handles the personal data of over 100,000 consumers per calendar year or obtains revenue from selling the data of at least 25,000 consumers.
Unlike the CCPA/CPRA, the CPA does not have a monetary threshold for compliance requirements.
The Colorado privacy law also regulates the following types of entities:
- Controllers are the organizations that collect, process or share the data of Colorado residents during the provision of goods or services.
- Processors are entities that handle the sensitive personal data of Colorado residents on behalf of controllers.
- Third-party entities are not controllers or processors but have access to Colorado consumers’ data. They can be persons, businesses, public authorities, or agencies.
Similar to the CPRA, the Colorado privacy law protects both consumers and businesses.
Businesses, whether controllers or processors, must ensure that all of their data-handling activities keep consumer data safe. However, the law also helps them avoid legal risks related to collecting and processing data outside the scope of the Colorado privacy law.
Personal Information Covered Under the CPA
The CPA protects personal data that could be “linked or reasonably linkable to an identified or identifiable individual.” Similar to other data privacy laws, the CPA also established categories of “sensitive data,” such as:
- Protected health information
- Biometric data
- Religious or ethnic origin information
- Citizenship status
- Personal data of a known minor
CPA-Codified Privacy Rights
Under the Colorado privacy law, Colorado residents have the right to:
- Access their data if it is handled by a controller
- Correct errors or inaccuracies in their data
- Request controllers to delete their data
- Receive their data from controllers in portable form
- Object to the processing of their data
- Suspend controllers or processors from processing their data
- Opt out of automated processing that may result in profiling and significant decisions
- Be free from discrimination by controllers when exercising their CPA rights
Rights Response Timelines
Businesses responding to privacy requests must be mindful of several operational timelines:
- Response: 45 days
- Response extension: 45 days
- Process opt-outs: 15 days
- Completion confirmation: without undue delay
- Response to appeal of denied request: 45 days
- Deletion of sensitive data: 12 hours
CPA-Stipulated Business Obligations
When it comes to business obligations, the Colorado Privacy Act requires controllers and processors to:
- Provide a clear and publicly accessible privacy notice that details which data is collected from consumers and for which reasons, how the data will be processed by the data controller, processors, and other third parties, and how consumers can exercise their CPA rights.
- Require processors to review and sign binding vendor contracts that govern data processing activities and ensure they meet CPA requirements.
- Conduct data protection assessments if the consumers’ data will be processed via activities that may present significant privacy risks to Colorado residents.
- Report data breaches that involve Colorado consumers’ data per the guidelines listed in Colorado’s data breach notification law, C.R.S. § 6-1-716.
Most importantly, organizations that process data subject to the Colorado data privacy laws must review updates to these business obligations to minimize gaps in CPA compliance.
How the CPA Addresses Specific Privacy Circumstances
The Colorado Privacy Act also outlines special circumstances that businesses must pay attention to when processing the personal data of Colorado residents:
- Prior to collecting personal data from children (under 13), businesses must obtain consent from a parent or lawful guardian.
- Consent must be obtained from data subjects when processing data outside the scope of defined business purposes or the conditions described by the CPA regulations.
- Data subjects may designate authorized agents to act on their behalf when exercising their CPA rights, such as opting out of data processing.
- Controllers can only sell data to third parties when the data subject has given consent.
- All forms of targeted advertising must be disclosed, providing consumers the right to opt out or exercise other such CPA rights.
- Profiling is considered a significant privacy risk factor under the CPA.
Exemptions & Limitations to the CPA
Several exemptions and limitations may apply when complying with the Colorado privacy law:
- When processing anonymized, de-identified, pseudonymized, or aggregated data under the CPA, organizations should ensure the data remains so and cannot be associated with a data subject.
- Compliance with the Colorado privacy law should also account for guidelines related to data processing provided within other state or federal laws.
- Exempted organizations under the CPA include those that process data for legal, quality assurance, or security reasons. Essentially, exemptions may apply if an organization handles CPA data for reasons of public interest.
It is best to review these exemptions and limitations with a data privacy partner to ensure you remain compliant with the Colorado privacy laws at all times.
Who will Enforce the CPA?
The Colorado privacy law is solely enforced by the Colorado Attorney General and district attorneys, who can impose penalties on businesses deemed non-compliant with its regulations.
There is currently no authorized private right of action in the Colorado privacy law. When deemed possible, entities can cure alleged violations within 60 days of being notified of the violation.
Consumer Privacy Assurance with DataGrail
Privacy compliance starts with a strong data privacy foundation and remains essential for maintaining a positive brand reputation. Compliance with privacy laws like the Colorado Privacy Act is vital to enhancing your data privacy protections while avoiding legal risks.
With the help of a trusted data privacy partner like DataGrail, you will be well on your way to achieving industry-standard privacy safeguards.
For more information, explore our data privacy platform.
Colorado General Assembly. Colorado Privacy Act. https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
Colorado General Assembly. Colorado Revised Statutes 2018 Title 6. https://leg.colorado.gov/sites/default/files/images/olls/crs2018-title-06.pdf
Colorado General Assembly. SB21-190 Summary – Protect Personal Data Privacy.
The National Law Review. And Then There Were Three: Colorado Passes Privacy Law, Effective July 2023. https://www.natlawreview.com/article/and-then-there-were-three-colorado-passes-privacy-law-effective-july-2023