On July 7, 2021, Colorado became the third U.S. state to establish regional data privacy legislation. Colorado included the legislation in Senate Bill 21-190, which was signed into action by Governor Polis.
The Colorado Privacy Act (CPA), also called the Colorado Privacy Law, became effective on July 1, 2023. Colorado’s legislation follows the Virginia Consumer Data Protection Act (VCDPA) and California Consumer Privacy Act (CCPA) as it facilitates personal data rights to residents and consumers across the Centennial State.
Following in the footsteps of the VCDPA, CCPA, and the prior enacted California Privacy Rights Act (CPRA), the CPA grants broader rights to state residents and requires organizations conducting business in Colorado or with residents to follow strict data privacy guidelines. The CPA is included in the extensive Colorado Consumer Protection Act.
Learn how UpGuard helps organizations achieve cybersecurity compliance >
What is the Colorado Privacy Act?
The CPA is a comprehensive set of privacy laws that affords Colorado residents broader data protection rights. The act grants Colorado residents the right to know what types of data are collected from them, why it is collected, and how this information is being used. The Colorado Privacy Act also provides consumers the right to opt out of the sale of their data and access, delete, and correct inaccuracies in their data as they see fit.
According to the CPA, a consumer defines any Colorado resident acting within an individual or household context. The CPA does not protect Colorado residents acting within or on behalf of a commercial or employment context. For example, the CPA would not cover job applicants.
In addition to providing rights to residents and consumers, the CPA also helps offer state-wide definitions of personal and sensitive data. The CPA defines personal data as any information directly tied or logically linked to an individual. This definition excludes public information that is otherwise widely available.
The CPA defines sensitive data as any personal data that may reveal one or more of the following characteristics or is processed in an attempt to identify an individual:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health
- Sexual orientation
- Citizenship status
- Genetic data
According to the CPA, the personal data of any child under 13 also constitutes sensitive data.
What Consumer Rights Are Granted By the CPA?
The CPA grants Colorado consumers various privacy protection rights and the opportunity to learn more about the types of data controllers, and processors are collecting, sharing, and selling. The following is a complete list of the rights that are granted to Colorado consumers and enumerated within the CPA:
- The right to opt out of the sale of their personal data
- The right to opt out of the collection of their personal data for targeted advertising or various types of profiling
- The right to know if a controller is processing or collecting their data
- The right to access the data a controller has collected
- The right to delete the data a controller has collected
- The right to edit the data a controller has collected
- The right to download a copy of their personal data
- The right to data portability or the right to transfer their data from one platform to another (up to two times per year)
Who Must Comply With the CPA?
The laws and regulations in the CPA apply to any organization or entity (including non-profits) that conducts business in Colorado or directly targets Colorado residents to sell commercial products or services and meet either of the following criteria:
- Process the personal data of more than 100,000 individuals during a single calendar year
- Derive revenue or receive discounts on a good(s) or service(s) in exchange for the sale of personal data of at least 25,000 individuals
It’s important to note that the CPA also applies to processors and controllers acting as a service provider, contractor, or vendor that manages, maintains, or provides services on behalf of a separate entity.
What is the Difference Between a Data Controller and a Data Processor?
The main difference between a data controller and a data processor is the authority each maintains over a consumer's personal data.
Controllers are primarily concerned with data collection methodology and purpose. Entities acting as data controllers determine what types of data are collected and how this data is collected from consumers.
For example, big-box retailers are considered controllers because they collect various information when customers make purchases in-person or online. After this data is collected, controllers also determine how this data is managed and used.
Data processors are primarily concerned with data storage and distillation. Entities acting as a processor may sell, store, classify, disclose, analyze, delete, or modify consumer data on behalf of a controller. Processors do not define what type of data is collected or the method by which personal data is collected.
Some data processors may also act as a controller. If a processor starts to determine the purpose and means of a particular data set, then that processor has become a controller concerning that data set.
Under the CPA, processors only possess the authority to process data when commanded by a data controller. The CPA requires controllers and processors to explicitly define their responsibilities and roles related to consumer data in a binding agreement.
Who does the CPA Exclude?
While most entities conducting business in Colorado must comply with the CPA, some organizations are exempt under exceptional circumstances. The following organizations are considered exempt:
- Financial institutions and their direct affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA)
- Air carriers that are subject to regulations set by the Federal Aviation Administration
- National security associations registered under the Securities Exchange Act (SEC,1934)
Personal data maintained in compliance with various federal data privacy laws (or additional federal laws) is also exempt under the CPA. (This includes entities, such as healthcare organizations, who follow regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act, and others.)
Section 6-1-1304 of the CPA includes a complete list of these exemptions.
How Do Entities Remain Compliant Under the CPA?
The CPA places various new responsibilities on entities conducting business in the state. These new obligations require entities to safeguard personal data, provide transparency to consumers regarding the use of their data, and conduct periodic data protection audits to monitor the security of their processing activities.
UpGuard’s Vendor Risk tool can help you monitor, anticipate, and remediate data protection problems across all your third-party vendors before they become an issue.
UpGuard’s BreachSight product also continually monitors an organization’s compliance across all significant compliance standards and regulations.
Entities must do the following to comply with the regulations set forth by the CPA:
- Transparently share how they collect, store, use, disclose, and sell consumer data
- Transparently share purpose specifications for which they collect, store, use, disclose, and sell consumer data
- Reduce the amount of data they collect and store (data minimization)
- Avoid repurposing data for a secondary use not initially admitted to the consumer
- Follow best practices to ensure data security during their duty of care
- Promptly respond to consumer requests submitted by rights granted under the law (including modification or deletion requests)
- Conduct data protection assessments before selling personal data, processing sensitive data, or processing personal data
Under the CPA, entities are not permitted to do the following:
- Participate in the collection, storage, use, or processing of sensitive data without the individual’s consent
- Utilize personal data in any manner that results in unlawful discrimination
How Do Consumers Exercise Their Rights Under the CPA?
After the effective date of the CPA (July 1, 2023), Colorado consumers can exercise their rights under the law on the website of each business it conducts business with. These businesses are obligated to provide customers with a privacy notice.
The companies must also obtain consumer consent if any of the following actions are to occur:
- Collection and processing of a consumer’s sensitive data
- Processing of personal data for any reason other than the reasons listed when the entity first collected data
- Selling or processing data for advertising after a consumer has opted out of such use
This privacy notice should include what types of data are being collected, why that data is being processed, what data is being shared, and the steps a consumer should take if they want to access, modify, download, or delete their data.
If a consumer’s personal data is being sold or processed for targeted advertising, the business will need to provide notice to the consumer. This notice must contain a detailed explanation with technical specifications of how individuals can opt out of having their data sold.
Consumers are also permitted to be able to opt out of data collection through a universal opt-out mechanism.
Who Will Enforce the CPA?
Enforcing the Colorado Privacy Act is the sole duty of the Colorado Attorney General’s Office and the office’s District Attorneys. The Attorney General’s Office is also afforded sole regulatory responsibilities and rulemaking authority under the law.
Private citizens who feel their data has been mishandled under the rights afforded to them by the CPA are not permitted to file lawsuits or take legal action. Only the Attorney General and District Attorneys are tasked with implementing the CPA and are empowered to enforce the law.
Are Entities Notified if They are in Violation of the CPA?
If a business violates the CPA, contact from the Attorney General or District Attorney will depend on the extent of the violation. If the entity can remedy the offense, the AG or DA’s office will send the violator a letter that discloses the data breach or violation and permits the violator a 60-day cure period to remedy the violation. The Attorney General or District Attorney’s office does not have to send a letter if it determines the entity cannot resolve the breach.
The notification process extended to violators will be effective until January 1, 2025. After this window, violators will not have the right to a 60-day cure period.
Additional State Privacy Laws Around the United States
Since Colorado joined California and Virginia as states that established data privacy legislation, two other U.S. states have followed suit. In 2022, both Utah and Connecticut enacted their consumer privacy acts.
Connecticut’s Personal Data Privacy and Online Monitoring act went into effect on July 1, 2023, whereas Utah’s Consumer Privacy Act will be effective starting December 31, 2023.
Each legislation draws upon precedents set forth by Virginia, California, and Colorado and mimics the language and protection first issued by the European Union with its General Data Protection Regulation (GDPR) in 2016.
