The Colorado Privacy Act: What It Is and How To Stay Compliant

The Colorado Privacy Act is a new piece of legislation aimed at protecting the personal information of consumers in Colorado, and is is a response to the growing concern about privacy in the digital age, as more and more personal information is collected and shared online. The act requires businesses operating in Colorado to take specific steps to protect the privacy of consumers and to be transparent about their data collection practices.

In this blog, we'll take a closer look at the Colorado Privacy Act and its implications for businesses and consumers. We'll explore what the act entails, how it affects companies operating in Colorado, and what rights it gives to individuals. Whether you're a business owner, a consumer, or simply interested in privacy issues, this blog will provide valuable information and analysis.

What Is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a privacy-centric regulation that aims to protect the personal data of Colorado residents. It’s inspired by other U.S. data privacy regulations that precede it, such as the California Consumer Privacy Act and the General Data Protection Regulation of the European Union. 

The law gives consumers more control over how organizations use their data. For instance, it gives them the right to have their data deleted, corrected, and even exempted from use for targeted advertising. 

Under the regulation, organizations are obligated to provide information on the kind of data they’re processing and the purpose of processing it, among other requirements. Similar to other privacy regulations, organizations will need to inform consumers of the details of how they plan to handle the data in a privacy notice. 

To better understand the CPA, let’s walk through the legal definitions of some of the most common terms you’ll find in the act:

• Consumer: A resident of Colorado who’s acting in an individual or household capacity. The law doesn’t consider people acting in an employment or commercial context as consumers. 
• Personal data: Any information that can be reasonably tied back to an identifiable individual. Examples of personal data are names, IP addresses, identification numbers, and credit card information. The regulation doesn’t consider de-identified data and publicly available data as personal data. 
• Sensitive data: This is any personal data that could reveal the traits of a consumer. It includes data like race, sexual orientation, religious belief, or even citizenship status. You’re required to get explicit consent before you can collect or process such data. 
• Controllers: These are any entities that determine the purpose of the data that’s being collected and the means of processing it.
• Processors: These are entities that process data on behalf of controllers. 
• Processing: This is any action carried out on personal data. It includes collecting, using, selling, storing, disclosing, analyzing, deleting, or modifying the data. 

When Does the Colorado Privacy Act Come Into Effect?

While the CPA was signed into law on July 8, 2021, it will take effect on July 1, 2023. 

What Businesses Does the Colorado Privacy Act Apply To?

The CPA applies to organizations and individuals that are either located in Colorado or target Colorado residents for sale of their products and services. For the regulation to apply to you, you also need to meet either of these two thresholds:

• Process the data of a minimum of 100,000 Colorado residents annually
• Process the data of a minimum of 25,000 Colorado residents if you derive revenue from the sale of personal data

Businesses That Are Exempt From the Colorado Privacy Act

The CPA has a larger list of exempted entities than most of the other privacy regulations. 

This includes following entities:

• Airlines
• Public utility organizations
• Entities that are covered by the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act, and Family Educational Rights and Privacy Act
• Entities that are subject to the Fair Credit Reporting Act
• Colorado government agencies
• Higher education institutions
• Consumer reporting agencies
• Entities that process de-identified personal data
• Entities that collect/process data for the purpose of Colorado health insurance law or employment records

It’s worth noting that, unlike most regulations, the CPA doesn’t exempt nonprofits and charitable organizations from compliance.

What Are the Responsibilities of Businesses Under the CPA?

The CPA is clear on what businesses need to do to be compliant. Follow the steps below.

Exercise Your Duty of Transparency

Under the CPA, organizations are required to provide consumers with privacy notices (also known as privacy policies) that are clear and reasonably accessible. These privacy notices need to be displayed conspicuously on your website.

Compliant privacy notices must include the following information:

• The types of data you’re collecting or processing
• The purpose of processing the data
• The types of data you’re sharing with third parties (if any)
• The details of any third parties you’re sharing the data with
• Insights into how consumers can exercise their rights under the CPA
• Insights into how consumers can appeal denials of their requests
• A clear and prominent disclosure of your intention to sell or process personal data
• A clear and prominent disclosure of how consumers can opt out of the sale or processing of their data

Exercise Your Duty of Data Minimization

You’re required to limit your data collection practices to only collecting data that’s relevant, adequate, and reasonably necessary to help you achieve the purpose you disclose to consumers.

Exercise Your Duty to Avoid Secondary Use

You’re required to limit your use of any collected data to the purpose you established with consumers. If you need to use the data for secondary purposes, you must obtain consent from consumers. 

Exercise Your Duty of Care

You’re obligated to take any measures you find reasonable to protect consumers’ personal data from unauthorized access. The regulation doesn’t explicitly define reasonable measures. However, it does specify that the security measure you choose should be appropriate for the nature, scope, and volume of the data you’re handling. It should also factor in the size and type of business you’re running.

Avoid Unlawful Discrimination

The CPA prohibits businesses from discriminating against consumers, especially after they’ve exercised their rights under the law. This means that you may not charge such consumers more, offer them a lower quality product or service, or deny them products or services. 

Obtain Consent to Process Sensitive Data

You’re required to obtain consent from consumers before you can process their sensitive data. If the consumer is a child (under 13 years of age), you must obtain consent from a parent or guardian.

The CPA calls for an opt-out data processing model. Essentially, this means that you don’t need consent from consumers to collect their personal data. However, you’ll need consent if you’re collecting sensitive data or using the collected data for another purpose besides what you’ve already disclosed. 

For consent to be legally valid under the CPA, it must be specific, unambiguous, and given freely by the consumer. This means that consent that’s obtained through shady tactics like dark patterns will be considered invalid. 

Create Mechanisms to Handle Consumer Requests

Consumers are allowed to submit requests under the CPA. They can make requests to confirm the data you’re processing, opt out of data processing, correct inaccuracies in the data, or have their data deleted.

The onus is on you to create systems that will accept, track, verify, and honor consumer requests. 

Once a consumer makes a request, you have 45 days to respond by denying the request, accepting it, asking for more information for authentication, or requesting an extension. You’re required to communicate the reasons behind whichever action you take before the 45 days elapse. 

If you choose to take an extension, you’ll have 45 more days to respond to the request. 

If you deny a consumer’s request, you must provide them with a process for appealing the denial. You must also inform them of the best way to contact the Colorado attorney general if they need to raise any concerns about the denial. 

You’re allowed to deny requests if you can’t authenticate them, or the consumer doesn’t provide enough information to support your authentication process. You can also deny requests if the consumer’s request concerns de-identified data.

Perform Data Protection Assessments

The CPA requires you to conduct data protection assessments prior to implementing any data processing activities that could harm consumers. The goal is to identify risks, weigh the benefits of processing the data compared to these risks, and identify the best options for eliminating the risks. 

For instance, you can de-identify the data to eliminate the chances that consumers will be harmed if the data is leaked.

Be sure to document your data protection assessments as you’re required to provide them to the Colorado attorney general upon request. The attorney general can use the data from these assessments to determine your compliance with the CPA.

This requirement to document data protection assessments will apply only to data processing you do after July 1, 2023, when the law comes into effect. 

Rights of Colorado Residents Under the CPA

The CPA grants consumers specific rights to control their data. These rights include:

• Right to access: Consumers have a right to know if your business is processing their data. If it is, they have a right to access this data.
• Right to opt-out: Consumers have a right to opt out of the processing of their personal data for the sake of profiling, targeted advertising, or the sale of their data. The Colorado attorney general is expected to develop the technical specifications for several user-selected universal opt-out mechanisms by July 1, 2023. Users can choose the most appropriate method to opt out of data processing by clicking a single button. 
• Right to correction: Colorado consumers have a right to correct any inaccuracies in their personal data.
• Right to deletion: Colorado residents have the right to ask for the deletion of their personal data.
• Right to portability: Colorado residents have a right to obtain a portable copy of their personal data in a manner that allows them to readily use and/or share their data with third parties. 

Consumers can exercise their rights by making requests to you as a controller. 

How Does the Colorado Privacy Act Define the “Sale” of Personal Data?

The CPA considers a business to have sold data if it exchanged the data for money or other compensation. The regulation doesn’t limit the sale of data to monetary exchange. 

For instance, you could receive a discount at a third party entity by sharing data with that third party. This counts as compensation, and thus a sale of data.

However, the regulation doesn’t consider it as a sale if there’s an exchange of data between a processor and controller for activities that the processor does on behalf of the controller. It also doesn’t consider it a sale if a consumer intentionally discloses their data to third parties with the help of the controller. 

How Does the Colorado Privacy Act Define Targeted Advertising?

The Colorado Privacy Act considers targeted advertising as any advertisement a consumer receives on non-affiliated websites, applications, or online service platforms that is based on the personal data collected from the consumer.

However, the regulation’s definition of targeted advertising doesn’t include advertisements that are: 

• In response to requests for feedback or information
• Based on online applications, website visits, or current search query
• Based on the consumer’s activities on your website or application as a controller

Penalties for Non-compliance With the CPA

The CPA doesn’t specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Colorado Consumer Protection Act. 

Fines per violation can range from $2,000 to $20,000. CPA violations could also result in criminal charges.

How Is the Colorado Privacy Act Enforced?

The responsibility of enforcing the CPA falls on the Colorado attorney general and district attorneys. They’re responsible for injunctions, penalties, and settlements. Keep in mind, however, that there’s no private right of action under the CPA. This means that private citizens can’t sue businesses for violating their rights. 

Before the attorney general or district attorneys can take any enforcement actions, they’re required to issue the business in question a notice of violation. Once issued, violators have a 60-day cure period, during which they can rectify the violations. 

If they’re still non-compliant after the cure period, the district attorneys or attorney general can proceed with the enforcement actions. 

The 60-day cure period will be abolished after January 1, 2025. Instead, violators will have the option to request interpretative guidance and opinion letters from the office of the attorney general. 

CPA vs. CCPA: What’s Different Between the Two?

The California Consumer Privacy Act (CCPA) was among the first privacy regulations in the U.S. It helped create a solid foundation for the enactment of other regulations like the CPA. 

Most states, like Colorado, made changes to the CCPA to create a regulation that’s customized to their population. Learning the difference between both the CPA and CCPA is worthwhile, especially if your business runs in both jurisdictions. While some rules will be similar across both regulations, others are quite different. 

Enactment Dates

The CPA was signed into law on July 8, 2021, but it will take effect on 1st July 2023.

On the other hand, the CCPA was enacted significantly earlier, on June 28, 2018. It went into effect on January 1, 2020.

California’s CCPA is undergoing a revision, which will change its name to the California Privacy Rights Act (CPRA). The revised version came into effect on January 1, 2023, but enforcement will start on July 1, 2023.

Who Does the Regulation Apply To?

Both regulations require businesses that are located in the respective states or conduct business with the state’s residents to comply with them. 

In the case of Colorado’s CPA, businesses also have to process the personal data of at least 100,000 Colorado residents or 25,000 residents for businesses that generate their revenue from the sale of personal data. The CPA doesn’t have a revenue threshold.

As for California’s CCPA, businesses need to generate an annual revenue of at least $25 million, handle the personal data of at least 50,000 Californians, or generate at least 50% of their revenue from selling personal data. 

Fines for Violations

Colorado’s CPA doesn’t specify fines or penalties for violations. Violations are dealt with under the Colorado Consumer Protection Act, which means fines per violation can range from $2,000 to $20,000. 

CCPA violators have to pay up to $7,500 per intentional violation and up to $2,500 per unintentional violation. 

Unlike the CCPA, Colorado's law doesn’t have a private right of action. While both have a cure period, the CPA’s 60-day cure period is double that of the CCPA.

Opt-out Mechanisms

The Colorado Attorney general is set to announce the specifications for the different mechanisms to opt out of data processing. The CCPA doesn’t define what an opt-out mechanism should look like.