The Colorado Privacy Act (CPA)

Key take-aways from Colorado’s Privacy Act (CPA)

In July 2021, the state of Colorado passed the Colorado Privacy Act (CPA), making it the third state to enact comprehensive privacy legislation in the US, following California in 2018 and Virginia earlier in 2021.

Colorado’s Privacy Act is an opt-out-based data privacy law, meaning it gives Colorado users the right to opt out of having their personal data tracked, sold and used, e.g. for targeted advertising and profiling.

It is similar to California’s CCPA and Virginia’s VCDPA in that respect, and unlike the EU’s GDPR that is a consent-based data law (which requires prior consent before any personal data processing can take place).

Colorado’s Privacy Act will take effect on July 1, 2023, without a grace period, which means your business must be ready for compliance on or before that date.

Quick tip

Important information  to know about the Colorado Privacy Act

• The Colorado Privacy Act protects Colorado residents and imposes data protection requirements on companies or organizations that 1) conduct business in Colorado or produce or deliver commercial products or services that are purposely targeted to residents of Colorado; and 2) control or processes personal data of at least 100,000 consumers a year or control or process personal data of at least 25,000 consumers and gain revenue or receives a discount on the price of goods and services, from the sale of personal data.
• The Colorado Privacy Act defines personal data as information that is linked or reasonably linkable to an identified or identifiable individual.
• The Colorado Privacy Act defines sensitive data as personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health diagnosis, sex life or sexual orientation, or immigration status; relates to certain genetic or biometric data.
• The Colorado Privacy Act defines a controller as a person that determines the purposes for and means of processing personal data (so, your company or organization for example).
• The Colorado Privacy Act defines a processor as a person that processes personal data on behalf of the controller. The CPA requires them to adhere to the controller’s instructions and cooperate with the controller to comply with its obligations under the act.
• The Colorado Privacy Act broadly defines sale as the exchange of personal data for monetary or other valuable consideration by a controller to a third party, which is similarly broadly defined under California’s CCPA.
• The Colorado Privacy Act imposes a strict opt-in consent standard for secondary uses of personal data as well as the processing of sensitive data: consent is defined as a clear and affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement. It is similar to the EU’s GDPR and Virginia’s VCDPA in that respect. Additionally, parental consent is required to process data of a consumer under the age of 13.
• The Colorado Privacy Act does not exempt non-profit organizations from its scope, unlike other US state data privacy legislations.
• The Colorado Privacy Act will be enforced by the Colorado Attorney General and takes effect on July 1, 2023.

What does Colorado’s Privacy Act say about cookies and trackers?

The Colorado Privacy Act requires businesses to enable users to opt out of data tracking and selling, which means that cookies and trackers that collect and process user data need to be controlled by a consent management solution, giving users the technical ability to say yes or no.

Even though the Colorado Privacy Act does not talk about cookies and trackers in particular, its definition of personal data includes such identifiable data as email addresses and usernames.

Quick tip

The Colorado Privacy Act is explicit about cases where such personal data is being processed: users inside Colorado have the right to opt out of such data processing. Usually, third-party cookies on websites will process personal data, and common uses of such data is targeted advertising. 

In addition to having a consent management solution that can enable users to say no to cookies and targeted advertising, the Colorado Privacy Act also specifies that your website must have a “reasonably accessible, clear, and meaningful privacy notice” for transparency with the user.

A Colorado Privacy Act compliant privacy notice must include:

• Categories of the personal data collected by controller or processor,
• Purposes for processing personal data,
• Categories of personal data shared with third parties,
• Categories of third parties that personal data is shared with,
• How and where consumers can exercise their rights under the Act, including contact information for the controller and information about appealing a controller’s action with regards to consumer requests (though consumers cannot be required to create a new account to make or appeal the response to a request).

In addition, sensitive personal data (such as genetic data, biometric data and information about sexual orientation) must only be processed with the prior and explicit consent of users under the Colorado Privacy Act.

If your website is already in compliance with California’s CCPA, you will be relieved to know that the CCPA opt-out button meets Colorado’s CPA opt-out requirements.

Cookiebot CMP can help you automate compliance on your website with the Colorado Privacy Act, as well as California’s CCPA, EU’s GDPR and many other data privacy laws.

How to be compliant with Colorado’s Privacy Act

You might be wondering if the Colorado Privacy Act applies to your website?

The Colorado Privacy Act only applies to companies or organizations that –

• Does business in Colorado and/or processes the data of Colorado residents,
• Processes personal data of 100,000 or more residents annually, or
• Processes personal data from at least 25,000 residents annually and derive revenue or receive a discount on goods/services as the result of the sale of that data.

Unlike California’s CCPA and Virginia’s VCDPA, the Colorado Privacy Act also applies to nonprofit organizations and charities.

If you are required to comply, the Colorado Privacy Act mandates the following duties for you to follow:

• Duty of transparency – you must provide a privacy notice (see above).
• Duty of purpose specification – you must specify what data you collect and for what purpose.
• Duty of data minimization – you must only collect and use data that is adequate, relevant, and limited to what is reasonably necessary to fulfill the communicated purpose.
• Duty to avoid secondary use – you are not allowed to process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless you first obtain the consumer’s consent.
• Duty of care – you must take reasonable measures to secure data from unauthorized access.
• Duty to avoid unlawful discrimination – you are not allowed to process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers.
• Duty regarding sensitive personal data – you are not allowed to process sensitive personal data from Colorado users without obtaining explicit and informed consent to do so – or, in the case of children’s personal data, without obtaining prior consent from a parent or guardian.

The definition of personal data under the Colorado Privacy Act is “information that is linked or reasonably linkable to an identified or identifiable individual”, and includes such things as:

• Email addresses
• Location data
• Usernames

Sensitive personal data under the Colorado Privacy Act includes:

• Racial or ethnic origin
• Religious beliefs 
• Mental or physical health condition or diagnosis
• Political convictions
• Sex life and sexual orientation
• Citizenship or citizenship status
• Generic or biometric data
• Personal data from a known child
• Racial or ethnic origin

If your website processes sensitive personal data, the Colorado Privacy Act requires you to first obtain the explicit consent of users.

Quick tip

The Colorado Privacy Act rights for Colorado consumers

The Colorado Privacy Act (CPA) empowers Colorado consumers with the following five rights – 

• Right to opt out. Consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effect concerning them. 
• Right of Access. The consumers in Colorado are entitled to confirm whether a controller is processing personal data about them, and if so, access their personal data. 
• Right to correction. If the consumers have had personal data processed, they have the right to correct any inaccuracies in their data. This right also considers the nature of the personal data and the purpose of the processing. 
• Right to data portability. Consumers have the right to transmit their data to another entity without interference. The consumer has the right to obtain personal data in a portable and readily usable format, making it possible to do so.
• Right to delete. The consumers have the right to delete personal data concerning themselves. 

Not unlike Virginia’s VCDPA, the Colorado Privacy Act also gives the consumers the right to appeal a business’ denial to act within a reasonable time period. 

Under Colorado’s Privacy Act, you have to respond to a consumer request within 45 days. Responding to such requests from your users must happen within 45 days of receiving it (with a possible 45 day delay upon request).

The Colorado Privacy Act does not provide users from Colorado a private right of action, i.e. a way for Colorado residents to bring a lawsuit in the event of CPA violations.

Quick tip

Enforcement of Colorado’s Privacy Act

The Colorado Privacy Act will take effect on July 1, 2023, without a grace period, meaning that businesses need to be ready for compliance from that date.

Much like California’s CCPA, it is the Colorado Attorney General that will enforce the Colorado Privacy Act. 

Enforcement of the Colorado Privacy Act is based on the same ‘cure period’-system as in California’s CCPA. This means that, if you are violating the Colorado CPA, the Attorney General can commence enforcement by sending a notice with the option to correct the violation within a 60-day period. If the violation is not corrected within the cure period, further enforcement action could follow.

Financial penalties for non-compliance with the Colorado Privacy Act are governed by the Colorado Consumer Protection Act, which specified fines ranging from US$2.000 to US$20,0000 per violation. Non-compliance with Colorado’s CPA can also lead to criminal charges.

Conclusion

The Colorado Privacy Act is the third comprehensive data privacy law to be passed in the United States and is very similar to other state-wide bills like California’s CCPA and Virginia’s VCDPA.

If you have a considerable number of users from within Colorado, you are safe to assume that Colorado CPA compliance also applies to you and your business. In that case, you need to employ a consent management solution to enable Colorado users to opt out of having their personal data tracked and shared.

Good news is, if you are already compliant with California’s CCPA, chances are that you don’t need to do much to also become compliant with the Colorado Privacy Act (which takes effect on July 1, 2023).

Cookiebot CMP is an easy-to-use, highly customizable and robust solution that enables compliance with most major data privacy laws in the world, including the EU’s GDPR, California’s CCPA and many others.

Resources

Colorado Privacy Act (CPA) law text

IAPP on the Colorado Privacy Act (CPA)

Colorado Privacy Act Resource Center by Husch Blackwell

The Virginia Consumer Data Protection Act (VCDPA)

More on the Colorado Privacy Act on Usercentrics