Limited time offer:
10% off for 6 months
Promotion ends soon
Get the deal
login.svgLog InStart Free
All Blog Posts

Colorado Privacy Act (CPA): an overview

The Colorado Privacy Act (CPA) is a state-wide law that empower consumers in the centennial state with key data privacy rights. Businesses that deliver goods and services to Colorado users must have strategies in place if they meet the law’s compliance requirements.

Sep 19, 2024

The state of Colorado passed the Colorado Privacy Act (CPA) in July 2021, making it the third US state to enact a comprehensive data privacy law, following California in 2018 and Virginia earlier in 2021. The Colorado privacy law came into effect on July 1, 2023.

We look at the Colorado Privacy Act, what rights it grants to consumers, and what steps businesses must take to comply with its provisions.

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a state-level consumer privacy law that protects the personal data of nearly 6 million Colorado residents. The CPA imposes data protection requirements on companies or organizations that operate in the state or offer goods or services to residents, known as “consumers” under the law, and process their personal data.

The CPA defines consumers as individuals who are residents of Colorado and acting in an individual or household context. It excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of another person acting in an employment context.

The CPA follows an opt-out model consistent with other US state-level data privacy laws, and it gives Colorado users the right to opt out of having their personal data tracked, sold, or used for purposes such as targeted advertising and profiling. Businesses aren’t required to obtain consent before collecting consumers’ personal data in most cases, with exceptions for:

  • sensitive data
  • personal data belonging to children under the age of 13
  • processing for secondary purposes, i.e. purposes other than what was previously communicated to consumers

Definitions

The Colorado Privacy Act defines several key terms related to the data it protects and the data processing activities it regulates.

What is personal data under the CPA?

Personal data under the Colorado privacy law means “information that is linked or reasonably linkable to an identified or identifiable individual.”

The definition specifically excludes deidentified data and publicly available information.

The law doesn’t give examples of what constitutes personal data, as some of the other US privacy laws do, but common types that businesses collect could include email address, name, phone number, and Social Security number.

What is sensitive data under the CPA?

Sensitive data is that which requires explicit consent from the data subjects, and can cause greater harm to the consumer if abused or misused. It is a type of personal data that reveals:

  • racial or ethnic origin
  • religious beliefs
  • mental or physical health condition or diagnosis
  • sex life or sexual orientation
  • citizenship or immigration status

Personal data of a known child, and genetic or biometric data that can uniquely identify an individual when processed, are also sensitive data under the CPA.

Who is a controller under the CPA?

The CPA defines a controller as a “person that, alone or jointly with others, determines the purposes for and means of processing personal data.”

“Person” includes an organization, business, or other entity that collects and processes personal data (unless exempt under the law) if they determine why and how personal data is processed.

Who is a processor under the CPA?

The CPA defines a processor as a “person that processes personal data on behalf of the controller.”

Processors must adhere to the controller’s instructions and assist the controller in meeting obligations under the law.

Like with controllers, “person” in the definition of processor also includes an organization, business, or other entity.

The Colorado data privacy law defines consent as “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.”

This definition is influenced by the European Union’s General Data Protection Regulation (GDPR).

The law specifies that the following activities are not considered consent:

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
  • hovering over, muting, pausing, or closing a given piece of content
  • agreement obtained through dark patterns

What is a sale under the CPA?

The CPA broadly defines sale as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”

The definition specifically excludes the following disclosures of personal data:

  • to a processor
  • to a third party to provide a product or service the consumer has requested
  • to the controller’s affiliate, including transfer of personal data
  • as an asset as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction, including transfer of personal data
  • that a consumer:
    • directs the consumer to disclose
    • intentionally discloses by using a controller to interact with a third party
    • intentionally makes available to the general public through mass media

What is targeted advertising under the CPA?

The CPA defines targeted advertising displaying ads to a consumer that are “selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.”

Targeting advertising doesn’t include:

  • ads displayed to a consumer in response to their request for information or feedback
  • ads based on activities within a controller’s own websites or online applications
  • ads based on the context of a consumer’s current search query, visit to a website, or online application
  • personal data processed only for measuring or reporting advertising performance, reach, or frequency

Who is the Colorado Privacy Act applicable to?

Like all other US states with privacy laws to date, Colorado includes compliance thresholds that a business must meet for the law to apply.

The CPA applies to businesses that either conduct business in Colorado or produce or deliver commercial products or services that are purposely targeted to Colorado residents, and also meet one or both of the following requirements:

  • control or process personal data of at least 100,000 consumers a calendar year
  • control or process personal data of at least 25,000 consumers a year, and derive revenue or receive a discount on goods or services from the sale of personal data

Unlike California, Colorado has no threshold that depends on annual revenue alone. There is also no minimum revenue or discount required from the sale of personal data for the law to apply.

Exemptions to Colorado Privacy Act compliance

In addition to businesses that don’t meet the compliance thresholds, the following types of businesses are among those exempt for CPA compliance:

  • entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
  • health care facilities or health care providers
  • consumer reporting agencies
  • air carriers
  • national securities associations
  • public utilities
  • higher education institutions
  • financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)

Data that is exempt from compliance includes, among others:

  • protected health information and patient identifying information
  • research data
  • deidentified data
  • employment records
  • data already regulated under other laws, including:
    • GLBA
    • Fair Credit Reporting Act (FCRA)
    • Driver’s Privacy Protection Act (DPPA)
    • Children’s Online Privacy Protection Act (COPPA)
    • Family Educational Rights and Privacy Act (FERPA)

Unlike some other states’ consumer privacy laws, there is no specific exemption for nonprofit organizations or small businesses under the Colorado privacy law. If they meet the compliance thresholds and do not fall under one of the exemptions outlined in the law, the CPA is applicable to them.

Consumer rights under the Colorado Privacy Act

The CPA empowers Colorado consumers with the following five rights:

  • Right to opt out: consumers can opt out of the processing of their personal data for purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effect concerning them
  • Right of access: consumers are entitled to confirm whether a controller is processing personal data about them, and if so, access their personal data.
  • Right to correction: consumers can request that any inaccuracies in their data are corrected, while taking into account the nature of the personal data and the purpose of the processing
  • Right to data portability: consumers are entitled to transmit their personal data to another entity without interference from the controller, and to obtain it in a portable and readily usable format that makes it possible to do so
  • Right to deletion: consumers have the right to delete personal data concerning themselves (with exceptions)

Not unlike Virginia’s privacy law, the CPA also gives the consumers the right to appeal a business’s denial to act on a request within a reasonable time period.

What does the Colorado Privacy Act say about cookies and trackers?

Even though the Colorado privacy law does not talk about cookies and trackers specifically, its definition of personal data includes such identifiable data as email addresses and usernames that are often collected through cookies.

The CPA requires businesses to enable users to opt out of data tracking and selling, which means that cookies and trackers that collect and process user data need to be controlled, e.g. by a consent management solution, giving users the technical ability to say yes or no, ideally at a granular level.

If your website uses third-party marketing cookies or other trackers that process personal data for the purpose of analytics and advertising, you must be transparent about this in your privacy notice, and you must provide Colorado users with the choice to opt out of the collection and use for these purposes.

Discover tracking cookies on your website

Find out exactly what cookies your website is using with our free cookie audit tool

Scan now

Controllers’ obligations under the Colorado Privacy Act

Under the Colorado data privacy law, controllers are required to meet specific obligations to protect consumers’ personal data.

Consumer rights requests under the CPA

The CPA gives controllers 45 days to respond to an authenticated consumer request. Controllers may take an additional 45 days where reasonably necessary, provided you inform the consumer within the first 45-day period and include the reason for the delay.

Consumers can be asked to use an existing account to verify their identity, but they cannot be asked to create a new account for this purpose.

Controllers must inform the consumer within 45 days if they are not taking action on a consumer request, and share with the consumer the method of appeal. An appeal must be decided within 45 days, with an extension of another 60 days being permitted where reasonably necessary. Controllers must share a written explanation of their decision with the consumer to take an action or not within these prescribed time frames.

Controllers must also inform consumers about their option to contact the Attorney General if they have concerns about an appeal’s result.

Privacy policy under the CPA

Controllers must uphold a duty of transparency under the CPA and provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” or privacy policy. A CPA-compliant privacy notice must include:

  • categories of the personal data collected or processed
  • purposes for processing personal data
  • categories of personal data shared with third parties
  • categories of third parties that personal data is shared with
  • how and where consumers can exercise their rights under the law, including contact information for the controller and information about appealing a controller’s action with regards to consumer requests

Controllers may share this information in a privacy policy or privacy notice published on their website, often through a link in the footer that makes it easily accessible to consumers from any page on the site. The law also requires controllers with an app to publish it on their download page, app store page, and app’s settings menu.

Build your website’s privacy policy for free

Our easy to use privacy policy generator helps you craft a detailed, customized privacy policy for your website within minutes

Generate my policy

Avoid unlawful discrimination under the CPA

The Colorado privacy law prohibits controllers from processing personal data in a manner that violates any state or federal anti-discrimination laws.

The CPA follows an opt-out consent model, meaning that, in most cases, controllers don’t need prior consent to collect and process consumer data. There are certain exceptions where the Colorado privacy law requires you to first obtain explicit, opt-in consent from users:]

  • for secondary uses of personal data, i.e. for purposes other than those that the consumer has already been informed of via privacy notice or other disclosures
  • for processing sensitive data
  • for processing personal data of a known child under age 13

For children’s data, controllers must obtain prior consent from the child’s parent or legal guardian.

If your website is already in compliance with the California Consumer Privacy Act (CCPA), the California privacy law’s opt-out button meets Colorado privacy law’s opt-out requirements.

Universal opt-out mechanism under the CPA

The Colorado data privacy law incorporates a provision for enabling a universal opt-out mechanism, such as the Global Privacy Control (GPC). This mechanism enables consumers to set their data processing preferences once, often through browser settings or a plugin, and have those preferences automatically applied across all websites they visit.

This mechanism helps maintain consistent privacy settings for users and simplifies compliance with privacy laws for businesses.

While recognizing a universal opt-out mechanism is not yet standard across all data privacy laws in the US or internationally, it is increasingly common in newer legislation.

Other states that require a universal opt-out mechanism include California, Texas, Montana, and Oregon.

Data minimization under the CPA

The CPA requires controllers to inform consumers about the purposes of data collection, and to adhere to the principle of data minimization by only collecting personal data that is “adequate, relevant, and limited” to what is reasonably necessary for these purposes.

If you wish to process the personal data you’ve collected for any other purposes, the law requires you to notify consumers of the new purpose(s), and obtain their consent prior to further data collection or processing for it.

Data security under the CPA

Controllers must take reasonable measures during the storage and use of personal data to secure it from unauthorized access or security breach.

Although the law does not specify what “reasonable measures” means, it specifies that controllers’ data security practices should be “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business”. So, for example, the greater the volume of data processed, or the more sensitive in nature, the stronger the security measures need to be.

Data Protection Impact Assessment (DPIA) under the CPA

The CPA requires controllers to conduct and document data protection assessments, also known as Data Protection Impact Assessments (DPIA), under some circumstances, like when they undertake processing activities that present a heightened risk of harm to the consumer, such as:

  • processing personal data for the purposes of targeted advertising
  • sale of personal data
  • processing sensitive data
  • processing personal data for the purposes of profiling that presents a foreseeable risk of:
    • unfair or deceptive treatment of consumers
    • financial or physical injury to consumers
    • physical or other intrusion into consumers’ private affairs
    • other substantial injury to consumers

Controllers must comply with a request from the Attorney General’s office to make a DPIA available in the course of an investigation.

Data processing agreements (DPA) under the CPA

Controllers must enter into contracts with processors before data processing begins. These contracts, while not explicitly referred to as “data processing agreements” under the CPA, serve a similar purpose to those required by other privacy laws, such as the GDPR and the Virginia Consumer Data Protection Act (VCDPA). The contract must clearly outline processing requirements and obligations between the controller and processor, such as:

  • instructions for processing
  • nature and purpose of processing
  • type of personal data subject to processing
  • duration of processing
  • duty of confidentiality
  • conditions under which the processor may engage a subcontractor
  • responsibility of both parties to maintain appropriate data security measures
  • requirement that the processor must delete or return all personal data at the controller’s request at the end of the contract
  • processor’s obligation to allow for, or contribute to, reasonable audits and inspections
  • processor’s obligation to share all information demonstrating compliance with the law

Under most data privacy laws, controllers are ultimately responsible for any data processing violations or breaches committed by processors. However, under the CPA, there are two specific exceptions to this rule.

If a controller or processor lawfully shares personal data with a third-party controller or processor, they are not liable for any violations committed by the receiving party, provided they were unaware of any intent to violate the law at the time of sharing.

If a controller or processor lawfully receives personal data, they are not responsible for any legal violations committed by the disclosing party.

Colorado Privacy Act penalties and enforcement

The Colorado Attorney General and District Attorneys have exclusive enforcement authority under the CPA. Colorado residents do not have a private right of action, preventing individuals from filing lawsuits directly for CPA violations.

Violations of the CPA are classified as deceptive trade practices under Colorado law, which can lead to significant penalties. However, before enforcement actions can be initiated, the Attorney General or District Attorney must issue a notice of violation to the controller and grant a 60-day cure period to address and rectify any violations. If the controller fails to cure the violation within 60 days, the Attorney General or District Attorney may bring an action against them. Notably, this cure period is temporary and will sunset on January 1, 2025, after which businesses may face immediate penalties for violations without the opportunity to correct them first.

Fines and penalties under the CPA

Financial penalties for noncompliance with the CPA are governed by the Colorado Consumer Protection Act, which specifies fines ranging from:

  • USD 2,000 to USD 20,000 per violation in most cases
  • USD 10,000 to USD 50,000 per violation against an elderly person

What are the Colorado Privacy Act rules and regulations?

The CPA Rules were finalized by the Colorado Attorney General on March 15, 2023 to clarify and expand upon the CPA’s requirements. These regulations took effect on July 1, 2023, and include several key provisions, such as:

  • universal opt-out mechanism should not be the default setting for a browser or operating system that comes pre-installed on a device, since a default setting is not an affirmative, freely given, and unambiguous choice by the consumer
  • personal data provided in response to a right to access request must be presented in the language in which the consumer normally interacts with the controllers
  • privacy notices and other disclosure or communications must be reasonably accessible to consumers with disabilities, including through the use of digital accessibility tools
  • privacy notices must be posted online through a link that uses the word “privacy” on the controller’s website homepage, app store page, download page, or app settings menu, as applicable
  • biometric identifiers, digital or physical photographs of a person, audio or voice recordings containing the voice of a person, or any personal data generated from them must be reviewed at least once a year to determine if storage is still necessary, adequate, or relevant for the processing purposes

How to comply with the Colorado Privacy Act

Download checklist

Businesses that meet the CPA’s thresholds must take necessary steps to comply with its requirements.

  • Publish a comprehensive privacy notice on your website, app, download page, or app store page that details your data processing policies. Your privacy policy must inform consumers how they can exercise their rights under the law. Businesses often link to their privacy policy in their website’s footer and on the cookie banner.
  • Provide users with an opt-out mechanism that enables them to opt out of the sale of their personal data or its use for targeted advertising or profiling. You must honor consumers’ rights to opt out exercised through universal opt-out mechanisms.
  • Obtain explicit consent for the collection and processing of sensitive data, data belonging to a known child under 13, and for secondary uses of personal data. A consent management solution like Cookiebot CMP can help you obtain clear, opt-in consent.
  • Collect only the personal data you need for the purposes specified and adhere to the principle of data minimization.
  • Enter into a contract with processors that outlines the rights and responsibilities as specified under the law.
  • Set up a system for consumers to exercise their rights under the CPA and for you to verify their identity. Respond to consumer rights requests within the prescribed time.
  • Conduct a data protection assessment for high-risk data processing activities to protect consumers’ data.

Sign up for a free trial and discover how Cookiebot CMP can simplify your consent management.

Get started today
What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act (CPA) is a US state-level consumer privacy law that protects the personal data of Colorado residents and imposes data protection requirements on businesses that operate in the state or offer goods and services to its residents.

What is the Colorado Privacy Act’s effective date?

The Colorado Privacy Act came into effect on July 1, 2023.

Who qualifies as a consumer under the CPA?

Consumers under the CPA are defined as individuals who are residents of Colorado and act in an individual or household context, excluding those acting in a commercial or employment context.

What are the Colorado Privacy Act’s thresholds for applicability?

Businesses that conduct business in Colorado or deliver commercial products or services targeted to Colorado residents must comply with the CPA if they control or process personal data of at least 100,000 consumers or of at least 25,000 consumers while deriving revenue from the sale of personal data.

What are the Colorado Privacy Act penalties for noncompliance?

Violations of the Colorado Privacy Act are considered deceptive trade practices and can result in fines ranging from USD 2,000 to USD 20,000 per violation. If the violation involves an elderly person, penalties can increase to between USD 10,000 and USD 50,000 per violation.

How does the Colorado Privacy Act define and regulate sensitive data?

Sensitive data under the CPA includes information that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship status, and personal data from children under 13. Genetic and biometric data used to identify individuals are also considered sensitive. The CPA requires businesses to obtain explicit, opt-in consent before processing sensitive data.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Resources

Colorado Privacy Act (CPA) law text

IAPP on the Colorado Privacy Act (CPA)

Colorado Privacy Act Resource Center by Husch Blackwell

The Virginia Consumer Data Protection Act (VCDPA)

More on the Colorado Privacy Act on Usercentrics

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.
    wordpress.svgCookiebot™ WordPress Plugin
    wix_20x20.svgCookiebot™ for Wix by Usercentrics