Colorado Privacy Act (CPA)

In July 2021, the Governor of Colorado signed the Colorado Privacy Act (CPA) into law. The CPA went into effect on July 1, 2023. The CPA applies to:

  • controllers that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to Colorado residents, and that satisfy one or both of the following thresholds:
    • control or process the personal data of 100,000 or more consumers during a calendar year; or
    • derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers.
  • personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. Note that, unlike some other state privacy laws, the CPA has no revenue threshold: applicability turns on the volume of consumer data processed, not on the size of the controller.

What is the CPA about?

The CPA is designed to protect Colorado residents’ digital privacy by giving them more control over how their personal data is handled. It requires controllers to give consumers a notice which explains:

  • What data they collect and process.
  • Why they process it, and how consumers can exercise their rights.
  • What data they share with third parties.
  • Who those third parties are.
  • Whether they sell data to third parties.
  • How customers can opt out.

Important definitions in the CPA

  • The CPA defines a consumer as “a Colorado resident acting only in an individual or household context” and explicitly omits individuals acting in “a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” As is the case under Virginia’s CDPA, controllers need not count the employee personal data they collect and process when evaluating the law’s applicability.
  • The “sale of personal data” is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” The CPA’s definition of “sale” mirrors the CCPA, under which a sale occurs when personal data is exchanged for “other valuable consideration” as well as for “monetary consideration.” In this sense the CPA is closer to the CCPA than to Virginia’s CDPA, which limits “sale” to exchanges for monetary consideration, and controllers will be left to ponder what counts as “other valuable consideration.”
  • The definition of “sale” explicitly excludes certain types of disclosures. These disclosures are:
    • Disclosures to a processor that processes the personal data on behalf of a controller.
    • Disclosures of personal data to a third party for purposes of providing a product or service requested by the consumer.
    • Disclosures or transfers of personal data to an affiliate of the controller.
    • Disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
    • Disclosure of personal data that a consumer directs the controller to disclose, or intentionally discloses by using the controller to interact with a third party.
    • Disclosure of personal data intentionally made available by a consumer to the general public via a channel of mass media.

Consumer rights

The CPA provides five main rights for the consumer:

  1. Right of access. Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”
  2. Right to correction. Consumers have “the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
  3. Right to delete. Consumers have “the right to delete personal data concerning the consumer.”
  4. Right to data portability. Consumers have “the right to obtain the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”
  5. Right to opt out. Consumers have “the right to opt out of the processing of personal data concerning the consumer for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

The CPA also provides consumers the right to appeal a controller’s refusal to act on a request within a reasonable time period. Under the CPA, a controller must respond to a consumer request within 45 days of receipt and may extend that deadline by a further 45 days when reasonably necessary. When a controller elects to extend the deadline, it must notify the consumer within the initial 45-day response period, stating the reason for the extension.

When a business fails to take action regarding a request to exercise rights or declines to respond, the CPA mandates the controller provide an appeal process that “must be conspicuously available and easy to use.” If an appeal is denied, the law requires the business to inform the consumer of their ability to contact the attorney general if they have “concerns about the result of the appeal.”

Controller obligations

Controllers must provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” This notice must include:

  • Categories of personal data collected or processed by the controller or processor.
  • Purpose(s) of processing the data.
  • How consumers can exercise their rights and appeal a decision.
  • Categories of personal data shared with third parties.
  • Categories of third parties with which the controller shares personal data.

The Act places several other obligations on controllers:

  • When collecting personal data, a controller is required to “specify the express purposes for which personal data are collected and processed.”
  • Controllers must apply data minimisation: collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes.
  • Controllers may not conduct processing “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities” that present such a risk. The Act gives examples of such processing, including targeted advertising, the sale of personal data, certain kinds of profiling, and the processing of sensitive data.
  • In respect of data processing contracts, the CPA requires that processing by a processor “be governed by a contract between the controller and the processor.” These contracts must establish “the processing instructions to which the processor is bound, including the nature of the processing, … the type of personal data subject to the processing, and the duration of the processing,” along with other legal obligations.

Enforcement

The Colorado Attorney General enforces compliance with the CPA. The Act also extends this authority to district attorneys; between them they have exclusive authority to enforce it.

No private right of action exists under the CPA. A private right of action, where a statute grants one (as the CCPA does for certain breaches of personal information), allows consumers to initiate litigation against a business directly; under the CPA, only the Attorney General and district attorneys can bring an action.

Violations of the CPA are treated as deceptive trade practices under the Colorado Consumer Protection Act, and civil penalties of up to $20,000 may be imposed on a business for each violation. Until January 1, 2025, the Attorney General or district attorney must first issue a notice of violation where a cure is deemed possible and allow the controller 60 days to cure before bringing an enforcement action.

Finding out more

You can read the full text of the legislation on the Colorado General Assembly’s website.