
Colorado Privacy Act: The Ultimate Compliance Guide for Businesses

Colorado officially became the third state in the United States to pass data privacy legislation into law, and the law has been in effect since July 1, 2023.

The Colorado Privacy Act (CPA) aims to empower the residents of Colorado by giving them control over their data. 

It instructs businesses to explicitly declare their data collection practices, the purpose of data collection, and its usage. 

But why should Colorado businesses care? 

  • Thriving metro area with a 600,000+ population. 
  • Strategic location near Denver (2.5 million people) and Pueblo (160,000+ people) markets. 
  • The second-largest city in Colorado is El Paso County. 
  • A pro-business environment, easy access to coasts, competitive tax rates (4.63% corporate and personal income tax). 
  • Low cost of living, scenic mountain backdrop, high livability rankings. 
  • Vital employers: Progressive Insurance, FedEx, Lockheed Martin, Verizon. 
  • Unemployment rate of 4%, below the national average. 
     

Colorado is one of the best places in the US for business growth. And with a thriving local economy, Colorado businesses should take advantage of Colorado’s privacy law: complying with it will not only keep their business in line with state data privacy laws but also help them gain consumer trust and build an impeccable brand. 

What is the Colorado Privacy Act (CPA)? 

The Colorado Privacy Act (CPA) is the third data privacy law in the United States. It mandates that businesses explicitly collect user consent for data collection, while allowing consumers to opt out of processing and to modify or delete their data. 

The Colorado governor, Jared Polis, signed the Colorado Privacy Act into law on July 7, 2021.  

The Colorado law was set to take effect on July 1, 2023, unless a petition was filed within 90 days after the legislature adjourned. 

As the third state data privacy law in the US, the CPA builds on the elements and experience of its predecessors, like California’s Consumer Privacy Act (CCPA)/Consumer Privacy Rights Act (CPRA), Virginia’s VCDPA, and Europe’s GDPR.

This gives Colorado businesses a balanced approach to data privacy compliance.

Essential Definitions in the Colorado Privacy Act (CPA) 

Personal Information 

Any information or data that can realistically and reasonably be linked to an identified or identifiable natural person.  

However, de-identified data and the information available in the public domain are excluded from Personal Information. 
 

Process 

Under Colorado’s privacy law, “processing” covers data storage as well as data collection and use.

So, businesses must be aware of where their data lives and consistently audit it. 


Targeted Advertising 

Displaying to a consumer an ad that is selected based on personal data collected or processed over time from the consumer’s use of websites, online services, or applications not affiliated with the advertiser.  
 

Profiling 

Any automated processing of personal data used to evaluate, analyze, or predict aspects of an identified or identifiable natural person, such as their economic outlook, health, interests, demographics, behavior, and much more. 


Sale 

The exchange of personal data by the controller (business) to a third party for monetary or other value. 


Consumer  

“Consumer” means a Colorado resident acting in an individual or household context.  

Colorado’s privacy law does not cover residents acting in an employment or commercial context; this exclusion also covers job applicants and beneficiaries of someone acting in an employment context. 


Security Breach 

The unauthorized acquisition of unencrypted computerized data that compromises the security, privacy, or integrity of a user’s personal information maintained by an entity. 


Business Threshold for Colorado’s Privacy Law 

The CPA applies if you’re a business based in Colorado, or you target your products and services to the residents of Colorado, and you: 

  1. Control or process the personal data of 100,000 or more consumers within a calendar year; or 
  2. Control or process the personal data of 25,000 or more consumers and derive revenue, or receive discounts on products and services, from the sale of personal data. 


Exemptions 

Well, there’s good news for some businesses. 

Businesses whose data practices are already regulated by the following laws are exempt from CPA compliance, as are higher education institutions.  

  1. The Fair Credit Reporting Act or FCRA (1970) 
  2. The Family Educational Rights and Privacy Act (1974) 
  3. The Health Insurance Portability and Accountability Act (1996) 
  4. The Children’s Online Privacy Protection Act (1998) 
  5. The Gramm-Leach-Bliley Act or GLBA (1999) 
  6. Higher Education Institutions 


Consumer Privacy Rights under Colorado Privacy Act 

Let’s dig deep and uncover some of the significant privacy rights that the CPA gives Colorado residents.  

Consumers, or the parents or guardians of minor children (under 13), have the following rights under the CPA: 

1. Opt out of the processing of their data for 

  1. targeted advertising, 
  2. personal data sales, or 
  3. profiling that affects their legal rights or has other similarly significant effects, as defined by the CPA, or 
  4. permit another person to opt out on their behalf. 

2. Be informed about the processing of their data by a controller (the business collecting user data). 

3. Access, modify, and delete their personal information. 

4. Data portability: obtain a copy of their data in a commonly used and machine-readable format, up to two times a year. 


Key Business Requirements under Colorado Privacy Act 

Consent Requirements: 

Controllers, i.e., businesses, must obtain affirmative consent before  

  1. processing sensitive data, 
  2. processing personal data concerning children, 
  3. selling personal data, 
  4. targeted advertising, 
  5. profiling (which consumers may also opt out of), and 
  6. processing personal data for purposes that are unnecessary for, or incompatible with, the disclosed purposes. 


Valid consent: 

To be valid, consent must be 

  1. a clear, 
  2. affirmative action, 
  3. freely given, 
  4. specific, 
  5. informed, and  
  6. reflect the consumer’s unambiguous agreement.  


What doesn’t constitute valid consent? 

  1. Blanket acceptance of general terms 
  2. Silence 
  3. Pre-ticked boxes 
  4. Consent obtained through dark patterns  

Businesses must disclose primary and secondary purposes for processing when seeking consent.  

New consent is needed for any new specific secondary purposes.  


Limited Processing under Prior Consent 

Controllers with valid consent obtained before July 1, 2023, can continue processing personal consumer data, including sensitive data, if that consent complies with CPA requirements.

New consent is required if the processing purpose changes to a secondary use. 


Re-seeking and Refreshing Consent 

Controllers can re-seek consent from previously opted-out consumers if valid consent requirements are met.  

Controllers should avoid causing “consent fatigue.” 

Consent must be refreshed if a consumer has not interacted with a controller for over a year. 


Data Minimization 

The CPA Rules address the retention of biometric identifiers, photographs, and audio recordings.  

Controllers must review, at least once a year, whether retaining the data is necessary, adequate, and relevant to the stated processing purposes. 
 

Profiling 

The CPA Rules set out a framework for automated decision-making (profiling) involving personal data, emphasizing transparency, consent, and data protection assessments. 

Consumers can opt out of solely automated processing and human-reviewed automated processing, but not human-involved automated processing. 

When an opt-out request is denied, the controller must disclose specific information to the consumer. 


Universal Opt-Out Mechanisms 

The CPA Rules specify technical requirements for user-selected Universal Opt-Out Mechanisms.  

A public list of approved mechanisms is to be published by January 1, 2024. 

The Rules also set notice and choice requirements for Universal Opt-Out Mechanisms, with limits on the data that may be collected or used while an opt-out is being processed. 
 

Consumer Loyalty Programs 

The Rules address the complex interactions between consumer rights, controller obligations, and loyalty programs. 

Required disclosures include personal/sensitive data collected, recipients, loyalty program partners, and program benefits. 

Businesses should review loyalty programs to determine if processing sensitive data is necessary and provide necessary disclosures. 


Data Protection Assessments 

The CPA Rules give more prescriptive guidance on conducting data protection assessments. 

Assessments must involve key stakeholders and identify, assess, and address data protection risks. 

Assessments must be updated when material modifications occur and be provided to the Attorney General upon request. 
 

Exercising Consumer Rights 

Controllers may offer request methods that also serve consumer data privacy rights in other states, provided the specific rights available to Colorado consumers are identified. 

Opt-out requests must be prioritized over other data privacy rights requests. 


Right of Access  

Controllers must provide consumers with specific pieces of personal data collected and maintained, including profiling decisions, inferences, marketing profiles, and reasonably linkable data. 


Notice of Changes to Privacy Policy 

Controllers must notify consumers of material changes to privacy notices through regular consumer interactions.  

Material changes include changes to the categories of data processed, the processing purposes, the controller’s identity, sharing practices, and the methods for exercising data rights. 
 

Fines, Penalties, and Other Concerns in Colorado Privacy Act 

Under the Colorado Privacy Act, the right to enforce the data privacy law remains with the Colorado Attorney General and District Attorneys. 

Like Virginia’s VCDPA, Colorado’s privacy law doesn’t give residents a private right of action for business violations. 

Though the CPA sets no fixed amount per violation, unlawful business practices can constitute a deceptive trade practice under the Colorado Consumer Protection Act, which imposes penalties of up to $20,000 per violation.

The CPA allows entities a 60-day cure period for alleged violations. This right-to-cure period will cease to exist on January 1, 2025.

Instead, Controllers or businesses can request opinion letters and guidance from Colorado’s Attorney General’s office. 


Colorado’s Privacy Compliance with PrivacyPillar 

PrivacyPillar’s Consent Management Platform is what your business needs to get global-level compliance along with state laws like the Colorado Privacy Act, California’s CCPA/CPRA, Virginia’s VCDPA, and Europe’s GDPR. 

With so many legal complexities unnecessarily consuming much of your time, PrivacyPillar’s fast integration helps you get compliance in minutes without writing a single line of code.  

Cookie Consent Management helps businesses take consumers’ explicit consent to collect their data without harming their user experience. 

Consent and Preference Management helps your business to understand how your customers want to connect with you and how you can provide the maximum value at minimum cost. 

DSAR Management demonstrates trust and transparency by providing users access to their data and the ability to modify or delete it without interference.  

To learn more about PrivacyPillar’s Data Privacy products, contact one of our experts, who will go in-depth into the technicalities and give you precisely what you need. 

Conclusion 

Compliance with data privacy laws is crucial for businesses in the digital age.  

Non-compliance can lead to severe legal and financial consequences, reputation damage, and customer trust loss.  

By prioritizing data privacy, businesses can build trust, enhance customer loyalty, and mitigate the risks associated with data breaches, ensuring long-term success in the evolving digital landscape.