Colorado’s newest privacy legislation, the Colorado Privacy Act, was signed into law on July 7, 2021. It will become effective on July 1, 2023, so what does this mean for your business? This comprehensive guide will provide an in-depth review of this new law, including the rights that it provides and how to remain compliant.
What is the Colorado Privacy Act?
The Colorado Privacy Act, or the CPA for short, was designed to protect the personal information of the state’s residents. It is very similar to the California Consumer Privacy Act, which aims to ensure that individuals are aware of what data is collected, why, and the opportunity to opt out.
The legislation will give Colorado residents the ability to access, correct, and delete any information that organizations maintain. The main driver behind this is targeted advertising since many businesses collect personal data to profile customers and provide specific ads.
Compliance with this new law will require most businesses to enhance their security measures and increase transparency into what they are doing with your data. The CPA will apply to all businesses that meet the following criteria:
- Any entity that earns revenue by selling personal data, or any business that processes or controls the personal data of 25,000 or more residents of Colorado
- Any entity that controls or processes information that can be linked to 100,000 or more individuals who live in Colorado during a calendar year
A unique aspect of the CPA is that it also applies to non-profits, as long as they meet these minimum thresholds.
To determine whether your organization needs to comply with the Colorado Privacy Act, you must first understand its definition of personal data. The CPA defines personal data as any information that can be reasonably linked to an individual. It excludes data that is considered public information found in local, state, or federal government records. Likewise, it does not apply to details kept by an organization for employment purposes.
In addition, if the data collected is already covered by other laws and regulations, the CPA will not apply. That means if the information is covered under HIPAA, the Fair Credit Reporting Act, or the Gramm-Leach-Bliley Act, those requirements will take priority.
You may be wondering, what about data that has been de-identified for business-to-business purposes? If the details you have are not linkable to any one individual and do not meet any of the criteria described above, then the CPA will not apply. However, if your organization collects and manages the data of Colorado residents, you will need to prepare to address these new rules.
Consumer Rights Under the CPA
The Colorado Privacy Act significantly enhances the rights that consumers have over their personal information. Like the GDPR in Europe and the CCPA in California, the goal is to make sure that individuals are aware that businesses are collecting their data – and for what purposes the information will be used.
Here is a breakdown of the rights that the CPA establishes for Colorado residents:
The Right to Opt-Out
Perhaps the most notable right established under this legislation is the ability to opt out of the sale of their data. This addresses concerns about profiling and targeted advertising that leverage sensitive information.
The opt-out rights apply to any sensitive data, including race and ethnicity, sexual orientation, citizenship status, religious beliefs, genetic data, and health conditions. In other words, businesses must give users a choice before they use these details to create targeted ads and profiles.
Much of the advertising done on social media and other online platforms relies on this data to reach a targeted audience, so this will present a big change for many marketers in the state.
Access to Information
Another right that users have under the CPA is the right to access the information an organization has collected about them. They must be allowed to confirm whether the business gathered or processed their personal data – and they have the right to correct or delete anything that they find.
That means an individual can ask you to confirm that the personal data you collected is correct, or ask that you delete any information you have on file.
Now that you understand what the Colorado Privacy Act is – and the rights it establishes – let’s dive into how your company can ensure compliance with these new requirements.
For starters, the CPA requires that your business provide a Privacy Notice to all customers. This document must be clear and accessible, so all users are made aware of the practices surrounding the processing of their private information.
The privacy notice must define the type of personal data you collect, why that information needs to be processed, and how consumers can exercise their rights under the CPA.
Similarly, the law imposes data minimization and safeguard requirements to ensure the information you do collect is protected. For example, only details that are reasonably necessary – and that relate to the purposes disclosed – are allowed to be collected.
So, if an organization states they need your details to validate your identity, they cannot turn around and use that data to develop targeted advertising.
Regardless of the reason for collecting data, your organization must first obtain consent from the consumer. This is where the opportunity to opt-out comes in – the user must provide a clear yes or no answer as to whether they want their data to be collected.
Another aspect of complying with the CPA is ensuring that the information you process is safeguarded. Your organization is responsible for implementing security measures based on the volume, nature, and scope of the data that is controlled.
It is important to note that the Colorado Privacy Act does not have a private right of action – but both the state District Attorney and the Attorney General can take civil action. The civil enforcement authority ensures that they can verify that businesses are complying with the regulations.
If there is a violation, businesses have 60 days to remedy it. However, this cure period will only be in place until 2025.
Get consent before loading third party tracking scripts
At CookieFirst, we offer customizable cookie consent management tools to ensure that you comply with POPIA, GDPR, and any other regulatory requirements that apply to your organization. Our consent management platform (CMP) lets you monitor consent for third-party scripts, view statistics on opt-in rates, set up granular opt-in, and more!
The process is user-friendly and simple. You can scan and monitor your visitors’ consent and replace all third-party scripts with one single code snippet. Similarly, all consent is logged and encrypted within an anonymous database for retention purposes. Try CookieFirst!