The Colorado Privacy Act

April 18, 2022

By: Angie M. Fletcher

The Colorado Privacy Act (CPA), Colorado’s own set of privacy laws, was enacted in July 2021 and will go into effect in July 2023. Following California and Virginia, Colorado will be the third state to establish laws to protect and enforce consumers’ privacy rights.

The CPA impacts any business producing or delivering commercial products or services in Colorado. More specifically, if a business intentionally targets residents of Colorado and (1) controls or processes the personal data of at least 100,000 individuals during a calendar year or (2) derives revenue or receives a discount on goods or services in exchange for the sale of personal data of at least 25,000 individuals, that business will be required to comply with the Colorado Privacy Act. Select businesses, such as air carriers, national securities associations, and businesses that retain employment records (i.e., public utilities, state government, and public institutions of higher education), will be exempt from certain obligations under the CPA.

Businesses that either control or process consumers’ personal data will be required to take reasonable measures to secure data and prevent breaches, information leaks, and unauthorized access. Similar to other data privacy laws, the CPA will require businesses to conduct a data protection assessment to evaluate the risks of processing or selling personal data. Businesses that share personal data with another business will be required to enter into a data processing contract describing the roles, authorized actions, confidentiality obligations, and proper handling of the data.

The CPA distinguishes personal data from sensitive data and establishes different standards for interfacing with the consumer and their data. A business must obtain a consumer’s ‘opt-in’ consent prior to processing sensitive data. The CPA considers sensitive data to be a person’s racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child. Conversely, businesses must offer a consumer an ‘opt-out’ option when the business uses personal data for targeted advertising, selling the data, or profiling. Any information that can identify an individual, such as a telephone number, email address, or social security number, is considered personal data. Information that has been de-identified, made available from government records, or sourced from employment records is not considered personal data.

A business that processes a consumer’s personal data must provide a notice detailing the type of information collected, how it is used and shared with other parties, and inform the consumer how and where they can exercise their opt-out rights. The ‘opt-out’ function must be readily accessible to the consumer, such as a browser link or device setting.

Enforcement of the privacy laws varies, but businesses can expect the Colorado Attorney General or the district attorneys to impose fines of up to $20,000 for each violation. One of the best ways to protect your business from these fines is to adopt and implement a compliance program that includes a privacy policy accessible to consumers.

The Colorado Attorney General is currently seeking feedback to improve the CPA. Specifically, the Attorney General seeks to clarify ambiguities in the law and provide further guidance on how businesses can comply with the law. This is an opportunity to provide feedback and ideas on how to improve technology and address open issues in implementing the CPA. Businesses and consumers are encouraged to provide feedback during this rulemaking process, which can be accessed here.

I will be monitoring the progress of the Colorado Privacy Act in the coming months and can assist you and your clients in navigating this new legal landscape.