Regulation

Colorado Privacy Act (CPA)

The Colorado Privacy Act is Colorado’s statewide privacy law that grants Colorado consumers new rights with respect to their personal data. It outlines the responsibilities and privacy protection requirements for covered organizations.

Are you subject to the Colorado Privacy Act?

The Colorado Privacy Act applies to organizations doing business in Colorado or delivering commercial products or services that are intentionally targeted at Colorado residents and meet one or both of the following criteria:

Control or process personal data of 100,000 or more consumers in a calendar year.
Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and processes or controls personal data of 25,000 or more consumers.

Obligations & rights under the Colorado Privacy Act

This data privacy and protection law requires organizations to provide control and transparency to Colorado residents on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Organizations must obtain the consumers’ consent through a webpage, application, or similar method before data processing and allow the consent to be revoked as easily as it was given. Follow required technical specifications for opt-outs of targeted advertising, sale of personal data, and profiling. The opt-out mechanisms must be provided in a clear, conspicuous, and readily accessible location outside the privacy notice. Under the Colorado Privacy Act, opt-out mechanisms must be recognized by organizations as valid consumer requests beginning July 1, 2024.

Policies & notices

Organizations must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, that includes the categories of personal data collected, the purposes of data processing, and instructions for consumers to exercise their rights. If the organization sells personal data to third parties or processes personal data for targeted advertising, the privacy notice must include information on an individual’s right to opt out of the sale of personal information or of targeted advertising.

Data subject rights & requests

Consumers are entitled to access, correct, delete, and exercise data portability rights without requiring them to create new accounts. Organizations must respond to data subject rights requests within 45 days of receiving the request.

Data protection assessments

Organizations must conduct and document a Data Protection Assessment of each processing activity that presents a heightened risk of harm to consumers, this includes processing data for the purposes of targeted advertising, selling of personal data, and processing sensitive data.

Vendor management

Organizations must execute vendor contracts in order to meet their required obligations, establish a clear allocation of vendor responsibilities, and conduct regular vendor audits.

Whitepaper

The Ins and Outs of the Colorado Privacy Act

The Colorado Privacy Act (CPA) was passed on July 8th, 2023. Get an in-depth brief on the definitions and requirements under the CPA and how to implement a compliant response program for consumer requests.

Download now

Achieve compliance

FAQs

What is the Colorado Privacy Act?

The Colorado Privacy Act is Colorado’s statewide privacy law that grants Colorado consumers the rights to access, correct, and delete their personal data, as well as the right to opt out not only of the sale of personal data but also of the collection and use of personal data. It enforces a proactive obligation on organizations to ensure the protection of personal data, to furnish consumers with clear, comprehensible, and transparent details regarding the utilization of their personal data, and to reinforce adherence and responsibility by mandating data protection assessments during the gathering and utilization of personal data. Finally, it grants authority to the Attorney General and District Attorneys to review and assess a company’s data protection assessments, to levy penalties in cases of violations, and to prevent future infractions.

This privacy act took effect on July 1, 2023.
Who has privacy rights under the Colorado Privacy Act?

The Colorado Privacy Act extends privacy rights to consumers in Colorado but does not encompass individuals in commercial or employment roles, including job applicants or beneficiaries of individuals acting within an employment context.
What is personal information and sensitive personal information under the Colorado Privacy Act?

Personal information refers to data that is associated or reasonably associable with an identified or identifiable individual but excludes de-identified data or information that is publicly available. Examples include a first and last name, identification number, specific geolocation data, or an online identifier. ‘Publicly available information’ denotes data that is lawfully accessible from federal, state, or local government records, and information that a controller reasonably believes the consumer has lawfully disclosed to the general public.

Sensitive personal information refers to data about racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or from a known child. Under the Colorado Privacy Act, a consumer’s consent is required before processing their sensitive personal information.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.