Colorado Privacy Act (CPA) Summary

06.01.23

This article is a summary of the upcoming Colorado Privacy Act and its potential impacts on Colorado businesses and business owners. 

When is the CPA effective?

July 1, 2023.
 

What businesses does the CPA apply to?

The CPA applies to entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either (a) control or process the personal data of 100,000 or more consumers during a given year, or (b) control or process the personal data of 25,000 or more consumers and derive revenue or realize discounts from the sale of personal data.
 
There is no monetary threshold for applicable entities, meaning the CPA applies to all sizes of companies, so long as the company meets the above criteria.
 
For purposes of the CPA, “consumer” means Colorado residents acting in their individual or household contexts. It does not include Colorado residents acting in a commercial or employment context. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable individual but does not include publicly available information.
 

Are any otherwise applicable businesses exempt from the CPA?

Yes. The CPA does not apply to certain types of entities and data sets that are otherwise regulated by other bodies of law, such as financial institutions and certain types of healthcare-related data. Businesses that are already subject to federal privacy laws should review those laws’ exemptions to see if any apply.
 

What new rights do consumers have under the CPA?

New consumer rights include the right to opt out of the processing of personal data for targeted advertising or for the sale of such personal data. The CPA provides for applicable companies to have a universal opt-out mechanism, which such companies may implement once the CPA goes into effect on July 1, 2023. Beginning July 1, 2024, the opt-out mechanism will be mandatory. The CPA lacks clear guidance regarding the expectations for the opt-out mechanism, but the Colorado Attorney General will promulgate rules detailing the requisite technical specifications by July 1, 2023. The user-friendly mechanism must allow consumers to freely and unambiguously choose to opt out, and such a mere default opt-out setting will be insufficient.
 
Consumers will also be afforded the right to access certain personal data (and to obtain it in a portable, readily usable format) and with the rights to correct inaccuracies and to delete personal data concerning them. Once a consumer submits a request to access, correct, delete, or provide personal data, the receiving entity must respond to the consumer’s request within 45 days of receiving it. Consumers will have the right to appeal an entity’s decision once rendered.
 

What do applicable businesses need to do?

To comply with the CPA, businesses will need to:
 
  1. Provide consumers with clear privacy notices, including an online privacy policy that identifies information such as the categories of personal data that are collected or processed, the purposes for which the data are processed, how consumers can exercise their rights, and disclosures around the selling and sharing of personal data.
  2. Obtain consumer consent prior to collection or processing sensitive data as well as when businesses intend to use personal data for a purpose other than the purpose that the personal data was originally collected.
  3. Conduct data protection assessments for any personal data processing that presents a heightened risk of harm to consumers. The CPA does not offer guidance as to what may or may not qualify as a “heightened risk of harm,” but the Colorado Attorney General may promulgate clarifying rules before the CPA goes into effect.

What is sensitive data?

The CPA distinguishes certain types of personal data as sensitive data and places additional requirements around the processing of such data. The CPA defines sensitive data as any personal data that reveals:
  1. Racial or ethnic origin.
  2. Religious beliefs.
  3. Mengal or physical health conditions or diagnosis.
  4. Sex life or sexual orientation.
  5. Citizenship status.
  6. Genetic information.
  7. Biometric information.
  8. Personal data or a known child.

Please click here to view article on the ColoradoBiz website