Explore the key provisions of the Colorado Privacy Act (CPA) and learn how businesses can achieve compliance in 2024. Discover the implications, requirements, and consumer rights outlined in this comprehensive privacy legislation, signed by Governor Jared Polis in 2021 and enforced from July 2023.
The Colorado Privacy Act (CPA) is Colorado's most comprehensive privacy legislation to regulate how companies that conduct business in Colorado and process the personal information of Colorado residents should handle such data.
The CPA requires businesses to meet certain standards and grants consumers privacy rights and a private right of action in case of CPA violations.
Governor Jared Polis signed the Colorado Privacy Act in 2021, but most of the provisions became enforceable in July 2023.
Colorado was the third state to enact a comprehensive privacy law protecting consumer personal information. It followed the California Consumer Privacy Act (CCPA, amended by the California Privacy Rights Act) and Virginia's Consumer Data Protection Act. The CPA builds on the concepts set out in those two laws, which is also what distinguishes it from the EU's General Data Protection Regulation.
The Colorado Privacy Act applies to your business if you do business in Colorado and either:
There are no revenue thresholds like in Virginia and California. The Colorado data privacy law applies to businesses of all sizes, as long as they meet the processing thresholds set out in the law.
In addition, the Colorado Consumer Protection Act does not apply to the personal information covered by:
The data protection law in Colorado defines personal information as any type of information that could identify an individual.
Therefore, personal information can be anything from a Social Security number and personal name to an IP address, browsing behavior, and device fingerprints. Almost any data point can qualify as personal information.
The Colorado Privacy Act requires businesses to meet several standards to achieve consumer data privacy compliance and avoid troubles with the Colorado Attorney General's Office.
The most important ones include:
Under the Colorado Privacy Act (CPA), the data minimization principle has two key aspects:
1. Limiting collection, meaning that controllers can only collect personal data that is adequate, relevant, and limited to what is reasonably necessary for the stated purposes of processing. They can't just collect everything they might find useful later; it must be directly tied to a specific reason for using it.
For example, a store collecting your name and address for delivery is fine, but collecting your browsing history might not be if it's not used for personalization directly related to your purchase.
2. Regular review and deletion, meaning that controllers must review whether the collected data is still necessary, adequate, or relevant for the stated purposes at least once a year. This applies particularly to sensitive data like biometrics, photos, or audio recordings.
The purpose limitation principle under the Colorado Privacy Act (CPA) goes hand-in-hand with the data minimization principle and complements it by focusing on how the collected data can be used. Here's what it means:
1. Transparency about data purposes. Controllers must be transparent about the specific purposes for which they collect and process personal data. They must state them in the privacy notice served to consumers. They need to inform consumers explicitly about how their information will be used before collecting it.
2. Processing within specified purposes, requiring controllers to only process personal data for the purposes originally disclosed to consumers and for which their consent was obtained (if required). This means they cannot repurpose the data for something different from what they initially stated without first obtaining new consent from the consumer.
However, the CPA allows for some exceptions, such as processing for legal compliance, fraud prevention, or internal research purposes, under certain conditions.
Businesses targeting residents of Colorado must serve consumers with a meaningful privacy notice. In practice, that's your privacy policy. The Colorado privacy policy aims to inform consumers about your processing activities. It needs, at a minimum, to contain the following:
The Colorado comprehensive data privacy law uses an opt-out approach for most data processing, meaning you can collect and process data without consent as long as you provide a way for consumers to opt out.
In some cases, you need opt-in consent, meaning you require a positive affirmation from the consumer before proceeding with the processing.
The Colorado Privacy Act (CPA) has specific requirements for when and how consent is needed for processing personal data. It is needed in three cases:
To be valid, consent must meet specific criteria:
Under the CPA, businesses (controllers) must offer consumers the choice to opt out of specific data processing activities, which include:
To comply with the CPA opt-out requirements, businesses subject to the Colorado state privacy legislation should:
The Consumer Protection Act (CPA) provides individuals, or the parents or guardians of children under 13, with these rights:
Consumers can exercise their rights by submitting consumer requests. You are obliged to list the methods for submitting requests in your privacy policy. If a consumer submits a request in another way, you must either treat it as if it had been submitted properly or guide the consumer on how to submit it correctly.
The Colorado Privacy Act (CPA) may not explicitly require data protection impact assessments (DPIAs), but it does strongly suggest businesses carry them out for activities that present a "heightened risk" to consumer privacy.
The CPA outlines specific activities that require a closer look due to their potential privacy implications. These activities include:
Businesses should evaluate the nature, scope, context, and purpose of the data processing to fully understand its potential impact on individuals. The assessment must identify the risks to individuals, such as discrimination, reputational damage, or financial loss.
It should also assess the safeguards in place, such as data minimization practices, encryption, or access controls, that mitigate the identified risks, and weigh the benefits of the processing against the risks that remain.
To effectively manage these assessments, best practices include documenting the assessment process, outlining the risks identified, evaluating safeguards, and recording the decisions made. It's also important to regularly review and update assessments to reflect changes in business practices or the regulatory environment.
Consumers can file complaints with the Attorney General's office or their local district attorney. The Attorney General or District Attorney may investigate the complaint and take appropriate action, including issuing warnings, seeking civil penalties, or filing lawsuits.
Individuals can also file private lawsuits for injunctive relief, and the National Consumer Law Center (NCLC) can bring lawsuits on behalf of consumers.
This means that the enforcement of the Colorado Privacy Act (CPA) involves a collaboration between several entities:
The Colorado Attorney General (AG) holds the primary responsibility for enforcing the CPA. The AG can investigate potential violations, issue subpoenas, and take legal action against violators, including seeking civil penalties of up to $5,000 per violation.
In addition, the Attorney General's Office publishes rules and guidance to further clarify the CPA's requirements.
District attorneys have concurrent authority to enforce the CPA within their jurisdictions. They can investigate complaints and take legal action, similar to the Attorney General.
Finally, private individuals can sue for injunctive relief if they believe the CPA has been violated. They cannot seek monetary damages in private lawsuits under the CPA.
The National Consumer Law Center (NCLC) also plays a role in the CPA enforcement landscape. It has the right to bring lawsuits on behalf of Colorado residents to enforce the CPA. The NCLC can seek both injunctive relief and monetary damages in these lawsuits.