



In this article, we will explore these requirements in detail, including how the CPA compares to other data protection laws such as the GDPR, CCPA, and VCDPA. By the end of this article, you will have a better understanding of the CPA's impact on your business, the cookie consent and opt-out requirements, consumer rights, and potential penalties for non-compliance.
If you are required to comply with the Colorado Consumer Privacy Act (CPA), you don’t need to ask for cookie consent. Many international privacy regulations require you to do so, but you can use cookies and other tracking technologies in Colorado without asking for permission.
However, using cookies and online trackers triggers many CPA requirements, and this article will delve deep into these requirements.
You’ll learn the following:
The Colorado Privacy Act (CPA) applies to businesses (referred to as "controllers") that meet the following criteria:
They conduct business in Colorado or produce/deliver commercial products or services intentionally targeted to Colorado residents.
They meet either of the following thresholds during a calendar year:
Unlike the California CCPA and CPRA, Virginia VCDPA, and other US states’ data privacy laws, the CPA has no applicable revenue threshold.
The CPA does not specifically mention cookies or set explicit requirements for cookie consent.
However, the CPA requires obtaining consumers’ consent for sensitive personal information processing, which means an opt-in is required.
Sensitive data includes data related to national or ethnic origin, health data, financial data, sexual orientation, genetic data, biometric data, and so on. To process personal data that belong to these categories, you need consent. It may also trigger the data protection assessment requirements.
You also need to obtain explicit consent for processing the data of a known child. You need consent from the parent or guardian of the child or both the child and the parent, depending on the child's age.
In all other cases, you can collect data via cookies if the consumer does not opt out. Controllers must be careful and respect the data minimization and purpose specification principles, which means processing only the minimum necessary amount of data for the purposes stated in the privacy notices.
This leads us to the key CPA cookie consent requirement: providing consumers with a privacy notice. Controllers must provide data subjects with clear privacy notices, informing them about the types of personal data being collected, processed, and shared.
If cookies are used, this should include information about cookies and similar technologies on their websites.
Users also have the right to opt out of certain data processing activities. This includes targeted advertising, personal data sales, and profiling. If a website uses cookies for these purposes, it triggers the requirement to provide consumers with clear and conspicuous notice of their right to opt out and an easy-to-use opt-out mechanism. Still, no user consent is needed.
Under the CPA, businesses (controllers) must provide consumers with the option to opt out of certain data processing activities, including:
To comply with these opt-out requirements, businesses should:
The CPA grants several rights to consumers, who are Colorado residents acting in their individual or household contexts. These rights aim to give consumers control over their personal data and protect their privacy. In this regard, the CPA follows the privacy legislation trends set out by California and Virginia laws.
Under the CPA, consumers have the right to:
Parents or guardians of children under 13 can exercise these rights on behalf of the children.
You need to establish processes and mechanisms to allow consumers to exercise these rights, provide clear privacy notices, and respond to consumer requests within 45 days (with the possibility of a 45-day extension if necessary).
In most cases, having an email address to receive requests and knowing where to look for the data would suffice.
The Colorado Attorney General and district attorneys enforce the CPA. They have exclusive authority to ensure compliance with the CPA's requirements. Consumers have no private right of action for violations, meaning that individual consumers cannot sue businesses directly for non-compliance. They can rely only on the Attorney General and district attorneys.
If you ever get in trouble with the CPA, the enforcement procedure would look like this:
1. The Attorney General or district attorneys issue a notice of violation to the business (controller) that allegedly violates the CPA.
2. The business has a 60-day cure period to rectify the alleged violation. This right to cure will sunset on January 1, 2025. After that, there will be no cure period, and fines will be issued immediately.
3. If the business fails to rectify the violation within the cure period, the Attorney General or district attorneys may initiate legal action against the business.
That can lead to penalties of $20,000 per violation.
The CPA shares many similarities with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and other privacy protection laws on a state level in the US.
However, it is quite different from the EU’s General Data Protection Regulation (GDPR). The most notable difference is in the opt-in vs. opt-out principles; another is the cure period given to businesses to rectify violations.
In addition, GDPR does not require “Do Not Sell” buttons, considering that the sale of personal data is forbidden.
Secure Privacy is a consent management platform (CMP) that could easily make your business CPA-compliant, although cookie consent is not always required in Colorado.
Secure Privacy software provides a privacy notice functionality that allows you to serve the required privacy notices to consumers easily. Should you use cookies, you can easily honor consumers’ requests related to the right to know, the right of access, the right to deletion, and so on.