The Colorado Privacy Act 101

The Four Corners of the Centennial State’s new privacy law

Colorado is home to the highest incorporated city in the US (Leadville), the highest paved road in North America (the road to Mt. Evans), and the highest car tunnel in the world (the Dwight Eisenhower Memorial Tunnel).

It’s also the home to the country’s third comprehensive consumer privacy law.

Another interesting fact? Colorado’s borders, along with those of Arizona, New Mexico, and Utah, are part of the Four Corners, the only geographic point in the United States shared by four separate states.

Let’s talk about the four corners of its new privacy law, the Colorado Privacy Act (CPA).

Corner 1: Who the CPA applies to

Before we get too far into the details of the CPA, it’s important to note that there are no federal laws governing the collection, use, or sharing of personal information online. That being said, here are the big players in consumer privacy law:

GDPR: The General Data Protection Regulation was passed by the European Union in 2016, has been in effect since 2018, and is the grandparent of modern digital privacy law.
CCPA: The California Consumer Privacy Act, in effect since January 1, 2020, was the US’s first comprehensive law focused on protecting consumers’ sensitive personal information.In November 2020, California voters approved the California Privacy Reform Act, which will expand upon the CCPA when it goes into effect in January 2023.
VCDPA: Passed by the Virginia General Assembly in early 2021, the Virginia Consumer Data Protection Act borrowed elements of both the GDPR and the CCPA while including some requirements specific to Virginia’s needs.

Now, let’s talk about Colorado.

Similar to both California and Virginia, Colorado’s privacy law applies to businesses that operate in, intentionally target products or services to, or collect data from residents of Colorado. Additionally, businesses must meet one of the following two conditions to be subject to the CPA:

Control or process the personal data of at least 100,000 consumers per year OR
Receive revenue or a discount on goods or services from the sale of personal data while controlling or processing the personal information of at least 25,000 consumers

A few other CPA definitions of note:

Consumer: A Colorado resident acting only in an individual or household context, which means employees are excluded
Sale of personal information: The “exchange of personal data for monetary or other valuable consideration,” potentially putting data sharing in the “sale” category

Data that is already subject to federal laws like the Gramm-Leach-Bliley Act (GLBA) or HIPAA is exempt from the CPA.

How the CPA differs from the CCPA & VCDPA

The CCPA only affects businesses that meet one of the following criteria:

Have an annual revenue of over $25M, OR
Buy, receive, sell or share the personal information of 50,000 or more California residents, OR
Derive 50% or more of annual revenue from selling consumer personal information.

Both the CCPA and the VCDPA stipulate companies have to derive 50% of gross annual revenue from selling data to trigger their eligibility.

There are no revenue thresholds for businesses under the CPA, meaning even small businesses that make very little money or receive few discounts for selling their collected data are subject. The CPA also does not exempt non-profit organizations from compliance.

Corner 2: CPA consumer rights

Many of the consumer protections included in the CPA are similar to those in other privacy laws. Consumers are given the right to:

Be informed when and what types of data are collected
Access the data that has been collected from them
Correct inaccuracies in the collected data
Delete their data from databases
Data portability (receiving copies of their data records in an easily transferable, user-friendly format)
Opt-out of behavioral advertising (targeted ads based on inferred user preferences)
Opt-out of having their data sold (which, under the CPA, could potentially mean shared)
Opt-out of automated profiling (a decision that produces a legal effect)
Appeal a company’s denial to take action on any other rights within a reasonable time

How the CPA differs from the CCPA & VCDPA

The biggest difference between the CPA and its California and Virginia counterparts is the requirement for businesses to offer consumers a universal opt-out mechanism that allows them to exercise all their opt-out options with a single click.

Exactly how that universal opt-out will work isn’t spelled out yet, but the Colorado AG is legally required to put out the technical requirements by July 1, 2023.

Corner 3: CPA business obligations

We know we sound like a bit of a broken record, but many of the requirements the CPA places on businesses are similar to those of other privacy laws. These duties include:

Transparency, in the form of a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of data collected and the people with whom data is shared
Specifying exact purposes for collection and processing of personal data
Minimal data collection practices
Avoiding secondary use
Implementation of reasonable security measures
Receiving consumer consent via a “clear affirmative act signifying consent is freely given” before processing certain categories of sensitive data
Conducting regular risk assessments
Not processing personal data in violation of a state or federal law that prohibits unlawful discimrination against consumers

Data controllers, who are responsible for determining how and why data is processed, are required to respond to consumer requests within 45 days, with an additional 45-day extension possible in some circumstances.

How the CPA differs from the CCPA & VCDPA

The CPA and VCDPA are fairly similar when it comes to business obligations, but its regulations are closer to the California Privacy Rights Act (CPRA), the CCPA’s replacement starting in 2023.

The standards for what constitutes consumer consent under the CPA are more stringent than those in the CCPA. Colorado’s law also requires that controllers conduct a data protection or risk assessment if they process personal data that has a heightened risk, such as selling personal data or processing sensitive data.

Corner 4: CPA enforcement

Uniquely among US privacy laws, the CPA can be enforced by the state attorney general or by district attorneys. This broader administration capability spreads the load of overseeing compliance and will likely increase enforcement actions without requiring the creation of a new agency.

Another distinct provision in the CPA is the inclusion of a 60-day cure period that allows data controllers to remedy adverse findings and thus avoid action by the attorney general or district attorney. This provision only exists until 2025, giving companies two years to make sure they have all their ducks in a row.

The CPA does not include a private right of action, meaning consumers can’t sue a company as an individual if their personal data is exposed in a breach. This is also one of the only privacy laws without a clearly delineated fine schedule.

That’s not necessarily a good thing. Under the statute, violating the CPA is a deceptive trade practice punishable by up to $20,000 per violation.

As happened in California, it’s likely that the law will be amended and updated before it becomes enforceable on July 1, 2023.

How it differs from the CCPA & VCDPA

Both the CCPA & the VCDPA stipulate that the state attorney general is the only party authorized to initiate actions against violators, and they both have a shorter cure period of only 30 days. The CCPA also contains a private right of action, whereas the VCDPA does not.

Unlike the Colorado law, the statutes in California and Virginia both have strict fine guidelines of up to $7,500 per violation.

How to get your company ready

If your company is CCPA- or GDPR-compliant, your data privacy program probably only needs a few tweaks to be ready for the CPA.

If you don’t have a strong privacy program, the good news is that you have two years before the CPA becomes effective. Starting today (or, okay, this month) will give you time to build an effective, agile program that can adapt to the regulatory updates or changes that will inevitably come your way.

Here are six steps you can take now. For more information, consult our downloadable guide to CPA Compliance.

Track a data record through your entire system

Called a data map or data inventory, this process will tell you if you are collecting data you don’t need, keeping it for too long, or storing it in ways that are not secure.

Fix your security gaps

Strengthen your processes for installing software updates, setting passwords, granting access, use of work devices, etc. If your business collects personal data, it must establish and implement and maintain reasonable technical safeguards of data protection. Performing a cyber risk assessment will help identify areas to incre

Update your privacy policy

Your privacy policy should match your data practices, but it should also be easy for your customers to understand.

Train your employees

One wrong click by an employee can derail your entire privacy program. If you want your compliance efforts to succeed, you need to make privacy training part of your culture. In addition to full-day, company-wide trainings, talk about privacy principles in staff meetings, one-on-one coaching sessions, and team emails.

Tell your customers what you’re doing

Everyone will have to implement privacy programs eventually, but companies that do it proactively have a great opportunity to demonstrate their commitment to their customers and build trust with them.

Plan to manage individual data

Being ready for the CPA means being prepared to meet individual rights requirements. Individuals have the right to be informed when their personal data is collected, to correct inaccuracies in their personal data, and to delete their data from your database. They also need to have the option to receive a copy of their personal data in an easy-to-use format and to opt out of ad targeting and having sensitive data shared or sold.

One more bonus tip

Here’s one more tip for you: hire a privacy consultant like Red Clover Advisors.

We are experts who are passionate about making privacy easier to operationalize to save you time and help you build trust with your customers. We have a variety of programs that can meet your needs and your budget.