Colorado Privacy Act

What you need to know about the CPA:

Does the CPA Apply to You?

The CPA applies to entities that:

  1. Conduct business in or provide commercial products or services intentionally targeted to residents of Colorado (consumers), and
  2. Annually control or process the PI of either:
    1. 100,000 residents, excluding data solely used for completing payment transactions; or
    2. 25,000 consumers, and derive revenue or receive a discount on the price of goods or services from the sale of PI.

You may also be subject to the CPA if you control or process any amount of biometric identifiers or biometric data or personal information of minors.

Where Does the CPA NOT Apply?

Exempt Entities: Exempt entities include:

  • Air carriers;
  • National Securities associations registered pursuant to the SEC Act of 1934;
  • Public Colorado institutions of higher education;
  • Certain bodies, authorities, boards, bureaus, commissions, districts, or agencies of the state;
  • GLBA-covered entities.

Exempt Data: The CPA exempts a long list of personal information, including but not limited to:

  • Protected Health Information under HIPAA;
  • Data covered by the Gramm-Leach-Bliley Act;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the FCRA;
  • Employment data;
  • Certain data processed by public utilities;
  • Data covered by a wide variety of other federal laws including FERPA data and DPPA data.

Exempt Use Cases: The CPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context (except certain provisions about use of employees’ biometric identifiers).

In addition, the CPA specifies that it should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of CO’s Data Privacy Law

What Constitutes Personal Information Under CPA?

Personal Information (PI), called “personal data” in the CPA, means any information that is linked or reasonably linkable to an identified or identifiable individual. The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer. However, pseudonymous data combined with information that can reasonably link it to an identified or identifiable individual is covered as PI.

What Constitutes Sensitive PI Under CPA?

Colorado’s definition of sensitive PI, called “sensitive data” in CO, consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or citizenship status;
  • PI from a known child;
  • Genetic or biometric data processed for identification purposes;
  • Biological data.

Any Other Categories of Data I Should Think About?

Biometrics

Controllers that process biometric data or biometric identifiers have increased obligations under an amendment passed in May 2024. They must notify consumers, prior to collection, of collection of a biometric identifier, the purpose for collection, length of retention, and whether it will be shared with a processor and for what purpose. They must then obtain consent for the processing. Additionally, controllers must implement a written policy that covers consumer biometric data, which they may need to make publicly available. They are prohibited from selling it or sharing it without consent or a legal obligation, and they must provide appropriate security protections for it at rest and in transit. Notably, the amendment also put in place limitations and consent obligations on controllers’ use of biometric identifiers of employees.

Minors

As of October 1, 2025, controllers that process minors’ personal information online will need to implement certain safeguards. They must obtain consent from the minor or their parent (for minors under 13) prior to using minors’ information for targeted ads, sale or certain profiling; for a purpose not disclosed upon collection; processing their personal information longer than necessary for the purpose; or collecting their precise geolocation.

Absent consent, controllers must also avoid using features that extend or increase a minor’s use of their product or service. And they must use reasonable care to avoid any heightened risk of harm to minors caused by their products and services and conduct a data protection assessment any time they cannot avoid such harm.

De-identified and Pseudonymized

Where a controller processes de-identified data, the CPA requires them to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the CPA.

Additionally, the CPA exempts pseudonymous data from access, correction, portability, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is Consent Needed to Process Sensitive PI?

In a word: YES!

Note: CPA rules require controllers to refresh consent if they have not interacted with a consumer in the prior 24 months.

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI from a known child (under 13) in accordance with COPPA. For minors aged 13-17, consent is required to use PI for targeted ads, sale or certain profiling; for a purpose not disclosed upon collection; processing their PI longer than necessary for the purpose; or collecting their precise geolocation.

Consent is also required for secondary use of information that is not necessary for, or compatible with, the purpose for collection and has not been disclosed to the consumer in a notice.

Note: CPA rules require controllers to refresh consent if they have not interacted with a consumer in the prior 24 months.

What Needs to Be Included in the Privacy Notice?

Under the CPA, a privacy notice must include:

  • Categories of PI processed;
  • Business purpose for processing;
  • Whether you share or sell PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
  • A method for a consumer to contact the organization;
  • The date of the latest update to the notice.

What Constitutes “Sale” of PI?

Colorado defines “sale” as the exchange of PI for monetary or other valuable consideration by the controller to a third party.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will the CPA Be Enforced?

The attorney general (AG) and district attorneys share enforcement responsibility for the CPA. The CPA provides a 60-day cure period for enforcement, meaning an enforcement agency must give notice and an opportunity for the business to cure the alleged violation(s); however, the cure period will sunset Jan 1, 2025. Violations are considered unfair trade practices, and remedies may include injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $20,000 per violation and a maximum penalty of $500,000.

Notably, the Colorado AG also has the power to release regulations, which it did in 2023.

Data Privacy is Just Good Business