Colorado Privacy Act

What you need to know about the CPA:

Does the CPA Apply To You?

The CPA applies to entities that:

  1. Conduct business in or provide commercial products or services intentionally targeted to residents of Colorado (consumers), and
  2. Annually control or process the PI of either:
    1. 100,000 residents, excluding data solely used for completing payment transactions; or
    2. 25,000 consumers, while deriving revenue or receiving a discount on the price of goods or services from the sale of PI.

Where Does the CPA NOT Apply?

Exempt Entities: Exempt entities include:

  • Air carriers;
  • National Securities associations registered pursuant to the SEC Act of 1934;
  • Public Colorado institutions of higher education;
  • Certain bodies, authorities, boards, bureaus, commissions, districts, or agencies of the state;
  • GLBA-covered entities.

Exempt Data: The CPA exempts a long list of personal information, including but not limited to:

  • Protected Health Information under HIPAA;
  • Data covered by the Gramm-Leach-Bliley Act;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the FCRA;
  • Employment data;
  • Certain data processed by public utilities;
  • Data covered by a wide variety of other federal laws including FERPA data and DPPA data.

Exempt Use Cases: The CPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context.

In addition, the CPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of CO’s Data Privacy Law

What Constitutes Personal Information Under CPA?

Personal Information (PI), called “personal data” in the CPA, means any information that is linked or reasonably linkable to an identified or identifiable individual. The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer. However, pseudonymous data combined with information that can reasonably link it to an identified or identifiable individual is covered as PI.

What Constitutes Sensitive PI Under CPA?

Colorado’s definition of sensitive PI, called “sensitive data” in CO, consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or citizenship status;
  • PI from a known child;
  • Genetic or biometric data processed for identification purposes;
  • Biological data.

Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, the CPA requires them to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the CPA.

Additionally, the CPA exempts pseudonymous data from access, correction, portability, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is Consent Needed to Process Sensitive PI?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA.

Consent is also required for a secondary use of information that is neither necessary for nor compatible with the purpose for which it was collected and that has not been disclosed to the consumer in a notice.

What Needs to Be Included in the Privacy Notice?

Under the CPA, a privacy notice must include:

  • Categories of PI processed;
  • Business purpose for processing;
  • Whether you share or sell PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
  • A method for a consumer to contact the organization;
  • The date of the latest update to the notice.

What Constitutes “Sale” of PI?

Colorado defines “sale” as the exchange of PI for monetary or other valuable consideration by the controller to a third party.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will the CPA Be Enforced?

The attorney general (AG) and district attorneys share enforcement responsibility for the CPA. The CPA provides a 60-day cure period for enforcement, meaning an enforcement agency must give notice and an opportunity for the business to cure the alleged violation(s); however, the cure period will sunset Jan 1, 2025. Violations are considered unfair trade practices, and remedies may include injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $20,000 per violation and a maximum penalty of $500,000.

Notably, the Colorado AG also has the power to release regulations, which it did in 2023.

Data Privacy is Just Good Business