The Colorado Privacy Act (CPA): Requirements, Enforcement, and More

As the third state to pass a data privacy law, Colorado served as a bellwether of things to come in U.S. privacy law. Naturally, Colorado has its own unique spin on comprehensive data privacy legislation, which can make compliance tricky.  

We’ll dive into the specifics of the Colorado Privacy Act (CPA) in this blog, including what it has in common with other state laws and where it differs. 

What Is the Colorado Privacy Act? 

The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to the California Privacy Rights Act (CPRA), Virginia's Consumer Data Protection Act (CDPA), and other state laws. It even borrows some terms and ideas from the EU's General Data Protection Regulation (GDPR). 

While there are similarities, such as some form of a right to opt out of data collection and processing, special protections for sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details. That's according to Kirk Nahra, a longtime privacy attorney and co-chair at Wilmer Hale.  

The CPRA (California) and CPA (Colorado) define "sensitive data" differently, for example. "Companies will need to take into account these details to reach compliance," Nahra said. We’ll walk through the CPA’s definition of sensitive data, among its other requirements, below. 

What Are the Colorado Privacy Act (CPA) Requirements for Businesses? 

The CPA features a number of requirements that will be familiar to those who have had to become compliant with other data privacy laws. 

Businesses need to provide notice to consumers that explains what data they collect and process, why, how consumers can exercise their rights, what data they share with third parties, who those third parties are, whether they sell data to third parties, and a how consumers can opt out of the sale or processing of data for targeted advertising. 

Generally, the Colorado data privacy law requires opt-out consent; that is, businesses can collect and process data so long as they inform consumers (as described above) and give them a means of opting out of that collection and processing. 

However, businesses need to collect opt-in consent (which requires consumers to make some affirmatory signal before collection and processing of personal data begins) under certain circumstances. A parent or guardian must give opt-in consent before businesses can collect and process data for children under 13. If the business wants to use personal data for a second purpose beyond what it described in its original notice, opt-in consent is again required. And lastly, the business must secure opt-in consent for sensitive data, which includes: 

• Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. 
• Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. 
• Personal data from a known child. 

Businesses must also conduct data protection assessments before processing activities that may present a heightened risk to the consumer. That could be targeted advertising or profiling, selling data, processing sensitive data, and other activities. 

While there are many other requirements like the need to comply with purpose specification and data minimization, one of the major features of the law is the need to comply with data subject access requests (DSARs).  

Data privacy laws give consumers certain rights they may choose to exercise; when they do, it’s called a DSAR. Businesses have 45 days to respond to a DSAR, or request a 45-day extension for high-volume and/or complex requests. 

What Consumer Rights Does the Colorado Privacy Act Grant? 

The CPA lists five rights granted to Colorado residents once the law becomes effective. They are:  

• The right to opt out of targeted ads, the sale of their personal data, or being profiled.  
• The right to access the data a company has collected about them.  
• The right to correct data that's been collected about them.  
• The right to request the data collected about them is deleted.  
• The right to data portability (that is, the right to access data in an easily accessible and transportable format).  

Who Must Comply With the Colorado Privacy Act? 

Colorado’s privacy law applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 

What Updates Have Been Made via Rulemaking? 

One would think that when a data privacy regulation is signed into law, then that’s the end of it—barring any future amendments, of course. 

In reality, the legislative process involves further steps. The initial bill serves more as a framework for administrators and agencies to develop further in a process known as rulemaking. When it comes to data privacy law, rulemaking can make important clarifications to a given law. 

For the Colorado data privacy law, rulemaking has concluded, and businesses subject to the CPA have much-needed guidance on a number of previously unclear requirements. Here’s a non-exhaustive list: 

• Universal opt-out mechanisms, such as the Global Privacy Control, must be treated like an opt-out request from the consumer themself. 
• Opt-in consent must be obtained for the items described previously, such as processing sensitive data, but also for targeted advertising and profiling a consumer after a consumer has opted out, process 
• The CPA now explicitly requires consent to meet many of the same standards set by the GDPR; that is, that consent must be obtained through clear, affirmative action and be specific, informed, unambiguous, and freely given. Dark patterns (the use of design to manipulate), blanket acceptance of terms of service, silence, inactivity or inaction, pre-ticked boxes, and similar manipulative practices do not constitute consent. 
• Though most data privacy laws require businesses to adhere to data minimization requirements (i.e, limiting data collection to only that which is necessary to achieve a specific, stated purpose), the CPA rules go a bit farther. It requires controllers to review whether storage is necessary, adequate, or relevant to the stated processing purposes at least once a year for data like biometrics identifiers, digital or physical photographs, and audio or voice recordings.  
• Relative to other state privacy laws, the CPA provides a lot more direction on when data protection assessments are required and what’s required in them. At minimum, controllers must update their data protection assessment whenever the level of risk related to the processing of personal data is materially changed. That could be triggered by a change in the processing purpose, sources of data, method of collection, and more. There are also specific components to data protection assessments under the CPA, and assessments must involve all relevant internal stakeholders as well as any external experts needed to evaluate the data processing risks. Furthermore, businesses must produce their assessments to the Attorney General within 30 days when requested.  

Note that the above doesn’t represent the whole spectrum of CPA rulemaking. You can find the full list of CPA rules on the Colorado Attorney General’s website. 

Who Is Exempt From the CPA? 

The law includes exemptions for a broad range of purposes. 

"Small businesses definitely are treated differently than larger businesses," said Nahra. "In fact, like the laws in Virginia and California, many small businesses are exempted entirely ... These exemptions are a big part of this law."  

Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), said the bill has some good elements, but there are places it needs improvement, specifically with some of the other exemptions.  

"The list of exemptions is long—exemptions for air carriers, exemptions for employment records, exemptions for information held by higher education or the state, and exemptions for customer data of public utilities (which includes common carriers/telecommunications companies)."  

There are 17 blanket exemptions within the law, noted Amie Stepanovich, executive director of Silicon Flatirons at Colorado University Law School. Those include:  

• If the data was collected for Colorado health insurance law purposes.  
• If the entity collecting the data or the data collected is already covered by certain sectoral laws, including the Children's Online Privacy Protection Act or the Family Educational Rights and Privacy Act.  
• If the data has been de-identified or pseudonymized.  
• If the data is being maintained and used by a consumer reporting agency.  
• If the data is being used for employment records purposes.  
   

Colorado Privacy Act Penalties and Enforcement 

The Colorado Attorney General's Office enforces the CPA, which differs from how the CPRA is enforced. In California, a dedicated privacy protection agency issues guidance on the law and enforces it. California is very much the exception, however; most states only have enforcement via the Attorney General’s office. 

Similarly, there is not a private right of action within the CPA. A private right of action allows consumers to file a lawsuit under certain circumstances, such as a breach of personal information.  

"This has been a sticking point for advocacy groups," said Nahra. "It was one of the major points of contention […] in the national privacy debate in Congress. It will be interesting to see if other states are willing to pass a privacy law without a private right of action, under the notion that some privacy protections are better than no law at all." 

Some see this as a mistake, arguing that companies won't take their obligations seriously if there isn't the looming threat of a lawsuit in cases of noncompliance.  

"Without giving individuals the ability to vindicate their rights, companies will assume there is a low risk of enforcement, and the effort that went into enacting a privacy law will be wasted," Schroeder said.  

Another unique feature of the Colorado data privacy law is its fine structure. Other state laws might fine a business $2,000 or so for each individual violation (which can build up pretty fast, as every instance of nonconsensual data processing counts as an offense). The CPA, however, levies a whopping $20,000 per offense! 

Fortunately, there’s a silver lining. The reason why the CPA has such a harsh penalty is because each CPA violation is treated as a deceptive trade practice under another Colorado law: the Colorado Consumer Protection Act.  

Although the Colorado privacy law penalizes deceptive trade practices at $20,000 per offense, it caps penalties at $500,000. So, relatively minor offenses of the Colorado data privacy law will hurt more than they would in other states, but businesses aren’t likely to rack up the multi-million-dollar fines possible in jurisdictions like California or the EU. 

What Should My Company Do First? 

Nahra said companies that already are complying with California or Virginia have a head start.  

"If you believe that you are subject to the Colorado law, the first step overall is data mapping," he said. "Understanding what data you collect, where it comes from and who it belongs to will help companies understand their relevant legal obligations, not only under the Colorado Privacy Act, but also under the California Privacy Rights Act and Virginia's Consumer Data Protection Act." 

In the end, Schroeder agreed with Stepanovich that the bill does some good, but more is needed.  

"While there are some important provisions in the bill that will provide privacy protections, the Colorado law is far from what states need to be doing in order to change the business practices that are eroding individual privacy and harming our communities," she said.