
On August 3, 2023, the state of Colorado took a significant step in safeguarding consumer data privacy by enacting the Colorado Privacy Act (CPA/ColoPA). This legislation places Colorado in the company of states like California, Virginia, Florida, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana, which have all implemented robust data privacy laws. The Colorado Privacy Act is set to become effective on January 1, 2025, and it shares several key features with the “Virginia model,” while also introducing some unique provisions.


Understanding the Colorado Privacy Act (CPA/ColoPA)

The Colorado Privacy Act (CPA/ColoPA) is designed to empower consumers and provide them with greater control over their personal data. Understanding the core aspects of the CPA is crucial for businesses looking to ensure compliance:

  1. Consumer Rights Under CPA:
      • The Right to Access and Control Personal Data: Consumers have the right to access their personal data held by businesses and request corrections or deletions.
      • Transparency in Data Processing: Businesses must inform consumers about how their data is collected and processed, and the purposes for which it is used.
      • Opt-Out from Targeted Advertising: Consumers can opt out of having their data used for targeted advertising.
      • Data Portability: Consumers have the right to obtain their data in a portable and readily usable format.
      • Non-Discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights.
      • Protection of Minors: Special protections are in place for the personal data of minors.
  2. Defining Personal Data
      • In the context of the Colorado Privacy Act, personal data includes information that can identify individuals, such as names, social security numbers, driver’s license details, financial account information, email addresses, and more.

Is CPA/ColoPA Applicable to Your Business?

Determining whether your business falls under the jurisdiction of the CPA is essential:

  1. Geographic Scope:
      • Operate in Colorado: If your business conducts activities within Colorado or offers products or services to Colorado residents, it is subject to the CPA.
  2. Data Processing Activities:
      • Process Personal Data: The CPA applies to businesses that process or control the personal data of consumers. This includes collecting, storing, and managing consumer data.

Exemptions from CPA/ColoPA

While the CPA has a broad reach, some entities are exempt from its provisions, including:

  1. State Agencies and Political Subdivisions: State agencies or political subdivisions within Colorado are exempt. However, this exemption doesn’t extend to private businesses that provide services to these agencies.
  2. Financial Institutions: Entities subject to Title V of the Gramm-Leach-Bliley Act are exempt. If your business falls under this federal financial privacy law, you may not be subject to the CPA.
  3. Healthcare Entities: Businesses regulated by the U.S. Department of Health and Human Services under HIPAA and HITECH are exempt. If your organization handles protected health information (PHI) and complies with HIPAA, the CPA’s regulations may not apply.
  4. Nonprofit Organizations and Educational Institutions: Nonprofits and postsecondary educational institutions are also exempt.

Data processing activities are exempted under specific conditions, including data subject to existing regulations like HIPAA, GLBA, and FERPA, among others.

Ensuring Compliance

To ensure your business is compliant with the Colorado Privacy Act, follow these steps:

  1. Determine Applicability: Assess whether your business falls under the jurisdiction of the CPA by considering its geographical operations and data processing activities.
  2. Privacy Policy: Create a comprehensive and accessible privacy policy that covers all required elements. Clearly communicate how personal data is collected and processed, and the purposes for which it is used.
  3. Data Rights: Develop a system that allows consumers to exercise their data rights, including access, deletion, and data portability. Ensure that your staff is trained to respond promptly to these requests.
  4. Transparency: Clearly inform consumers about the sale of their personal data and provide opt-out options, as required by the CPA.
  5. Security Measures: Implement appropriate security measures to protect personal data. Regularly assess and enhance your data security protocols to minimize the risk of data breaches.

Looking Ahead

The Colorado Privacy Act is set to take effect on January 1, 2025. To prepare for compliance and ensure that your business is well-prepared for the CPA, consider the following:

  1. Privacy Gap Assessment: Conduct a thorough assessment of your online services and websites to ensure they are in compliance with CPA regulations. Pay special attention to services accessed by minors.
  2. Data Retention: Establish a structured data retention schedule. Ensure that you only retain data for as long as necessary and have clear procedures for data deletion.
  3. Reporting Mechanisms: Develop mechanisms for reporting data breaches. Prompt reporting is essential for maintaining compliance with data breach notification requirements.
  4. Privacy Policies: Create detailed privacy policies, notices, and data protection impact assessments. These documents should provide clear guidance on how personal data is handled.
  5. Personnel Training: Train employees to respond to data subject requests effectively. Your staff should be knowledgeable about the CPA and understand the steps required for compliance.
  6. Appeals Process: Institute a clear appeals process for dispute resolution, allowing consumers to challenge your decisions regarding their data.

How Can GetTerms Assist You

If your business falls under the Colorado Privacy Act (CPA/ColoPA), it is essential to start your compliance preparations well in advance of January 1, 2025, when the law comes into effect.

GetTerms offers many features to help you efficiently address numerous items on your checklist, including tailoring your legal policy documentation and generating cookie consent banners. Please take advantage of GetTerms’ services today to ensure ongoing compliance with the FBDR and other pertinent privacy regulations.

CA/VA/CO Privacy Laws – Chart Comparison & Info. Summary

Each subject below is compared across California (CPRA), Virginia (VCDPA), and Colorado (CPA).

APPLICABILITY
  • California (CPRA): For-profits that do business in CA, meeting one of three thresholds:
      1. Revenues over $25,000,000;
      2. Collect personal information of over 100,000 consumers or households; or
      3. Generate at least half of revenues from sales of personal information.
  • Virginia (VCDPA): Persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that:
      1. Control or process personal data of at least 100,000 consumers per year; or
      2. Control or process personal data of at least 25,000 consumers and derive more than half of gross revenues from the sale of personal data.
  • Colorado (CPA): Controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and:
      1. Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
      2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

PERSONAL DATA
  • California (CPRA): Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, not including publicly available information or deidentified or aggregate consumer information.
  • Virginia (VCDPA): Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person, not including de-identified data or publicly available information.
  • Colorado (CPA): Personal data means information that is linked or reasonably linkable to an identified or identifiable individual, not including publicly available information.

SENSITIVE INFO.
  • California (CPRA): Sensitive personal information means (in summary) personal information that reveals certain information about a consumer. The specific categories of sensitive personal information are listed in the statute and include data types similar to those listed in Virginia and Colorado, and information such as Social Security number, driver’s license, state identification card or passport numbers, account log-in, financial account, debit card or credit card numbers in combination with any required security or access code, password or credentials allowing access to an account, and precise geolocation.
  • Virginia (VCDPA): Sensitive data means a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child.
  • Colorado (CPA): Sensitive data means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship, or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. The definition also includes personal data from a known child.

KEY EXEMPTIONS
  [Note: The Personnel and B2B exemptions in CA are scheduled to sunset January 1, 2023, although many expect they will be extended.]
  • California (CPRA):
      1. Information (not institutions) subject to GLBA or California financial privacy laws
      2. Institutions and information subject to HIPAA
      3. Data regulated by FCRA, DPPA, FERPA, and others
      4. Non-profit organizations
  • Virginia (VCDPA):
      1. Institutions subject to GLBA and its implementing regulations
      2. Institutions and information subject to HIPAA
      3. Personnel data
      4. B2B information
      5. Data regulated by FCRA, DPPA, FERPA, and others
      6. Non-profit organizations
  • Colorado (CPA):
      1. Institutions subject to GLBA and its implementing regulations
      2. Institutions and information subject to HIPAA
      3. Personnel data
      4. B2B information
      5. Data regulated by FCRA, DPPA, FERPA, and others
      6. Data maintained by state institutions of higher learning for non-commercial purposes

CONSUMER RIGHTS (California / Virginia / Colorado)
  • Right of Access: Yes / Yes / Yes
  • Right of Portability: Yes / Yes / Yes
  • Right to Correct: Yes / Yes / Yes
  • Right to Delete: Yes / Yes / Yes
  • Opt-out Right: Yes / Yes / Yes
  • Opt-in Right for processing Sensitive Data: No (Note: May limit use and sharing.) / Yes / Yes
  • Non-Discrimination Right: Yes / Yes / No
  • Private Right of Action: Yes / No / No

BUSINESS/CONTROLLER OBLIGATIONS (California / Virginia / Colorado)
  • Notice to Consumers: Yes (Notice at Collection specifically required) / Yes / Yes
  • Privacy Policy: Yes (California Privacy Policy specifically required) / No (although required disclosures may be incorporated in the privacy policy) / No (although required disclosures may be incorporated in the privacy policy)
  • Contractual Reqs. for Third Party Service Providers/Processors: Yes / Yes / Yes
  • Data Processing Impact: No / Yes / Yes

ENFORCEMENT (California / Virginia / Colorado)
  • Right to Cure: None (Note: the existing right to cure sunsets January 1, 2023) / 30 days / 60 days
  • Enforcer: Dedicated enforcement agency (CPPA), Attorney General, and private litigants / Attorney General / Attorney General and District Attorneys
