Learn how Colorado is protecting its residents’ personal data — and what this means for your business.
Consumers and organizations alike are increasingly concerned with how personal data is collected and used. Although federal lawmakers have proposed draft privacy legislation like the American Data Privacy and Protection Act, the United States still lacks a comprehensive data privacy act.
Some federal laws, like the Gramm-Leach-Bliley Act for financial services and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, do afford consumers some measure of data privacy. But these regulations are insufficient to cover the vast amount of personal data being processed in our modern data landscape. As a result, more and more individual states have started writing and enacting their own privacy laws to cover the data privacy of their residents.
One of the latest additions to the regulatory landscape is the recent Colorado Privacy Act. In this comprehensive guide, we’ll delve into what the CPA entails, including its key requirements, timeline, and implications for businesses operating in Colorado.
What are the key elements of the Colorado Privacy Act?
Signed into law in September 2021 and enforced beginning in July 2023, the Colorado Privacy Act (CPA) is a state data privacy law aimed at protecting the personal data of Colorado residents. It is the third such data privacy law in the United States, and it shares some similarities with its two precursors, the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act. Here, we’ll explore the CPA’s key elements and requirements.
Colorado consumer rights and personal data
The Colorado Privacy Act gives Colorado consumers certain rights regarding the processing of their personal data, including:
- The right to opt out of the use of their personal data for sale, targeted advertising, and certain types of profiling.
- The right to know whether a controller is collecting personal data.
- The right to access personal data.
- The right to request correction or deletion of personal data.
- The right to download and remove personal data from a platform in a format that allows it to be transferred to another platform.
Similar to the EU’s General Data Protection Regulation (GDPR), the CPA focuses only on personal data, which in Colorado’s case is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.”
Personal data spans many categories, but it commonly includes information like bank account numbers, email addresses, health-related or biometric details, and citizenship status. It does not include de-identified data (i.e., anonymized information) or publicly available information like census data or state court records.
New obligations for organizations
To guarantee these Colorado consumer rights, the law imposes new obligations on organizations, including the requirement to be forthright with Coloradans about the collection and use of their data. Under the law, data controllers must:
- Be transparent about how they collect, store, use, share, and sell personal data. This includes avoiding secondary uses of personal data, clearly identifying the purpose for data processing, and not processing personal data without the individual’s clear and informed consent.
- Abide by data minimization principles, limiting the amount of data they collect and store to what is strictly necessary.
- Use reasonable security practices to secure personal data.
- Respond to consumer requests to access, alter, or delete personal data.
- Conduct data protection assessments before selling personal data, processing sensitive data, or processing personal data that could result in unfair treatment, financial or physical injury, or a violation of an individual’s privacy.
For now, organizations bound by the CPA may choose whether to implement a universal opt-out mechanism. This user-selected opt-out mechanism will become mandatory beginning on July 1, 2024, and must allow consumers to “freely and unambiguously choose to opt out of personal data processing.”
Everything else you need to know about the Colorado Privacy Act
Who must comply with the Colorado Privacy Act?
The CPA does not apply to all organizations. Rather, it sets specific thresholds based on the amount of data processing that a business conducts, as well as how much revenue is generated specifically from data processing.
Unlike the California Consumer Privacy Act, which bases some of its criteria on an organization’s annual gross revenue, the Colorado Privacy Act does not have a gross revenue threshold. Instead, the CPA applies to data controllers that either a) process the personal data of 100,000+ Colorado consumers each calendar year or b) derive revenue from the sale of personal data and process the personal data of 25,000+ Colorado consumers each calendar year.
Any data controllers that conduct business in Colorado or produce commercial products or services for Colorado residents will be bound by the law — meaning that out-of-state businesses may fall under the CPA’s jurisdiction. Colorado defines a data controller as any entity that determines the purpose for and means of collecting and processing personal data. This distinguishes controllers from data processors, which simply conduct processing activities on behalf of a controller.
Who is exempt from the Colorado Privacy Act?
The CPA excludes certain entities and types of personal data, most often in cases where industry-based data privacy regulations already exist. For example, the CPA lists the following exceptions and exemptions:
- Financial institutions and affiliates governed by the Gramm-Leach-Bliley Act.
- Air carriers subject to Federal Aviation Administration regulation.
- National securities associations registered under the Securities Exchange Act.
- Certain types of personal data bound by specific federal privacy laws like the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, and HIPAA.
It’s important to note that smaller businesses may be exempt from certain provisions of the law, and that an individual’s data is not considered personal data when it is processed within an employment context or for job applicants.
What’s the timeline for the Colorado Privacy Act?
Like most data privacy legislation, the CPA has been several years in the making. It was first signed into law in July 2021. During 2022, the Colorado Attorney General’s office engaged with Colorado consumers, businesses, and other stakeholders and solicited comments on its website, in writing, and at scheduled events. The Attorney General published the revised draft rules in December 2022, and the final rules were not filed with the Secretary of State until March 2023.
Enforcement of the CPA officially began in July 2023. As part of that enforcement effort, the Colorado Attorney General began mailing letters to businesses to educate them about the law and their new legal obligations.
How will the Colorado Privacy Act be enforced?
The law will be enforced by the Colorado Attorney General’s Office and District Attorneys. According to the CPA’s official website, private citizens may not file lawsuits or sue organizations under the CPA (i.e., there is no private right of action). However, companies that violate the CPA and are prosecuted by the state of Colorado face civil penalties of up to $20,000 per violation with a total maximum penalty of $500,000.
Until January 2025, the AG’s office will send courtesy letters giving violators of the CPA 60 days to cure the violation before penalties are incurred, unless no fix is possible. After that, the 60-day grace period will no longer be provided.
How does the Colorado Privacy Act compare to other state-level consumer data privacy laws?
The CPA bears a resemblance to the CCPA (and its related law, the California Privacy Rights Act, or CPRA) and the Virginia Consumer Data Protection Act (VCDPA) in its emphasis on protecting consumer data privacy. But it also has several unique qualities.
Opt-out mechanisms. The distinction between California’s and Colorado’s approaches to processing sensitive data is subtle but important. The CCPA requires organizations to let consumers opt out of having their sensitive personal information processed, while the Colorado legislation requires organizations to obtain consumers’ consent before processing their sensitive data. Colorado, in other words, places the onus on businesses rather than individuals to ensure that personal data privacy is being protected.
Private right of action. Like the VCDPA, Colorado’s law does not provide a private right of action and can only be enforced by state officials like the Attorney General’s office. This is in contrast to California’s law, which allows individuals to file civil suits under the CCPA. Some critics note that this makes the CPA a relatively weaker consumer law.
Exemptions for nonprofits. Unlike Virginia’s privacy law, the CPA does not offer exemptions to nonprofits that process personal data.
Data protection assessments. While both the VCDPA and the CCPA require data protection assessments (DPAs), neither law specifies the content of those DPAs in as much detail as the CPA. Colorado is unique in requiring the data protection assessment to be “a genuine, thoughtful analysis” that considers the heightened risk of harm not only to the individual consumer but also to the general public. It is unique in placing the burden of proof on organizations to demonstrate that the benefits of their data processing activities outweigh the risks to all relevant stakeholders.
Strengthening data protection under the CPA
Compliance with the Colorado Privacy Act is an ongoing process, and efforts have only just begun. As such, organizations should be sure to stay informed about updates to the CPA and adjust their data protection strategies accordingly. They should also consult legal and compliance experts to ensure that they’re covered under the new law.
If your company is just getting started with CPA compliance, here are a few suggestions to help:
Conduct thorough data protection assessments
The Colorado Privacy Act requires that DPAs be conducted in several circumstances:
- Before the sale of personal data.
- Before the processing of sensitive data.
- Before the processing of personal data that could result in unfair treatment, financial or physical injury, heightened risk of harm, unlawful discrimination, or the violation of an individual’s privacy.
For most companies, the data protection assessment process will include inventorying their current data processing practices, determining their data security risks, conducting regular audits, and documenting their CPA compliance measures. Some businesses may find that enlisting the help of legal experts helps them interpret their obligations and ensure compliance.
To comply with the CPA, businesses should create a process for consumers to submit requests regarding the use of their personal data, and they should communicate this process clearly. They must provide a clear and meaningful privacy notice informing consumers of their right to opt out of the sale of their personal data and its use for targeted advertising.
Companies will also need to update their existing privacy policies to explain how and why they collect and use personal data, and they will have to obtain people’s informed consent before they collect sensitive data.
Don’t forget third parties
If your organization contracts with third-party vendors to perform the processing of personal data, it’s important to ensure that those third-party processors are also maintaining compliance with the CPA. Specifically, they will need to demonstrate that they’re using appropriate technical and organizational safeguards to protect consumer data under the CPA. They will also need to enter into a contract that specifies controller-to-processor instructions, provisions on data retention, confidentiality agreements, and more.
Achieve compliance in Colorado and beyond with ShardSecure
We know that data privacy is challenging enough without having to juggle multiple regulatory regimes. The shifting compliance landscape, combined with the lack of a comprehensive federal law for data privacy in the United States, makes it difficult for organizations to understand their legal obligations, let alone uphold them.
The ShardSecure platform offers a solution to strengthen your cybersecurity posture and ensure advanced data privacy. Our innovative approach to file-level encryption safeguards data against third-party access, keeping sensitive data secure regardless of where it’s stored.
Interested in learning more? Take a look at our press release to see why we were recently named a 2023 Gartner® Cool Vendor in Privacy — or peruse our white paper on GDPR/Schrems II compliance to learn why our technology has been validated by independent privacy attorneys to meet the EDPB’s recommendations for GDPR compliance.
GARTNER is a registered trademark and service mark of Gartner and Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.