Doing business in certain countries and states may subject you to enhanced privacy laws. When you do business in Colorado, you may need to comply with the state’s unique data privacy laws, which are more expansive than those in most other states. The key piece of Colorado privacy law, the Colorado Privacy Act (CPA), allows consumers more control over their sensitive data and other private information.

Does the CPA apply to your business? If you collect, store, and process consumer data from Colorado residents and meet the threshold requirements outlined in the next section, you need to enact a compliant privacy policy. Read on to learn how the CPA will affect your company’s data collection practices.

What is the Colorado Privacy Act?

The Colorado Privacy Act was signed into law on July 7, 2021. The Act is designed to give Colorado consumers control over who has access to their private data.

The CPA applies to companies that target products and services to Colorado residents and that:

  1. Control or process the personal data of 100,000 or more consumers during a calendar year; or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers.

For the purposes of the CPA, “consumer” means a Colorado resident acting in an individual or household context. Unlike in California, there is no revenue threshold under the CPA; if your company meets either of the two qualifications above, you must have a compliant privacy policy in place.

Unlike in California and Virginia, non-profit organizations are not exempt from the CPA’s expansion of Colorado privacy law. There are certain exceptions, such as for financial institutions subject to the Gramm-Leach-Bliley Act, data that is subject to FERPA, higher education institutions (so long as the data is used for a non-commercial purpose), and some healthcare data. It’s important to read the law’s exemptions to see if your business qualifies for one.

What does the Colorado Privacy Act protect?

The CPA protects Colorado residents by giving them the right to:

  • Opt out of targeted advertising
  • Opt out of the sale of their personal data and certain profiling methods
  • Access, correct and delete personal data
  • Have their data ported
  • Appeal if a company denies their privacy request

Under the law, data controllers (companies that collect, store and process data) have 45 days to respond to consumer data requests. This allows Colorado consumers to limit the use and sale of their personal data. Keep in mind that the CPA isn’t just about collecting and processing data—it also covers the data you’ve already collected and are storing. Companies should perform a data audit and analysis to ensure their current data storage is or will be compliant with the law.

Certain exceptions to the law may apply to your company. For instance, disclosure to a third-party data processor does not meet the definition of a “sale” under the Act, but you do need to ensure that your vendor agreements with your data processors comply with the requirements of the CPA. Similarly, controllers can disclose consumer personal data to third parties at a consumer’s request.

When will the CPA become effective?

Although the CPA was signed into law in July 2021, it will not go into effect until July 1, 2023. Businesses that target Colorado residents still have several months to create a compliant privacy policy.

How to comply with the Colorado Privacy Act (CPA)

To comply with the Colorado privacy law, data controllers must provide a “reasonably accessible, clear and meaningful” privacy notice which:

  • Identifies the categories of personal data being collected or processed
  • Describes why the data is being collected and processed
  • Notifies consumers of their rights
  • Describes how consumers can exercise their privacy rights
  • Discloses key information about selling and sharing personal data

Companies must also restrict their data collection to that which is “adequate, relevant and limited to what is reasonably necessary” (data minimization). They are forbidden from using data for secondary uses not clearly identified in their privacy notice, and they must properly secure the personal data.

Your business type and scale will determine whether the CPA applies to your company, and whether you qualify for any exemptions. Even if your company is currently too small to qualify under the CPA, it’s often worth creating a compliance policy now—when your company scales up, you won’t be caught unaware.

Data privacy compliance can be confusing, especially when you’re doing business on a global scale. Researching and creating compliant privacy policies for different territories is time-consuming and expensive. Fortunately, SixFifty has solutions. Our proprietary software combines legal expertise with the power of AI to deliver compliant data privacy documents with just a few clicks. Rest assured that your company is compliant with Colorado privacy law—reach out to schedule a free demo today!