The Colorado Privacy Act (CPA) was officially enacted in the state of Colorado on July 8, 2021, following the signing of the bill by Governor Jared Polis. With this new law, Colorado became the third state in the United States to enact comprehensive privacy legislation, following California in 2018 and Virginia earlier in 2021. The CPA will take full effect beginning on July 1, 2023. In this article, we will take a closer look at the scope, exemptions, and consumer rights provided by the Colorado Privacy Act.

Birds-Eye View of the Colorado Privacy Act

The CPA applies to any controller that conducts business in Colorado, produces or delivers commercial products or services that are intentionally targeted to Colorado residents, and controls or processes the personal data of at least 100,000 consumers or more during a calendar year, or if they derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. The CPA is broader in some ways and narrower in others compared to California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA). Unlike the CCPA, the CPA does not have any revenue thresholds, meaning a business can’t become subject to the law simply due to its annual revenue. However, it extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data, even if the company derives less than 50% of its gross annual revenue from selling data.

The CPA defines a consumer as “a Colorado resident acting only in an individual or household context.” The definition of “sale of personal information” is “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” The definition of “sale” explicitly excludes certain types of disclosures, such as disclosures to a processor, disclosures of personal data to third parties for the purpose of providing a requested product or service, and disclosures of personal data to affiliates.

Exemptions to the Colorado Privacy Act

The CPA sets forth categories of exempt data, which can be broken down into entity-level exemptions and data-level exemptions. The primary entity-level exemption under the CPA is for entities regulated by the Gramm-Leach-Bliley Act. However, there is no entity-level exemption for HIPAA-regulated entities. The law sets forth specific exemptions for health care controllers, but does not fully exempt them from the law in the same way the CDPA does. Other notable exemptions include deidentified information and information specifically regulated by other laws and therefore exempt from CPA obligations.

Consumer Rights Under the CPA

The CPA provides five main rights for consumers:

• Right of access: Consumers have the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.
• Right to correction: Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing.
• Right to delete: Consumers have the right to delete their personal data.
• Right to opt-out: Consumers have the right to opt-out of the sale of their personal data. An additional requirement for a universal opt-out mechanism will take effect on July 1, 2024.
• Right to non-discrimination: Consumers have the right to equal treatment by a controller, even if they exercise their privacy rights.

Planning for CPA Compliance

The Colorado Privacy Act is a comprehensive piece of legislation that provides a framework for the protection of consumer privacy in the state of Colorado. It sets forth the scope of the law, exemptions, and consumer rights, offering a level of protection for Colorado residents similar to the CCPA and CDPA. Businesses operating in Colorado or targeting Colorado residents should be aware of the requirements of the CPA and ensure that they are in compliance with the law.

To ensure your ongoing compliance with the CPA and other active privacy laws, please don’t hesitate to contact us.