Colorado Privacy Act (CPA)

What is the Colorado Privacy Act (CPA)?

Colorado is the third U.S. state to adopt comprehensive consumer privacy legislation, after California and Virginia. The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-190, on June 8, 2021, and Governor Jared Polis signed it into law on July 7, 2021. The CPA takes effect on July 1, 2023. CPA compliance means that a business operating in Colorado, or targeting Colorado residents, meets the obligations the Act imposes on Controllers.

Who must comply with Colorado Privacy Act?

Colorado's CPA applies to Controllers that:

  • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado;
    and
  • Satisfy one or both of the following conditions:
    • Control or process the personal data of one hundred thousand (100,000) consumers or more during a calendar year; or
    • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of twenty-five thousand (25,000) consumers or more.

Who enforces Colorado Privacy Act?

Consumers do not have a private right of action under the CPA. The Colorado Attorney General and district attorneys have exclusive authority to enforce the Act. Before an enforcement action is brought, the Attorney General or a district attorney issues a notice of violation, and the business then has 60 days from the date it receives that notice to cure the violation. This right to cure is temporary: the cure provision is repealed effective January 1, 2025.


Key highlights of Colorado's CPA:

Personal Data: Information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
Consumer Rights: The CPA grants consumers rights that largely mirror those provided by the CPRA.
Privacy Assessment: Controllers must undertake a data protection assessment for each processing activity that involves a heightened risk of harm to consumers.
Consent: "Consent" means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.

Know the difference between Virginia's CDPA, CCPA and CPRA?

Download this whitepaper to learn the key differences between Virginia's new privacy law, the Consumer Data Protection Act (CDPA), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It provides an overview of each law's requirements, highlighting their similarities and differences. Although the active state privacy laws share many features, the CDPA's framework and definitions carry their own unique requirements and guidance.

Consumer personal data rights [CPA Section 6-1-1306(1)]

  1. Right to opt-out: A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:
    • Targeted advertising;
    • The sale of personal data; or
    • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  2. Right of access: A consumer has the right to confirm whether a Controller is processing personal data concerning the consumer and to access that data.
  3. Right to correction: A consumer has the right to correct inaccuracies in the consumer's personal data.
  4. Right to deletion: A consumer has the right to delete personal data concerning the consumer.
  5. Right to data portability: When exercising the right of access, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format. A consumer may exercise this right no more than twice in a calendar year.

Controllers must respond to an authenticated consumer request without undue delay and in any event within 45 days of receipt. That period may be extended by 45 additional days where reasonably necessary, taking into account the complexity and number of requests, provided the Controller informs the consumer of the extension and the reason for it within the initial 45-day period.

Duties of Controller [CPA Section 6-1-1308]

  1. Duty of transparency: A Controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all required information and disclosures.
  2. Duty of purpose specification: A Controller must specify the express purposes for which personal data is collected and processed.
  3. Duty of data minimization: A Controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.
  4. Duty to avoid secondary use: A Controller may process personal data only for purposes that are reasonably necessary for, or compatible with, the specified purposes, unless it obtains the consumer's consent for further processing.
  5. Duty of care: A Controller must take reasonable measures to secure personal data, during both storage and use, from unauthorized acquisition. The security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
  6. Duty to avoid unlawful discrimination: A Controller must not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
  7. Duty regarding sensitive data: A Controller must obtain the consumer's consent before processing sensitive data, or, for personal data concerning a known child, the consent of the child's parent or lawful guardian.

Data Protection Assessments [CPA Section 6-1-1309]

Controllers must undertake a data protection assessment for each processing activity involving a heightened risk of harm to consumers, including:

  1. Targeted advertising, or profiling, where the profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers.
  2. Selling personal data.
  3. Processing sensitive data.

The assessment must identify and weigh the benefits of the processing against the potential risks to the rights of the consumer, as mitigated by the safeguards the Controller has put in place. Controllers must make these data protection assessments available to the Colorado Attorney General upon request.

How Mandatly helps you achieve Colorado Privacy Act compliance

Mandatly's CPA compliance solution goes beyond automation: it includes privacy risk management features that help you make informed business decisions and reduce privacy risk.

Consumer Rights: End-to-end DSAR fulfillment with automated identity verification and data discovery, so consumer requests are fulfilled on time, securely, and efficiently.
Data Inventory and Mapping: Maintain an inventory of your data sources and map data flows to support consumer requests and data protection assessments under the CPA.
Privacy Assessments: PIA/DPIA tooling with built-in intelligence to uncover and assess the privacy risks your business is exposed to.
Privacy Notices: Generate privacy notices for your website or applications to keep customers informed about how their personal data is collected, processed, and shared.
Do Not Sell My Information: Lets consumers opt out of both cookie-based and non-cookie-based sale of personal data.
Analytics: Built-in reporting gives stakeholders a holistic view of the compliance program.
