Colorado Privacy Act (CPA)

Overview

The Colorado Privacy Act (CPA) is a state-level data privacy regulation that empowers Colorado residents to control their personal data. Enacted in 2021, it provides consumers with rights such as access, correction, deletion, and opt-out options related to their data. The CPA also requires businesses to handle personal data responsibly, ensuring transparency and accountability in how they process personal information.

The CPA Final Rules, which provide further details on compliance requirements, were finalized and came into effect on July 1, 2024.

Regulation Summary

Timeline
  • March 2, 2021: CPA introduced in the Senate.
  • July 7, 2021: Signed into law.
  • July 1, 2023: CPA became enforceable.

What Businesses Are Affected
  • Businesses conducting operations in Colorado or targeting Colorado residents.
  • Businesses that either:
    • Process data of 100,000+ consumers annually.
    • Derive revenue from selling personal data of 25,000+ consumers.

Exemptions
  • Health-related data covered by HIPAA.
  • Data governed by federal regulations (e.g., Fair Credit Reporting Act, GLBA, COPPA).
  • Data used for personal, household, or employee purposes.

Responsibilities for Businesses
  • Data Minimization: Only collect data necessary for the stated purpose.
  • Transparency: Provide privacy notices detailing data collection practices.
  • Purpose Limitation: Avoid using data for secondary purposes unless the consumer has consented.
  • Security: Implement safeguards appropriate to the data’s nature.
  • Non-discrimination: Do not deny services or provide inferior service because a consumer has exercised their privacy rights.

Specific Responsibilities for Website Owners
  • Opt-Out Mechanism: Provide a user-friendly way for consumers to opt out of targeted advertising, data sales, and profiling.
  • Privacy Notices: Display clear and accessible privacy disclosures.
  • Universal Opt-Out: From July 1, 2024, honor user-selected universal opt-out mechanisms.

Additional Requirements
  • Data Protection Assessments: Required for activities that pose heightened risks (e.g., targeted advertising, sensitive data processing).
  • Sensitive Data: Obtain consent before processing sensitive data (e.g., health information, racial/ethnic origin).

Data Subject Rights
  • Access: Confirm whether personal data is being processed and obtain a copy of it.
  • Correction: Request corrections to inaccurate data.
  • Deletion: Request data deletion.
  • Portability: Receive personal data in a machine-readable format.
  • Opt-Out: Refuse data processing for targeted advertising, data sales, or profiling.

Enforcement
  • Enforced by the Colorado Attorney General and District Attorneys.
  • No private right of action (individual lawsuits).
  • Fines: Up to $20,000 per violation, depending on severity.

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596