The Colorado Privacy Act (CPA): an overview

What does the Colorado Privacy Act do?

The Colorado Privacy Act (CPA): an overview

How well does your business protect the personal information of customers?

The lack of a Federal data privacy law in the US means that businesses have relative freedom around the identifiable information of their consumers. This doesn’t come without risk though, and can leave some customers – especially those of financial institutions – worried about who has access to their sensitive personal data.

Colorado residents may now be breathing a sigh of relief, as the Colorado Privacy Act passed on July 8th 2021. Governor Jared Polis signed the act into law, to be enacted from July 1st 2023.

The state joins California and Virginia as one of the first to safeguard the sensitive data of Colorado consumers. Businesses who qualify will be required to think about their compliance obligations as well as updating processes as part of consumer protection enforcement.

What does the Colorado Privacy Act do?

The purpose of the Colorado Privacy Act is to protect consumers and enforce stricter ethical standards around the collection and treatment of data. Colorado’s law provides clearer information around consumer rights, and ensures that businesses become responsible data custodians.

For example, companies who use consumer data to inform their targeted advertising must disclose the information held to customers who request it.

A violation of the Colorado Privacy Act by either data controllers or processors may be viewed as an infringement of privacy rights and will lead to monetary sanctions. Therefore, it’s important for firms to stay on the right side of the regulator.

Who does the Colorado Privacy Act apply to?

The CPA largely affects companies who conduct business within the state or specifically target customers with Colorado citizenship status. Businesses and financial institutions with a nexus in Colorado, for example, are likely to fall within the brackets.

The other threshold refers to the volume of data processed. Either, companies that are processing the personal data of more than 100,000 consumers, or derive revenue from the sale of more than 25,000 pieces of data. In this context, ‘sale‘ refers to exchange for money or other value.

There is no annual revenue threshold associated with the Colorado Privacy Act.

What is covered by the data protection law?

Colorado’s law gives more power to consumer rights and ensures there are consequences for companies who ignore the privacy legislation.

When requested, companies must be able to provide clear information about processing activities, as well as display transparency around data treatment and protection.

For example, some companies will anonymize their information (known as pseudonymous data) in order to protect the identities of their customers. They must be able to display how this information becomes de-identified data.

Consumer rights

  1. Access: consumer requests to access the information that companies hold on them must be fulfilled.
  2. Correction: customers have the consumer right to edit or change the information held about them if it is wrong.
  3. Deletion: businesses must adhere to consumer requests to delete personal data from company records.
  4. Opt-out: businesses must display a clear choice to opt-out of data collection and processing.

How can businesses comply?

The introduction of the Colorado Privacy Act will be welcomed by businesses that are striving to protect the data security of their customers. But there are some compliance obligations that you may want to consider.

Does your business meet the threshold?

Unlike other privacy legislation, there are no covered entity exemptions such as for healthcare companies.

Have you updated your public privacy policy?

Streamline compliance efforts by completing a data inventory. This might require reviewing vendor contracts and implementing a consent mechanism to collect personal data, for example.

The Colorado Privacy Act also calls for data protection assessments and the implementation of reasonable data security measures. Those who already work within GDPR guidelines should not experience too much of a change.

Finally, you should develop a standard operating procedure for responding to customer requests. Failing to do so risks civil penalties of up to $2,000 per violation. It can also save precious time.

CUBE uses next-generation AI to track, capture and map every relevant regulatory obligation to your business and business areas. So you know what’s changed, what’s in force, and how it applies to your existing policy and control framework, in an instant.

Related resources

Regulatory Risk Management: How will Executive Order 14028 change the cybersecurity landscape?

Regulatory Risk Management: How will Executive Order 14028 change the cybersecurity landscape?

What is Executive Order 14028 and who must comply with the US regulation? And will it affect the cyb...

What is the US’ Community Reinvestment Act?

What is the US’ Community Reinvestment Act?

Are you aware of the latest updates to the Community Reinvestment Act in the US? Learn more about fi...

What regulations are there for the payment services industry?

What regulations are there for the payment services industry?

Discover the regulations shaping payment services, from PSD2 to AMLD6. Stay compliant with CUBE's in...

What is the CISO (Chief Information Security Officer) responsible for?

What is the CISO (Chief Information Security Officer) responsible for?

CISO's face a number of challenges with regulations constantly changing. Learn more about some of th...

View More