The Colorado Privacy Act

The Colorado Privacy Act (the “CPA”) was signed into law on July 8, 2021 by Governor Jared Polis, only 6 months after Virginia enacted its data privacy law, the Virginia Consumer Data Privacy Act (“VCDPA”). You can learn more about the VCDPA in our previous blog post. The CPA not only creates new rights for consumers and obligations for businesses, but also authorizes the Colorado Attorney General to promulgate additional rules and regulations to govern opinion letters and interpretive guidance to develop an operational framework for CPA compliance.

Effective July 1, 2023, businesses that control or process data must comply with the CPA if they: (a) conduct business in Colorado or (b) produce products or services that are targeted to residents of Colorado, and they:

  1. Control or process personal data of at least 100,000 consumers, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers

The CPA grants six rights to consumers—the same rights granted under the VCDPA:

  1. Right to confirm whether a controller is processing a consumer’s personal data
  2. Right to access the personal data processed by a controller
  3. Right to correct inaccuracies in the consumer’s personal data
  4. Right to delete personal data provided by or obtained by a controller
  5. Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and
  6. Right to opt out of processing of personal data for:
    1. Targeted advertising
    2. Sale of personal data; and
    3. Profiling

A consumer may exercise the first rights above through a consumer request process that is identical to that of the VCDPA, including the ability to appeal a consumer request denial.

Like the VCDPA, the CPA grants consumers the right to opt out of processing for targeted advertising, the sale of personal data, and profiling. Unlike the VCDPA, the CPA requires businesses to establish a process to allow a person or technological mechanism (such as a browser setting, extension, or global device setting) acting on behalf of a consumer to exercise the right to opt out. Additionally, the Colorado Attorney General will promulgate rules to detail technical specifications for a universal opt-out mechanism that must be adopted by businesses prior to July 1, 2024.

Also similar to the VCDPA, the CPA requires businesses to obtain consumer consent prior to collecting and/or processing “sensitive data.” Sensitive data, a subset of personal data, includes multiple categories of information, such as children’s data, genetic or biometric data, and precise geolocation. Sensitive data also includes data of a more intimate nature, such as racial or ethnic origin, sexual orientation, health condition or diagnosis, and immigration or citizenship status. The CPA specifies that consent is not granted by consumers through acceptance of a broad terms of use document or by hovering over or closing out of a given piece of content. In this regard, the CPA requires affirmative consent from consumers to collect sensitive data.

The CPA establishes seven additional duties for controllers of personal data, many of which are similar to the seven underlying principles of Europe’s General Data Protection Regulation (“GDPR”):

  • Duty of transparency (a reasonably accessible, clear, meaningful privacy policy)
  • Duty of purpose specification (express purpose for collecting data)
  • Duty of data minimization (collection must be adequate, relevant, and reasonably limited)
  • Duty to avoid secondary use (purposes of collection must be reasonably necessary to accomplish the specified purpose)
  • Duty of care (take reasonable measures to secure personal data)
  • Duty to avoid unlawful discrimination
  • Duty regarding sensitive data

As with the VCDPA, the CPA also requires a data protection assessment in certain circumstances and a binding contract between a controller and processor to govern any data processing.

The CPA does not have a private right of action. After a business receives notice of a potential violation, the business has a 60-day cure period to resolve such violation. If the business continues to violate the CPA following the cure period, the Attorney General may initiate an action against the business to seek an injunction and/or civil penalties.

Notably, the notice and opportunity to cure provision of the CPA will be repealed on January 1, 2025. As such, businesses must ensure their practices align with the requirements under the CPA as soon as possible. While many guiding regulations from the Colorado Attorney General are still to come, it is vital that businesses begin to prepare to comply with state data privacy laws to avoid the costs of investigation, possible injunction, and/or civil penalties.

Should you have any questions or need assistance, please contact us.

Nicole E. Cloyd

Mark E. Musekamp

Nicole is admitted to practice law in Kentucky; Nicole is approved under Ohio Gov. Bar R. I § 19 to practice in Ohio while her application for admission is pending.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.

