Colorado Becomes Third State to Enact Comprehensive Privacy Legislation

Colorado joins California and Virginia in enacting a comprehensive state privacy law, furthering a trend we expect to continue—and that may be capped by actions of the U.S. Congress. The Colorado Privacy Act (“CPA”) was signed into law on July 8, 2021 and will be effective on July 1, 2023. The CPA for the most part adopts a middle ground between the more stringent California Consumer Privacy Act (“CCPA”) and the more business friendly Virginia Consumer Data Protection Act (“CDPA”).
Entities Covered by the CPA
The CPA applies to any entity that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and that satisfies one or both of the following thresholds:
  1. During a calendar year, controls or processes personal data of 100,000 or more Colorado residents; or
  2. Derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents.[i]
Similar to other privacy laws, an entity that is covered by the CPA is referred to as a “controller.” The scope of the CPA is notable for a few reasons. First, the CPA does not have any revenue thresholds, meaning the comprehensive CPA requirements may apply to small businesses that collect or profit from large amounts of personal data. Second, unlike the California and Virginia laws, the CPA does not exempt non-profit organizations.
Types of Information Covered by the CPA
As it relates to consumers, personal data is defined under the CPA as “information that is linked or reasonably linkable to an identified or identifiable individual.”[ii] Personal Data does not include de-identified or publicly available data.[iii] A “consumer” is defined in the CPA as an individual who is a Colorado resident acting only in an individual or household context.[iv] A consumer does not include an individual acting in a commercial or employment context, meaning employment data is not covered by the CPA.[v]
However, the CPA does have a number of exemptions for certain types of data and information. Notable exemptions under the CPA include the following:
  • Information or data that is maintained by the state or other governmental entities, or by state institutions of higher education[vi];
  • Financial institutions that are subject to the Gramm-Leach-Bliley Act (“GLBA”)[vii];
  • Personal data that is regulated by the Family Educational Rights and Privacy Act (“FERPA”)[viii];
  • Personal data that is regulated by the Fair Credit Reporting Act (“FCRA”)[ix];
  • Information created for the purposes of complying with the Health Insurance Portability and Accountability Act (“HIPAA”)[x]; and
  • Personal data that is regulated by the Children’s Online Privacy Protection Act (“COPPA”) if that personal data is collected, processed, and maintained in compliance with COPPA.[xi]
Consumer Rights under the CPA
The CPA establishes a number of rights for consumers; these rights are broadly similar to the consumer rights within the CCPA and CDPA.
The CPA rights include:
  • Right to opt out of the sale of their personal information and of its processing for targeted advertising purposes
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability[xii]
Controller Obligations under the CPA
Obligations and requirements for controllers under the CPA include:
  • Duty of transparency[xiii]
    • Includes specifications for a privacy notice to consumers
  • Duty of purpose specification[xiv]
  • Duty of data minimization[xv]
  • Duty to avoid secondary use[xvi]
  • Duty of care[xvii]
    • Requires controllers to take reasonable measures to secure personal data, during both storage and use, from unauthorized acquisition
    • The measures should be appropriate to the volume, scope, and nature of the personal data being processed, as well as to the nature of the business
  • Duty to avoid unlawful discrimination[xviii]
  • Duty regarding sensitive data[xix]
A controller will also be required to conduct and document a data protection assessment before undertaking processing activities that “presen[t] a heightened risk of harm to a consumer.”[xx] The CPA provides three examples of “processing that presents a heightened risk of harm to a consumer,” which include the following:
  1. Processing personal data for the purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers
  2. Selling personal data; and
  3. Processing sensitive data[xxi]
Similar to the CCPA, CDPA, and the EU General Data Protection Regulation (“GDPR”), the CPA requires that when a controller intends to have a third party process personal data, there must be an agreement in place governing the processing of that personal data, and the CPA delineates the required provisions that the agreement must include.[xxii]
The CPA does not provide a private right of action for consumers and leaves enforcement to the Colorado attorney general as well as district attorneys. Implementing regulations for the CPA have not been released yet—the CPA requires the Colorado attorney general to issue them by July 1, 2023. We expect the implementing regulations to provide additional clarity on the CPA.
Please contact Guillermo Christensen, Reena Bajowala, or Rachel Spiker for more information. Guillermo is the office managing partner of Ice Miller’s Washington DC office and practices within the Data Security and Privacy and White Collar Defense Groups. Reena is a partner in Ice Miller’s Chicago office and practices within the Data Security and Privacy and Information and Software Disputes practices. Rachel is an associate in the Data Security and Privacy Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[i] Bill 6-1-1304(1)
[ii] Bill 6-1-1303(17)
[iii] Id.
[iv] Bill 6-1-1303(6)
[v] Id.
[vi] Bill 6-1-1304(2)(o)
[vii] Bill 6-1-1304(2)(q)
[viii] Bill 6-1-1304(2)(j)(V)
[ix] Bill 6-1-1304(2)(i)(C)(II)
[x] Bill 6-1-1304(2)(e)
[xi] Bill 6-1-1304(2)(j)(IV)
[xii] Bill 6-1-1306(1)
[xiii] Bill 6-1-1308(1)
[xiv] Bill 6-1-1308(2)
[xv] Bill 6-1-1308(3)
[xvi] Bill 6-1-1308(4)
[xvii] Bill 6-1-1308(5)
[xviii] Bill 6-1-1308(6)
[xix] Bill 6-1-1308(7)
[xx] Bill 6-1-1309
[xxi] Id.
[xxii] Bill 6-1-1305