Gearing Up for Comprehensive Data Privacy and Security Legislation Across the States | Colorado Privacy Act

On July 8, 2021, Colorado became the third state in the country to pass a comprehensive privacy law, following what seems to be a national trend. The Colorado Privacy Act (CPA) will become effective on July 1, 2023. The CPA follows the enactment of the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA). This edition of our Gearing Up for privacy law compliance series provides important information regarding the CPA’s scope and threshold requirements, necessary steps that can be taken to gear up for compliance, and further information regarding how the law will be enforced.

CPA’s Scope and Threshold Requirements

Much like the GDPR, CCPA, and VCDPA, the CPA includes specific threshold requirements that dictate the applicability of the law to any entity. In addition, the CPA, much like the GDPR, clearly defines and differentiates the obligations and definitions of data controllers and processors.

Controllers are defined as the natural or legal persons that, alone or jointly with others, determine the purpose and means of processing personal data. The CPA specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, secondary uses, unlawful discrimination, and sensitive data. The CPA also requires controllers to conduct a data protection assessment for each of their processing activities that involves targeted advertising, profiling, the sale of personal data, or the processing of sensitive data.

Processors process personal data on behalf of a controller. Under the CPA, a processor can only process personal or sensitive data under the direct authorization or instruction of a controller. The CPA requires controllers and processors to define their respective roles and responsibilities in a contractually binding processing agreement.

With regard to the threshold requirements, the CPA will apply to any controller that conducts business within Colorado or produces or delivers commercial products or services that are specifically and intentionally targeted to Colorado residents. If an entity falls within that definition, the CPA will apply if it also:
  • Controls or processes the personal data of at least 100,000 consumers during one calendar year; or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Unlike the California and Virginia laws, there is no applicable revenue threshold for entities that fall within the CPA’s scope. Because there is no revenue threshold, the CPA is much broader than the CCPA or VCDPA.

However, there are a number of exemptions. For example, the CPA does not apply to financial institutions regulated by the Gramm-Leach-Bliley Act, air carriers subject to Federal Aviation Administration regulation, national securities associations registered under the Securities Exchange Act, or entities regulated by HIPAA or the Fair Credit Reporting Act.

CPA Consumer Rights

Following the CCPA, VCDPA, and GDPR, the CPA protects consumers by providing the following rights:
  • The right of access to certain personal data and to obtain the data in a portable, readily usable format;
  • The right to opt-out of the use or selling of personal data for targeted advertising or profiling;
  • The right to delete personal data concerning the consumer; and
  • The right to correct any inaccuracies of personal or sensitive data.
In addition, a business under CPA purview must obtain a consumer’s opt-in consent prior to processing or selling their sensitive data. The CPA considers “sensitive data” to be a person’s racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child. In contrast, personal data is any information that can identify an individual, such as a telephone number, email address, or social security number.

What Your Business Can Do to Prepare for Compliance

As July 2023 nears, entities that meet the scope and threshold requirements of the CPA must begin to prepare for compliance. For those entities subject to the CPA, changes must be made to current data privacy and cybersecurity practices. To be compliant with the CPA, an entity must:
  • Revise any current privacy policies to reflect the new personal data processing rules and inform consumers of their new rights;
  • Implement reasonable security measures and safeguards to protect personal or sensitive data;
  • Establish a procedure to determine when to conduct a data protection assessment;
  • Enable an “opt-out” feature for consumers regarding the sale of their personal information, which must be readily accessible to the consumer;
  • Implement new mechanisms to obtain informed consent when collecting sensitive information;
  • Facilitate receipt and response to consumer requests; and
  • Implement training programs for the employees of the entity.

The CPA will become effective on July 1, 2023, giving entities an opportunity to focus on preparing for compliance. The CPA will be enforced by the Colorado Attorney General, as well as by the district attorneys in the state. Similar to the UCPA and VCDPA, there is no private right of action under the CPA. In the case of an alleged violation, the attorney general will give the entity written notice identifying the specific alleged violation 60 days before initiation of any action, giving the business a month as a “cure period” to address and solve any potential violations.

In the event of non-compliance, controllers or entities that have violated the CPA after the cure period has ended may be subject to large penalties of $20,000 per violation, capped at a maximum of $500,000. It is recommended that businesses protect themselves from potential violations by adopting and implementing a compliance program that includes a privacy policy that is easily accessible and comprehensible.

Connect with Ice Miller’s Data Privacy and Cybersecurity Attorneys

Ice Miller has extensive experience assisting companies with navigation and compliance relating to domestic privacy legislation and regulation. Our team includes Reena Bajowala (CIPT, CIPP/US, CIPM), a partner in Ice Miller’s Chicago office and Chair of the Data Security & Privacy and Information and Software Disputes practices; and Angad Chopra (CIPP/US), a Certified Privacy Professional and associate in Ice Miller’s Data Security & Privacy Group. Former Summer Associates Miranda Greene, Zenas Shi, and Christopher Williams contributed to this publication.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.