On July 8, 2021, Colorado became the third state to pass a data privacy law behind California (CCPA, CPRA) and Virginia (CDPA). The Colorado Privacy Act (CPA) grants consumer data rights of Colorado residents and will be enforced starting July 1, 2023. CPA shares many similarities to CDPA and a few to CCPA/CPRA. CPA even shares a similar framework and terminology to the General Data Protection Regulation (GDPR). CPA also has notable differences that are both more/less intensive.
Any for-profit organization doing business in Colorado that collects consumers’ personal information and meets one of the following thresholds must comply with CPA:The right to know
The right to delete
The right to opt-out
The right to correction
The right to data portability
The right to appeal*
*denial to take action within a reasonable time period; including the right to contact the attorney general if the appeal is denied.
Compliance starts with a strategic plan and checklist. A few tips include:
Establish and update your privacy policy to acknowledge that you are aware of CPA
Review legal basis for processing personal data
Document all data that is collected/processed
Data map personal information fields to each internal database
Appoint a person/team/Data Protection Officer who can own data privacy best practices and respond to
Meet proper deadlines
Audit/create reports to show reporters your data landscape, proof of purpose, and all DSARs completed to date.
Understand all exemptions under CPA
Decipher between data definitions as they differ between state laws
Establish a user-selected universal opt-out mechanism by July 1, 2024
The Colorado Privacy Act, signed on July 8, 2021, is a Colorado state data privacy law that protects Colorado residents from misuse or unauthorized access to their personal information.
The Colorado privacy act introduces multiple data protection requirements for sensitive personal information on residents, including a requirement that no person or entity may collect or maintain personal information on an individual who resides in Colorado without first being permitted by law to do so or having obtained written permission from the Colorado resident.
Businesses must provide consumers with a privacy notice, and it must include
The Colorado Data Privacy Act is important to Colorado residents but also to businesses that maintain private information on Colorado residents. CPA imposes data protection requirements for businesses and government entities that maintain personal information of Colorado residents and provides for fines if businesses are found not complying with it. It also allows Colorado citizens affected by certain Colorado data breaches to seek damages in court. Finally, this act expands privacy into the social media realm, limiting what employers can do with employees’ social media accounts while ensuring that worker’s benefits aren’t diminished because they use such online platforms.
The Colorado privacy act (CPA) impacts businesses that maintain personal data on Colorado residents and Colorado residents themselves. The CPA applies to any controller that:
CPA Provides Colorado Consumer Rights
Consumer data privacy rights provided by CPA as part of processing of personal data include:
Like CCPA, under the CPA, a business must identify all personal data that belongs to a requestor and respond to a consumer request within 45 days of receipt and with an ability to extend that deadline by an additional 45 days. If a business elects to extend that deadline it must notify the consumers within the initial 45-day response period and provide legitimate reason for extension.
The Colorado Attorney General (AG) and district attorneys are tasked with enforcing CPA; They may seek civil remedies for violations by imposing fines and obtaining injunctions to require compliance with Colorado law. Non-compliant entity could be fined up to $20,000 per violation.
CYTRIO is helping all organizations meet the burden of the Colorado Privacy Act (CPA) with an easy-to-use privacy rights management platform. Using CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost-saving, with CPA compliance response SLAs and minimization risk of regulatory fines, all the while building consumer trust.
Using CYTRIO CPA compliance software, organizations can operationalize and automate Privacy Right Management , enabling organizations to meet a complex set of CPA compliance requirements through a secure data request intake portal, identity verification, AI-driven PI data discovery, classification, identity correlation, data subject access request (DSAR) response orchestration, and detailed audit records. Learn more on CYTRIO’s NextGen Privacy Rights Solution.
Colorado Attorney General.
Any individual who has a permanent address in Colorado
Customers of household goods and services, employees, and those who make business-to-business transactions
45 days
If my business is not in Colorado, do I have to comply? Yes, if you have customer/client who resides Colorado you must comply with CPA
Consumers may only make information requests twice a year and only for a 12-month look-back
An individual whose data is collected and processed
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form
the process of matching fields from one database to another.
The process of matching fields from one database to another
A person who determines the purposes and means of the processing of personal data
A third-party who processes personal data on behalf of the controller
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship