What to know about the CPA

Proactive management of data privacy compliance to handle challenging CPA requirements


What is CPA?

On July 8, 2021, Colorado became the third state to pass a data privacy law, behind California (CCPA, CPRA) and Virginia (CDPA). The Colorado Privacy Act (CPA) grants data rights to Colorado residents and will be enforced starting July 1, 2023. CPA shares many similarities with CDPA and a few with CCPA/CPRA. CPA even shares a similar framework and terminology with the General Data Protection Regulation (GDPR). CPA also has notable differences, some more intensive and some less.

Any for-profit organization doing business in Colorado that collects consumers’ personal information and meets one of the following thresholds must comply with CPA:
  • Buys, receives, sells, or shares the personal information of more than 100,000 consumers, households, or devices for commercial purposes
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more
There are several exemptions to CPA that don’t mirror CCPA/CPRA:
  • There is no global annual revenue threshold requirement
  • “Protected individuals” do not include employee/applicant data
  • Air carriers, public utilities (as defined by Colorado Law), and those subject to Gramm-Leach-Bliley do not have to comply
  • Certain types of personal data, such as patient data or publicly available information, do not qualify for processing obligations

Consumer Rights under CPA:

The right to know

The right to delete

The right to opt-out

The right to correction

The right to data portability

The right to appeal*

*denial to take action within a reasonable time period; including the right to contact the attorney general if the appeal is denied.

Best Practices: How to Comply

Compliance starts with a strategic plan and checklist. A few tips include:

Establish and update your privacy policy to acknowledge that you are aware of CPA

Review legal basis for processing personal data

Document all data that is collected/processed

Data map personal information fields to each internal database

Appoint a person/team/Data Protection Officer who can own data privacy best practices and respond to

Meet proper deadlines

Audit/create reports to show reporters your data landscape, proof of purpose, and all DSARs completed to date.

Understand all exemptions under CPA

Distinguish between data definitions, as they differ between state laws

Establish a user-selected universal opt-out mechanism by July 1, 2024

What are the fines and penalties for non-compliance?

Non-Compliance Civil Penalty:
Maximum $20,000 per offense

How does Colorado’s CPA compare to California CPRA?

Rights

CPA:
  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discriminate
  • The right to appeal

CPRA:
  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discriminate
  • The right to correct inaccurate information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to opt-out of automated decision-making technology

Who Must Comply

CPA: Organizations that conduct business or produce commercial products or services that are intentionally targeted to residents and that either:
  • Buy, receive, sell, or share the personal information of more than 100,000 consumers, households, or devices for commercial purposes.
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

CPRA:
  • Gross Revenue >$25 million
  • Buy, receive, sell, or share the personal information of more than 100,000 consumers, households, or devices for commercial purposes
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information

Fines

CPA: Maximum $20,000 per offense

CPRA:
  • Unintentional Non-Compliance Civil Penalty: Maximum $2,500 per offense
  • Intentional Non-Compliance Civil Penalty: Maximum $7,500 per offense
  • Consumers can file private lawsuits for between $100 to $750 damages or for actual damages

Links

CPA: -

CPRA: Websites must have “Do not sell my personal information” link and “Limit the use of my personal information” link

Enforcement

CPA: CO Attorney General + District Attorneys

CPRA: CA Attorney General + California Privacy Protection Agency

Minors

CPA: -

CPRA: Organizations must notify minors under 16 years of age if they intend to sell or share their personal data

Cure Period (Fines)

CPA: 60-day cure period after receiving notice from the Attorney General/District Attorney before it takes further enforcement measures. (The right to cure exists as a two-year sunset provision and will cease to be required beginning January 1, 2025).

CPRA: No Cure period (CCPA has a 30 Day Cure Period)

Minor Fines

CPA: -

CPRA: Automatic $7,500 fine per violation involving the personal information of minors

Frequently Asked Questions

The Colorado Privacy Act, signed on July 8, 2021, is a Colorado state data privacy law that protects Colorado residents from misuse or unauthorized access to their personal information.

The Colorado Privacy Act introduces multiple data protection requirements for sensitive personal information on residents, including a requirement that no person or entity may collect or maintain personal information on an individual who resides in Colorado without first being permitted by law to do so or having obtained written permission from the Colorado resident.

Businesses must provide consumers with a privacy notice, and it must include:

  • Categories of sensitive personal information (PI) collected or processed by the controller or processor.
  • Purpose(s) of processing personal information.
  • How to exercise consumer privacy rights and right to appeal if a request is denied.
  • Categories of personal information shared.
  • Categories of third parties with whom personal information is shared.
  • If personal information is sold to a third party or processed for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing as well as the opt-out mechanism.

The Colorado Data Privacy Act is important to Colorado residents but also to businesses that maintain private information on Colorado residents. CPA imposes data protection requirements for businesses and government entities that maintain personal information of Colorado residents and provides for fines if businesses are found not to be complying with it. It also allows Colorado citizens affected by certain Colorado data breaches to seek damages in court. Finally, this act expands privacy into the social media realm, limiting what employers can do with employees’ social media accounts while ensuring that workers’ benefits aren’t diminished because they use such online platforms.

The Colorado Privacy Act (CPA) impacts businesses that maintain personal data on Colorado residents and Colorado residents themselves. The CPA applies to any controller that:

  • Conducts business in Colorado or produces or delivers commercial products or services that are targeted to residents of Colorado; and
  • Controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

CPA Provides Colorado Consumer Rights

Consumer data privacy rights provided by CPA as part of processing of personal data include:

  1. Right of access. Like the California Consumer Protection Act (CCPA), CPA gives consumers the right to confirm and access their personal data.
  2. Right to correction. Consumers have the right to request a company to correct inaccuracies in their personal data.
  3. Right to delete. Consumers have the right to request a company to delete their personal data.
  4. Right to data portability. Consumers have the right to obtain personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance.
  5. Right to opt out. Consumers have the right to opt out of the processing of their personal data.

Like CCPA, under the CPA, a business must identify all personal data that belongs to a requestor and respond to a consumer request within 45 days of receipt, with an ability to extend that deadline by an additional 45 days. If a business elects to extend that deadline, it must notify the consumer within the initial 45-day response period and provide a legitimate reason for the extension.

The Colorado Attorney General (AG) and district attorneys are tasked with enforcing CPA; they may seek civil remedies for violations by imposing fines and obtaining injunctions to require compliance with Colorado law. A non-compliant entity could be fined up to $20,000 per violation.

CYTRIO is helping all organizations meet the burden of the Colorado Privacy Act (CPA) with an easy-to-use privacy rights management platform. Using CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost savings, with CPA compliance response SLAs and minimized risk of regulatory fines, all the while building consumer trust.

Using CYTRIO CPA compliance software, organizations can operationalize and automate Privacy Right Management, enabling organizations to meet a complex set of CPA compliance requirements through a secure data request intake portal, identity verification, AI-driven PI data discovery, classification, identity correlation, data subject access request (DSAR) response orchestration, and detailed audit records. Learn more on CYTRIO’s NextGen Privacy Rights Solution.

Colorado Attorney General.

Any individual who has a permanent address in Colorado

Customers of household goods and services, employees, and those who make business-to-business transactions

45 days

If my business is not in Colorado, do I have to comply? Yes, if you have a customer/client who resides in Colorado, you must comply with CPA

Consumers may only make information requests twice a year and only for a 12-month look-back

An individual whose data is collected and processed

An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form

The process of matching fields from one database to another

A person who determines the purposes and means of the processing of personal data

A third-party who processes personal data on behalf of the controller

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship
