Skip to Content
Colorado Attorney General

Phil Weiser

Colorado Attorney General

File A Complaint
  • About Us
    • Attorney General Bio & Photos
    • Vision & Values
    • Senior Staff & Organization
    • Colorado Attorney General Annual Report
    • Attorney General Opinions
    • Contact Our Office
  • Sections
    • Administration
    • Business & Licensing
    • Civil Litigation & Employment Law
    • Consumer Protection
    • Criminal Appeals
    • Criminal Justice
    • Natural Resources & Environment
    • Division of Community Engagement
    • Revenue & Utilities
    • State Services
  • Careers
    • Attorney & Other Non-Classified Positions
    • Fellowships
    • Internships
    • Classified Staff Positions
    • Other Opportunities to Join our Team
  • Media Center
    • Press Room
    • Colorado Open Records Act – CORA
  • Resources
    • Survivors of Childhood Sexual Abuse
    • Victim Assistance
    • Budget & Accounting
    • Colorado Privacy Act
    • Code of Colorado Regulations
    • Colorado Revised Statutes
    • Coronavirus Information
    • Data Protection Laws
    • Funding Opportunities
    • Office of Financial Empowerment
    • Student Loans
    • Transparency Online Project (TOPS)
  • Licensing
    • Business Resources
    • Collection Agencies & Debt Collectors
    • Colorado Uniform Consumer Credit Code: Licensing & Notification
    • Debt Management Services Providers
    • Health Club Bonds
    • Repossessors
    • Student Loan Servicers: Licensing
    • Telemarketing
  • Recursos en español

Colorado Privacy Act (CPA) Rulemaking

On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Colorado’s Consumer Protection Act.

The CPA gives the Colorado Attorney General authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado Attorney General specifically adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data (6-1-1313(2), C.R.S.).

The Attorney General’s Office will provide notice of its proposed rulemaking and begin the rulemaking process in the coming months. Please consider sharing input on the CPA or participating in rulemaking input process. We are better together.

The importance of input

The Colorado Attorney General’s Office believes it will produce better rules if it receives strong, diverse input from interested persons. Though rulemaking has not begun, the Colorado Attorney General’s Office welcomes initial input from the community to better understand the public’s thoughts and concerns about the focus for future rulemaking.

If you wish to provide informal input on the CPA and future rulemaking prior to the notice of proposed rules, please share your comments through this form:

CPA COMMENT FORM →

Note that any information you send as part of this information-gathering process may be considered part of the rulemaking record.  If individuals or entities wish to provide information that will be considered part of the rulemaking record, they will be afforded opportunities to do so once the rulemaking process commences.

Rulemaking input

Once rulemaking begins, the Colorado Attorney General’s Office will update this page with details about the proposed rules and the opportunities for input. The rulemaking will be governed by the State Administrative Procedures Act. The Office plans to have a robust public outreach and input process that gives interested persons a variety of ways to provide feedback, perspective, opinion, and expertise.

GENERAL INFORMATION

What does the CPA protect?

The CPA protects the personal data of Colorado residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program. The CPA does not cover the personal data of individuals acting in a commercial or employment context, such as a job applicant

When do the new laws take effect?

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

How does the CPA protect Colorado consumers?

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

  • The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
  • The right to know whether a controller is collecting personal data;
  • The right to access personal data that a controller has collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.
What does it mean to process data?

Data processing refers to actions a company make take regarding personal data, including the collection, usage, sale, storage, disclosure, analysis, deletion, or modification of personal data. An entity “processes” data even if it instructs another entity to process data on its behalf.

What is the difference between controllers and processors?

A controller determines the purpose for and means of collecting and processing personal data.​ For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the CPA, a processor may only process data under the direct authorization and command of a controller. The CPA requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some processors act as both controllers and processors depending on their role, and if  a Processor begins to determine the purpose and means of the data processing, it becomes a controller with respect to that processing.

WHAT CONSUMERS AND ENTITIES SHOULD KNOW

How do Colorado Consumers exercise their rights under the CPA?

How do Colorado consumers exercise their rights under the CPA?

When the CPA goes into effect in July of 2023, consumers will be able to learn how to exercise their rights on businesses’ websites. Businesses and other organizations controlling data, also called controllers, will be obligated to provide consumers with a privacy notice that includes the types of personal data collected or processed, the purpose for which that personal data is processed, the type of data that is shared with third parties and the categories of third parties it is shared with, and how people can access, correct, delete, and download and transmit their personal data. Additionally, those businesses and organizations will have to provide clear and conspicuous disclosure if any personal data is sold or processed for targeted advertising and how people can to opt out of having their data sold or processed. Consumers will be able to opt-out through businesses' privacy notices as well as through a readily accessible location outside the privacy notice. Additionally, consumers will be able to opt out through a universal opt-out option which will apply to all businesses subject to the CPA.

Before the CPA goes into effect, the Colorado Attorney General’s Office will create and provide rules with input from consumers and other stakeholders setting forth additional details regarding the steps controllers must take to ensure that consumers can effectively exercise their rights, including details relating to the universal opt-out mechanism.

Is consent required to process personal data under the CPA?

Only in specific circumstances. The CPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.

What's the difference between personal data and sensitive data?

Personal data is any non-public information that reasonably can be linked to an individual. Sensitive data is a subset of personal data and includes:

  • Any personal data regarding a child under the age of 13;
  • Any data that reveals the race, ethnic origin, or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and
  • Biometric data that is used for identifying an individual.

HOW BUSINESSES, NONPROFITS, AND OTHER ENTITIES WILL BE IMPACTED

Who must comply with the CPA?

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

  • Process the personal data of more than 100,000 individuals in any calendar year; or
  • Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

What is excluded from the CPA?

The CPA excludes some types of entities from complying with its requirements. These entities include:

  • Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
  • Air carriers subject to Federal Aviation Administration regulation; and
  • National securities associations registered under the Securities Exchange Act.

The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. For a complete list see §6-1-1304 of the CPA.

What obligations do data controllers have under this new law?

Under the law, controllers MUST:

  • Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
  • Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
  • Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
  • Use reasonable security practices to secure the data;
  • Respond to requests by individuals asserting the rights granted to them under the law; and
  • Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
    • unfair, deceptive or disparate treatment of individuals;
    • financial or physical injury to individuals;
    • a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
    • some other substantial injury.

Under the law, controllers MAY NOT:

  • Collect, store, use, share or sell “sensitive data” without an individual’s consent.
  • Use personal data in any way that would result in unlawful discrimination.

HOW THE CPA WILL BE ENFORCED

What is the Attorney General's role in enforcing this law?

The Attorney General’s Office and District Attorneys have sole enforcement power under the CPA. The Attorney General’s Office also has rulemaking authority under the law.

Can individuals that have had their data mishandled sue directly under the CPA?

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the CPA. Only the Attorney General and District Attorneys can enforce the CPA.

Are companies provided notice of a violation before enforcement action is taken?

If the Attorney General or District Attorney determines that a violation can be remedied, the Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. If either office determines that no fix is possible for the violation, no such letter is required. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025.

What are the penalties the government can impose if a company is found in violation of the CPA?
Will the Attorney General provide any guidance on how to comply with the CPA?

Yes. The Attorney General will create rules both for the purpose of carrying out the CPA and to detail the technical specifications of one or more universal opt-out options. The Attorney General plans on adopting those rules before July 1, 2023.

The Attorney General’s Office will engage with Colorado consumers, businesses, and other stakeholders related to the CPA and potential rulemaking considerations. In early 2022, the Attorney General’s Office will post a series of topics for informal input on its website and solicit responses in writing and at scheduled events. This will help the office engage in a more focused dialogue, consider diverse perspectives, and address issues. By the fall of 2022, the Attorney General’s Office plans to post a formal Notice of Proposed Rulemaking, which will include a proposed set of model rules. This will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado. If you would like to follow the CPA rulemaking process, you may sign up to receive additional information and updates here.

Public input

If you wish to provide input on the CPA and future rulemaking prior to the notice of proposed rules, please share your comments through this form:

CPA COMMENT FORM →

Pre-rulemaking considerations

Click below to view the pre-rulemaking considerations:

Pre-rulemaking considerations →

Get on the mailing list

Interested persons can attend the office’s future informational meetings to learn about the function and purpose of the CPA and understand the office’s plans for receiving public comment during rulemaking. We will share information about informational meetings on this page and through the mailing list below.

Please know that these meetings are informational and may be part of the official rulemaking record. The office will provide public notice of its proposed rules once they are prepared. At that time, the office will also hold public hearings to allow interested persons to share input on the proposed rules and further engage in the rulemaking process.

If you wish to receive updates on informational meetings, provide future rulemaking input, or otherwise be involved with the rulemaking process, please click the button and complete the form to receive updates and notices:

INFORMATIONAL & RULEMAKING MEETING NOTICE SIGN-UP →

You can also receive additional notices about this rulemaking and other Colorado rulemakings by completing the form on the Department of Regulatory Agencies webpage.

If you do not wish to sign-up for notifications, you can follow the rulemaking filings on the Colorado Secretary of State’s website at www.coloradosos.gov.

 

Learning about the Colorado Privacy Act

The text of the CPA is available at this link:

  • Learn about the CPA:  Senate Bill 21-190

 

Office of the Attorney General
Colorado Department of Law
Ralph L. Carr Judicial Building
1300 Broadway, 10th Floor
Denver, CO 80203

(720) 508-6000

Contact the Office of the Attorney General

Contact

Facebook
Twitter