Colorado Attorney General

Phil Weiser

Colorado Privacy Act (CPA) Rulemaking

As of 5 p.m. MT, Feb. 3, 2023, the Department of Law is no longer accepting written comments; the comment period has concluded.

On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Colorado’s Consumer Protection Act.

The CPA gives the Colorado Attorney General authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado Attorney General specifically adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data (6-1-1313(2), C.R.S.).

The proposed draft rules for the CPA were published by the Secretary of State on Oct. 10, 2022, and are now available for public comment, pursuant to the State Administrative Procedures Act. The Colorado Attorney General and the Department of Law believe that public involvement and transparency are important in developing thoughtful, well-considered rules. Anyone is welcome to present at the rulemaking hearing, submit written comments through the online CPA rulemaking comment portal, and provide verbal comments at one or more stakeholder meetings.

Jan. 27, 2023 update

An updated version of the draft rules, with redline changes based on feedback received through Jan. 18, 2023, is available here. Any future revisions to the proposed draft rules will be posted to this website.

Dec. 21, 2022 update

An updated version of the draft rules, with redline changes based on feedback received through Dec. 2, 2022, is available here. Any future revisions to the proposed draft rules will be posted to this website.


Rulemaking hearing

A hearing on the proposed rules is scheduled for 10 a.m. MST Feb. 1, 2023, and will continue as needed. The hearing will be conducted both in person and by video conference.

Click to register for the rulemaking hearing →

The in-person hearing will be hosted at the Colorado Department of Law, Ralph L. Carr Judicial Building, 1300 Broadway, Room 1D in Denver. Additional information about the rulemaking hearing can be found in the Notice of Proposed Rulemaking.


Stakeholder sessions

The department hosted three virtual stakeholder meetings to discuss the CPA proposed draft rules. These stakeholder meetings were a forum for the department to gather feedback from a broad range of stakeholders for the development of rules to implement the CPA. Participants were asked to provide their input and insight, along with constructive feedback and suggestions, on the draft rules in an open discussion format.

After pre-registered speakers presented their comments, our office posed questions that were provided in our notice of proposed rulemaking, and questions stemming from our review of the rulemaking comments received to date. All attendees were welcome to provide input in response to those questions.

The stakeholder session dates and topics were as follows:

Nov. 10, 2022

When: 10 a.m. – 1 p.m. MST

Topics: Consumer Rights and Universal Opt-Out Mechanisms

Questions from Notice of Proposed Rulemaking:

    • Consumer Rights: Pages 2-3
    • Universal Opt-Out Mechanisms: Pages 3-4

Click here to view the meeting.

Nov. 15, 2022

When: 12 p.m. – 3 p.m. MST

Topics: Controller Obligations and Data Protection Assessments

Questions from Notice of Proposed Rulemaking:

    • Controller Obligations: Pages 4-5
    • Data Protection Assessments: Pages 5-6

Click here to view the meeting.

Nov. 17, 2022

When: 2 p.m. – 5 p.m. MST

Topics: Profiling, Consent, and Definitions

Questions from Notice of Proposed Rulemaking:

    • Profiling: Page 6
    • Consent: Page 5
    • Definitions: Page 2

Click here to view the meeting.


Cost-Benefit & Regulatory Analysis

Pursuant to section 24-4-103(2.5), C.R.S., anyone can request a cost-benefit analysis on proposed rules within five days of publication in the Colorado Register. The department received two timely requests for a cost-benefit analysis related to the proposed draft CPA rules. In response to those requests, the department compiled a comprehensive cost-benefit analysis, available here.

For more information about the cost-benefit analysis process, go to the Colorado Department of Regulatory Agencies website.

Pursuant to 24-4-103(4.5), C.R.S., any person may request a regulatory analysis of a proposed rule up to 15 days prior to the rulemaking hearing. The department did not receive any timely requests for a regulatory analysis. However, in support of public involvement and transparency during the rulemaking process, the department published the regulatory analysis as contemplated by the Colorado Administrative Procedure Act. Click here to view the regulatory analysis for the CPA rules.

GENERAL INFORMATION

What does the CPA protect?

The CPA protects the personal data of Colorado residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program. The CPA does not cover the personal data of individuals acting in a commercial or employment context, such as a job applicant.

When do the new laws take effect?

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

How does the CPA protect Colorado consumers?

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

  • The right to opt out of the sale of their personal data, or the use of personal data for targeted advertising and certain types of profiling;
  • The right to know whether a controller is collecting personal data;
  • The right to access personal data that a controller has collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

What does it mean to process data?

Data processing refers to actions a company may take regarding personal data, including the collection, usage, sale, storage, disclosure, analysis, deletion, or modification of personal data. An entity “processes” data even if it instructs another entity to process data on its behalf.

What is the difference between controllers and processors?

A controller determines the purpose for and means of collecting and processing personal data.​ For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the CPA, a processor may only process data under the direct authorization and command of a controller. The CPA requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some entities act as both controllers and processors depending on their role, and if a processor begins to determine the purpose and means of the data processing, it becomes a controller with respect to that processing.

WHAT CONSUMERS AND ENTITIES SHOULD KNOW

How do Colorado consumers exercise their rights under the CPA?

When the CPA goes into effect in July of 2023, consumers will be able to learn how to exercise their rights on businesses’ websites. Businesses and other organizations controlling data, also called controllers, will be obligated to provide consumers with a privacy notice that includes the types of personal data collected or processed, the purpose for which that personal data is processed, the type of data that is shared with third parties and the categories of third parties it is shared with, and how people can access, correct, delete, and download and transmit their personal data. Additionally, those businesses and organizations will have to provide clear and conspicuous disclosure if any personal data is sold or processed for targeted advertising, and how people can opt out of having their data sold or processed. Consumers will be able to opt out through businesses’ privacy notices as well as through a readily accessible location outside the privacy notice. Additionally, consumers will be able to opt out through a universal opt-out option, which will apply to all businesses subject to the CPA.

Before the CPA goes into effect, the Colorado Attorney General’s Office will create and provide rules with input from consumers and other stakeholders setting forth additional details regarding the steps controllers must take to ensure that consumers can effectively exercise their rights, including details relating to the universal opt-out mechanism.

Is consent required to process personal data under the CPA?

Only in specific circumstances. The CPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service; hovering over, pausing, or otherwise interacting with content generally; and agreement obtained through deceptive webpage design are not considered consent under the CPA.

What's the difference between personal data and sensitive data?

Personal data is any non-public information that reasonably can be linked to an individual. Sensitive data is a subset of personal data and includes:

  • Any personal data regarding a child under the age of 13;
  • Any data that reveals the race, ethnic origin, or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and
  • Biometric data that is used for identifying an individual.

HOW BUSINESSES, NONPROFITS, AND OTHER ENTITIES WILL BE IMPACTED

Who must comply with the CPA?

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

  • Process the personal data of more than 100,000 individuals in any calendar year; or
  • Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

What is excluded from the CPA?

The CPA excludes some types of entities from complying with its requirements. These entities include:

  • Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
  • Air carriers subject to Federal Aviation Administration regulation; and
  • National securities associations registered under the Securities Exchange Act.

The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such as the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. For a complete list, see §6-1-1304 of the CPA.

What obligations do data controllers have under this new law?

Under the law, controllers MUST:

  • Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
  • Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
  • Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
  • Use reasonable security practices to secure the data;
  • Respond to requests by individuals asserting the rights granted to them under the law; and
  • Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
    • unfair, deceptive or disparate treatment of individuals;
    • financial or physical injury to individuals;
    • a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
    • some other substantial injury.

Under the law, controllers MAY NOT:

  • Collect, store, use, share or sell “sensitive data” without an individual’s consent.
  • Use personal data in any way that would result in unlawful discrimination.

HOW THE CPA WILL BE ENFORCED

What is the Attorney General's role in enforcing this law?

The Attorney General’s Office and District Attorneys have sole enforcement power under the CPA. The Attorney General’s Office also has rulemaking authority under the law.

Can individuals that have had their data mishandled sue directly under the CPA?

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the CPA. Only the Attorney General and District Attorneys can enforce the CPA.

Are companies provided notice of a violation before enforcement action is taken?

If the Attorney General or District Attorney determines that a violation can be remedied, the Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. If either office determines that no fix is possible for the violation, no such letter is required. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025.

What are the penalties the government can impose if a company is found in violation of the CPA?

Will the Attorney General provide any guidance on how to comply with the CPA?

Yes. The Attorney General will create rules both for the purpose of carrying out the CPA and to detail the technical specifications of one or more universal opt-out options. The Attorney General plans on adopting those rules before July 1, 2023.

The Attorney General’s Office will engage with Colorado consumers, businesses, and other stakeholders related to the CPA and potential rulemaking considerations. In early 2022, the Attorney General’s Office will post a series of topics for informal input on its website and solicit responses in writing and at scheduled events. This will help the office engage in a more focused dialogue, consider diverse perspectives, and address issues. By the fall of 2022, the Attorney General’s Office plans to post a formal Notice of Proposed Rulemaking, which will include a proposed set of model rules. This will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado. If you would like to follow the CPA rulemaking process, you may sign up to receive additional information and updates here.

The Colorado Privacy Act and proposed draft rules

  • Jan. 27, 2023: An updated draft of the rules based on input received through Jan. 18, 2023, can be found here.
  • Dec. 21, 2022: An updated draft of the rules based on input received through Dec. 2, 2022, can be found here.
  • Oct. 10, 2022: The proposed draft rules can be found here or in the Colorado Register. The notice of proposed rulemaking, including specific questions to the public about the proposed draft rules, along with the Statement of Basis, Specific Statutory Authority, and Purpose, can be found here.

The text of the Colorado Privacy Act (Senate Bill 21-190) is available here.

Public input

As of 5 p.m. MT, Feb. 3, 2023, the Department of Law is no longer accepting written comments; the comment period has concluded.

Comments submitted to the Department of Law can be found here.

Click to view submitted comments →

Get on the mailing list

If you wish to receive updates on informational meetings, provide future rulemaking input, or otherwise be involved with the rulemaking process, please click the button and complete the form to receive updates and notices:

INFORMATIONAL & RULEMAKING MEETING NOTICE SIGN-UP →

You can also receive additional notices about this rulemaking and other Colorado rulemakings by completing the form on the Department of Regulatory Agencies webpage.

Pre-rulemaking input

The department hosted public input sessions on Wednesday, June 22 and Tuesday, June 28.

Click here to view the June 22 session, and here to view the June 28 session.

Office of the Attorney General
Colorado Department of Law
Ralph L. Carr Judicial Building
1300 Broadway, 10th Floor
Denver, CO 80203

(720) 508-6000

Contact the Office of the Attorney General
