Colorado Privacy Act (CPA) Rulemaking

The CPA protects the personal data of Colorado residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program. The CPA does not cover the personal data of individuals acting in a commercial or employment context, such as a job applicant

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

• The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
• The right to know whether a controller is collecting personal data;
• The right to access personal data that a controller has collected about them;
• The right to correct personal data;
• The right to delete personal data; and
• The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

Data processing refers to actions a company make take regarding personal data, including the collection, usage, sale, storage, disclosure, analysis, deletion, or modification of personal data. An entity “processes” data even if it instructs another entity to process data on its behalf.

A controller determines the purpose for and means of collecting and processing personal data.​ For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the CPA, a processor may only process data under the direct authorization and command of a controller. The CPA requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some processors act as both controllers and processors depending on their role, and if  a Processor begins to determine the purpose and means of the data processing, it becomes a controller with respect to that processing.

How do Colorado consumers exercise their rights under the CPA?

When the CPA goes into effect in July of 2023, consumers will be able to learn how to exercise their rights on businesses’ websites. Businesses and other organizations controlling data, also called controllers, will be obligated to provide consumers with a privacy notice that includes the types of personal data collected or processed, the purpose for which that personal data is processed, the type of data that is shared with third parties and the categories of third parties it is shared with, and how people can access, correct, delete, and download and transmit their personal data. Additionally, those businesses and organizations will have to provide clear and conspicuous disclosure if any personal data is sold or processed for targeted advertising and how people can to opt out of having their data sold or processed. Consumers will be able to opt-out through businesses' privacy notices as well as through a readily accessible location outside the privacy notice. Additionally, consumers will be able to opt out through a universal opt-out option which will apply to all businesses subject to the CPA.

Before the CPA goes into effect, the Colorado Attorney General’s Office will create and provide rules with input from consumers and other stakeholders setting forth additional details regarding the steps controllers must take to ensure that consumers can effectively exercise their rights, including details relating to the universal opt-out mechanism.

Only in specific circumstances. The CPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.

Personal data is any non-public information that reasonably can be linked to an individual. Sensitive data is a subset of personal data and includes:

• Any personal data regarding a child under the age of 13;
• Any data that reveals the race, ethnic origin, or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and
• Biometric data that is used for identifying an individual.

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

• Process the personal data of more than 100,000 individuals in any calendar year; or
• Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

The CPA excludes some types of entities from complying with its requirements. These entities include:

• Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
• Air carriers subject to Federal Aviation Administration regulation; and
• National securities associations registered under the Securities Exchange Act.

The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. For a complete list see §6-1-1304 of the CPA.

Under the law, controllers MUST:

• Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
• Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
• Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
• Use reasonable security practices to secure the data;
• Respond to requests by individuals asserting the rights granted to them under the law; and
• Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
  • unfair, deceptive or disparate treatment of individuals;
  • financial or physical injury to individuals;
  • a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
  • some other substantial injury.

Under the law, controllers MAY NOT:

• Collect, store, use, share or sell “sensitive data” without an individual’s consent.
• Use personal data in any way that would result in unlawful discrimination.

The Attorney General’s Office and District Attorneys have sole enforcement power under the CPA. The Attorney General’s Office also has rulemaking authority under the law.

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the CPA. Only the Attorney General and District Attorneys can enforce the CPA.

If the Attorney General or District Attorney determines that a violation can be remedied, the Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. If either office determines that no fix is possible for the violation, no such letter is required. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025.

Yes. The Attorney General will create rules both for the purpose of carrying out the CPA and to detail the technical specifications of one or more universal opt-out options. The Attorney General plans on adopting those rules before July 1, 2023.

The Attorney General’s Office will engage with Colorado consumers, businesses, and other stakeholders related to the CPA and potential rulemaking considerations. In early 2022, the Attorney General’s Office will post a series of topics for informal input on its website and solicit responses in writing and at scheduled events. This will help the office engage in a more focused dialogue, consider diverse perspectives, and address issues. By the fall of 2022, the Attorney General’s Office plans to post a formal Notice of Proposed Rulemaking, which will include a proposed set of model rules. This will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado. If you would like to follow the CPA rulemaking process, you may sign up to receive additional information and updates here.