Colorado Privacy Act (CPA)

The CPA protects the personal data of Colorado residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program. The CPA does not cover the personal data of individuals acting in a commercial or employment context, such as a job applicant

To allow companies time to change their practices and operations to comply with this new law, it will not take effect until July 1, 2023.

Under the act, Colorado consumers will gain additional insight into what personal data controllers collect, share and sell, and how that data is used. Additionally, Colorado consumers will have the following enumerated rights with respect to their personal data:

• The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling;
• The right to know whether a controller is collecting personal data;
• The right to access personal data that a controller has collected about them;
• The right to correct personal data;
• The right to delete personal data; and
• The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

Data processing refers to actions a company make take regarding personal data, including the collection, usage, sale, storage, disclosure, analysis, deletion, or modification of personal data. An entity “processes” data even if it instructs another entity to process data on its behalf.

A controller determines the purpose for and means of collecting and processing personal data.​ For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the CPA, a processor may only process data under the direct authorization and command of a controller. The CPA requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some processors act as both controllers and processors depending on their role, and if  a Processor begins to determine the purpose and means of the data processing, it becomes a controller with respect to that processing.

“Personal Data” for purposes of the CPA’s application thresholds includes all information that is linked or could reasonably be linked to a Consumer, which is defined as a Colorado resident acting in an individual or household context (as opposed to an employment or business-to-business context). For instance, “Personal Data” does not include information collected from a job applicant. "Personal data" also does not include information made publicly available by federal, state, or local government, or made publicly available by the consumer.

The CPA defines "Consumer" as "an individual who is a Colorado resident acting only in an individual or household context..." C.R.S. § 6-1-1303(6).

Therefore, when the CPA states that it applies to a Controller that "Controls or Processes the Personal Data of one hundred thousand Consumers or more during the calendar year," it means 100,000 Colorado residents.

The CPA does not apply to data maintained for employment records purposes. Furthermore, the term "consumer" means an individual Colorado resident acting only in an individual or household context and does not include an individual acting as an employee or job applicant.

Data controllers will be required to accept opt-out requests through universal opt-out mechanisms starting on July 1, 2024. Prior to July 1, 2024, controllers may, but are not required to, allow consumers to opt-out of personal data processing through a universal opt-out mechanism. By January 1, 2024, the Colorado Department of Law will publish a list of universal opt-out mechanisms that have been recognized meet the standards of the Colorado Privacy Act.

For information regarding a specific controller, check the controller's privacy notice. Each controller's privacy notice must include a description of the various methods through which a consumer can exercise their data rights. Starting, July 1, 2024, these notices must include an explanation of how opt-out requests through universal opt-out mechanisms will be processed.

How do Colorado consumers exercise their rights under the CPA?

When the CPA goes into effect in July of 2023, consumers will be able to learn how to exercise their rights on businesses’ websites. Businesses and other organizations controlling data, also called controllers, will be obligated to provide consumers with a privacy notice that includes the types of personal data collected or processed, the purpose for which that personal data is processed, the type of data that is shared with third parties and the categories of third parties it is shared with, and how people can access, correct, delete, and download and transmit their personal data. Additionally, those businesses and organizations will have to provide clear and conspicuous disclosure if any personal data is sold or processed for targeted advertising and how people can to opt out of having their data sold or processed. Consumers will be able to opt-out through businesses' privacy notices as well as through a readily accessible location outside the privacy notice. Additionally, consumers will be able to opt out through a universal opt-out option which will apply to all businesses subject to the CPA.

Before the CPA goes into effect, the Colorado Attorney General’s Office will create and provide rules with input from consumers and other stakeholders setting forth additional details regarding the steps controllers must take to ensure that consumers can effectively exercise their rights, including details relating to the universal opt-out mechanism.

Only in specific circumstances. The CPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.

Personal data is any non-public information that reasonably can be linked to an individual. Sensitive data is a subset of personal data and includes:

• Any personal data regarding a child under the age of 13;
• Any data that reveals the race, ethnic origin, or religious beliefs, mental or physical health conditions or diagnoses, sexual activity, preferences or orientation, or citizenship status or citizenship of an individual; and
• Biometric data that is used for identifying an individual.

The Colorado Privacy Act requires that consumer disclosures are understandable and accessible. Data controllers shall use plain, straightforward language and provide communications in languages generally used by the business. Communications must be “provided in a readable format on all devices through which consumer normally or regularly interact with the controller, including on smaller screens and through mobile applications, if applicable.” 4 CCR 904-3, Rule 3.01(5). In considering whether disclosures must be provided in a readable format on a specific device, controllers should consider whether the consumer receives other communications, disclosures and notifications from the controller on that device in the normal course of business.

Notifications and disclosures must also be reasonably accessible to consumers with disabilities by following standard web accessibility guidelines and by providing information on how customers with disabilities may access the communication or request it in an alternative format.

Data controllers must respond to consumer requests within 45 days of receiving the request. If reasonably necessary, a controller may extend this period by an additional 45 days, though the controller must inform the consumer of the extension within the original 45-day period and provide reasons for delay.

Under the CPA, consumers have the right to access their personal data collected and maintained by the controller. Consumers also have a right to obtain this data in a portable and readily usable format. Controllers must provide information to consumers free of charge for the first request within a twelve-month period. Controllers may charge for second or subsequent requests within a twelve-month period, at a rate of 25 cents per page or no more than the actual cost of the record requested.

Controllers must comply with access requests by providing all the specific pieces of personal data collected about the consumer, with few exceptions for passwords, identification numbers, or financial data. Responses to access requests must be concise, transparent, and intelligible, and in a commonly used format. For full details, see 4 CCR 904-3, Rule 4.04.

If a consumer requests this data in a portable format, the controller must transfer the personal data securely in a common electronic format which is readily usable by another entity. However, a controller is not required to provide data in a manner which would disclose trade secrets. For full details, see 4 CCR 904-3, Rule 4.07.

The Colorado Privacy Act gives Colorado Consumers specific rights, including the Right of access. In describing the right of access, the CPA states that "[a] Consumer has the right to confirm whether a Controller is Processing Personal Data Concerning the Consumer and to access the Consumer's Personal Data.” C.R.S. § 6-1-1306(1)(b).

"Consumer" under the CPA means "(a) an individual who is a Colorado resident acting only in an individual or household context; and (b) does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context. C.R.S. § 6-1-1303(6).

Therefore, the right of access enables a Colorado resident acting in an individual context to access their own Personal Data and does not give a third party (e.g. an employer or landlord) the right to request a Consumer's Personal Data.

Methods for consumers to opt-out or make requests to the controller should consider the ways that consumers normally interact with the controller. Exclusively online companies that interact directly with consumers need only provide an email address for submitting requests. Controllers with a website or mobile app that also interact with consumers offline should have one method such as a webform on that website or app, and another method as well. Controllers with an in-person presence should consider offline methods like printed forms, in-store tablets, or telephone options. Whichever methods a controller chooses, the process must be available at any time, must be easy to execute, and must require a minimal number of steps.

A "Bona Fide Loyalty Programs", as referred to in the CPA, "is defined as a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing Bona Fide Loyalty Program Benefits to Consumers that voluntarily participate in that program such that the primary purpose of Processing Personal Data through the program is solely to provide Bona Fide Loyalty Program Benefits to participating Consumers." 4 CCR 904-3, Rule 2.02.

A "Bona Fide Loyalty Program Benefit" is "an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program." 4 CCR 904-3, Rule 2.02.

The Sale of Personal Data or use of Personal Data for Targeted Advertising is not a Bona Fide Loyalty Program Benefit and therefore not the primary purpose of a Bona Fide Loyalty Program. Instead, it is a secondary use. Under the CPA, a Controller must obtain Consent from a Consumer before Processing the Consumer's Personal Data for a secondary use. Accordingly, a Controller must obtain Consent to use Personal Data obtained through a Bona Fide Loyalty Program for Targeted Advertising.

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

• Process the personal data of more than 100,000 individuals in any calendar year; or
• Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

The CPA excludes some types of entities from complying with its requirements. These entities include:

• Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
• Air carriers subject to Federal Aviation Administration regulation; and
• National securities associations registered under the Securities Exchange Act.

The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. For a complete list see §6-1-1304 of the CPA.

Under the law, controllers MUST:

• Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
• Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
• Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
• Use reasonable security practices to secure the data;
• Respond to requests by individuals asserting the rights granted to them under the law; and
• Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
  • unfair, deceptive or disparate treatment of individuals;
  • financial or physical injury to individuals;
  • a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
  • some other substantial injury.

Under the law, controllers MAY NOT:

• Collect, store, use, share or sell “sensitive data” without an individual’s consent.
• Use personal data in any way that would result in unlawful discrimination.

The obligations of controllers under the CPA are the same whether the personal data is collected offline, such as in-store or over the phone, or online, such as on a website.

Two key obligations for controllers are the duty of transparency via clear and accessible privacy notices and the duty to respond to consumers who wish to exercise their rights under the CPA. Other obligations include: a duty to minimize unnecessary data collection and avoid secondary use, a duty of care in processing data, a duty to avoid unlawful discrimination, and a duty to obtain consent before processing sensitive data. For more information on specific requirements for data controllers, please see 4 CCR 904-3, Part 6.

Both controllers and processors have responsibilities under the CPA. A controller is a person or entity who determines the purposes for and means of processing personal data. Controller responsibilities are outlined throughout the CPA, and include those duties listed in C.R.S. § 6-1-1308, as well as the obligation to provide consumers with a clear and conspicuous opt-out method and to respond to consumers’ request to exercise their rights under the C.R.S. § 6-1-1306(2).

A processor is a person or entity that processes personal data on behalf of a controller. Processors must adhere to instructions of the controller and assist the controller to meet its obligations under the CPA. Processors must also ensure the confidentiality of anyone processing personal data and take measures to allow for the fulfillment of consumer data requests. Full processor responsibilities are outlined in C.R.S. § 6-1-1305(2)-(6).

It is possible that a covered entity could be both a controller and processor. In those cases, any personal data collected by the entity for which they determine and control the processing purposes would be subject to controller obligations. Any personal data they receive from a third-party and only handle as a processor would be subject to processor obligations.

Both controllers and processors are responsible for entering into a contract governing the processing relationship and for implementing appropriate measures to ensure an appropriate level of security with established allocations of responsibilities.

The Attorney General’s Office and District Attorneys have sole enforcement power under the CPA. The Attorney General’s Office also has rulemaking authority under the law.

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the CPA. Only the Attorney General and District Attorneys can enforce the CPA.

If the Attorney General or District Attorney determines that a violation can be remedied, the Attorney General or District Attorney must first send a letter giving the violator 60 days to cure the violation. If either office determines that no fix is possible for the violation, no such letter is required. The process of providing notice of a violation and allowing 60 days for a cure will be in effect until Jan. 1, 2025.

Yes. The Attorney General will create rules both for the purpose of carrying out the CPA and to detail the technical specifications of one or more universal opt-out options. The Attorney General plans on adopting those rules before July 1, 2023.

The Attorney General’s Office will engage with Colorado consumers, businesses, and other stakeholders related to the CPA and potential rulemaking considerations. In early 2022, the Attorney General’s Office will post a series of topics for informal input on its website and solicit responses in writing and at scheduled events. This will help the office engage in a more focused dialogue, consider diverse perspectives, and address issues. By the fall of 2022, the Attorney General’s Office plans to post a formal Notice of Proposed Rulemaking, which will include a proposed set of model rules. This will kick off a process of collecting verbal and written comments about the proposed rules and how they would operate from a range of stakeholders and other interested persons across Colorado. If you would like to follow the CPA rulemaking process, you may sign up to receive additional information and updates here.

The Colorado Privacy Act applies to data controllers that conduct business in Colorado or whose products or services are targeted at Colorado residents, and that either process the personal data of at least 100,000 Colorado consumers in one calendar year, or that derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 consumers. The Act applies regardless of the controller's location and enforcement will not vary based on a controller’s location.