Key Steps to Compliance With The Colorado Privacy Act (CPA)


The Colorado Attorney General’s office has finalized rules for the Colorado Privacy Act (CPA), cementing key provisions of the law, which was enacted in July 2021, ahead of the enforcement deadline of July 1st, 2023. The CPA increases consumer data privacy rights and sets forth privacy compliance requirements for businesses, with potentially high penalties for non-compliance.

In this blog, we’ll outline key provisions of the law and provide a checklist for beginning a compliance program for the law ahead of enforcement.

For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a state-level data privacy law enacted in Colorado in 2021. The CPA extends consumer rights and protections related to their personal data and sets specific business obligations concerning data privacy and the storage and protection of sensitive data.

Who Needs to Comply With The CPA?

The CPA applies to entities that conduct business or deliver commercial products or services targeted to Colorado residents and meet either of the following thresholds:

  1. Control or process the personal data of more than 100,000 consumers in a calendar year, or
  2. Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

What Rights are Established?

The CPA sets forth a number of rights for Colorado residents in relation to their personal data, similar to the rights provided by the General Data Protection Regulation (GDPR) in Europe and the California Privacy Rights Act (CPRA).

These include:

  1. The right to access their personal data.
  2. The right to correct inaccuracies in personal data.
  3. The right to delete personal data.
  4. The right to data portability.
  5. The right to opt out of the processing of personal data for particular purposes, such as targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.

Struggling with consent management and compliance? CHEQ can help. Schedule a demo today.

What are the Business Obligations and Penalties?

Businesses subject to the CPA are required to meet obligations, including providing clear and accessible privacy notices, conducting data protection assessments for high-risk processing such as those involving sensitive data, honoring consumer rights requests, minimization and purpose limitation of personal data collection and use, and reasonable data security measures to protect data from unauthorized access, use, modification, and disclosure.

Businesses that fail to comply with the law may be subject to civil penalties up to a maximum of $20,000 per violation–which can add up quickly for a website serving thousands of customers.

Before a business can be found in violation of the CPA and subject to these penalties, it has an opportunity to cure the violation within 60 days after being notified of noncompliance.

Colorado Privacy Act Compliance Checklist

With the approaching enforcement deadline, it’s important to act promptly to ensure that your business meets all the CPA’s requirements. By following these key steps, you’ll be well on your way to compliance with Colorado’s new Privacy Act.

  1. Determine if Your Business Falls Under the CPA: Your business is subject to the CPA if it conducts business in Colorado, targets over 100,000 Colorado consumers annually, or profits from the personal data of 25,000 or more Colorado residents. Non-profit organizations are also included.
  2. Understand the Penalties: Be aware that businesses found in violation of the CPA can be subject to civil penalties of up to $20,000 per violation if they don’t rectify the violation within 60 days.
  3. Review Your Data Processing Activity: CPA Rules stipulate that businesses obtain explicit consent prior to processing various forms of data, including sensitive data, children’s personal data, and data used for targeted advertising, profiling, and selling personal data.
  4. Re-evaluate Your Consent Process: The CPA Rules set out five key elements for valid consent: clear, affirmative action; freely given; specific; informed; and unambiguous. Make sure your consent process meets these criteria. Blanket acceptance of general terms, pre-ticked boxes, or Dark Patterns are not considered valid consent. If processing purposes change, obtain new consent from the consumer.
  5. Update Pre-Existing Consent: If you’ve obtained consent prior to July 1, 2023, you can continue to process personal data, provided that the consent complied with the requirements under the CPA.
  6. Develop a System for Re-seeking and Refreshing Consent: You can re-seek consent from consumers who have previously opted-out, but be careful not to cause ‘consent fatigue’. If a consumer hasn’t interacted with your business for over a year, you must refresh their consent.
  7. Implement a Data Minimization Protocol: Make sure to review annually whether the storage of biometric identifiers, digital or physical photographs, or audio or voice recordings that generate personal data is necessary, adequate, or relevant for the processing purpose.
  8. Establish Guidelines for Profiling: If your business uses automated decision-making, ensure transparency, gain consent, and perform data protection assessments. In addition, consumers must be allowed to opt out of profiling based on solely automated processing or human-reviewed automated processing.
  9. Prepare for Universal Opt-Out Mechanisms: The Colorado State Department of Law will release an approved public list of Universal Opt-Out Mechanisms by January 1, 2024. Ensure your technical systems are ready to implement these mechanisms when they become available.
  10. Review Your Loyalty Programs: If you offer loyalty programs, you need to comply with the CPA’s unique regulations regarding these. Make sure to disclose certain information, like categories of personal data collected, third parties receiving the data, loyalty program partners, and benefits provided by each partner.
  11. Establish a Framework for Data Protection Assessments: The CPA Rules give comprehensive guidance on performing data protection assessments. Your assessment team should include internal stakeholders and any necessary external parties. The assessment should address the nature, purpose, scope, risks, and governance relating to the processing of personal data.
  12. Adopt a Method for Exercising Consumer Rights: Your business must clearly outline the rights available to Colorado consumers and how to exercise
  13. these rights. In cases where a consumer submits multiple requests, prioritize completing the opt-out before any other consumer data privacy rights request.
  14. Ensure the Right of Access: Controllers are required to furnish all the specific pieces of personal data collected about a consumer when a request for access is made. This includes final profiling decisions, inferences, derivative data, marketing profiles, and other personal data that the controller has created, which can be linked to an identifiable individual.
  15. Establish a System for Privacy Policy Change Notifications: In the event of any material changes to your privacy notice, the CPA Rules require that you notify consumers in a manner consistent with how you regularly interact with them. Changes to the categories of personal data processed, processing purposes, your business’s identity, practices of sharing personal data with third parties, or the methods by which consumers may exercise their data rights requests, among other things, are considered material changes.

How CHEQ Can Help

The CPA is just one in a series of state-level and international laws that bring new rights to consumers as well as new responsibilities—and penalties— for businesses and marketers. CHEQ now offers organizations a solution to help build a fully compliant website and simplify compliance with the Colorado Privacy Act, as well as the CCPA, CDPA, and GDPR.

With Privacy by CHEQ, you can geo-target opt-out of sale links for Colorado consumers and give your customers a clear-cut choice on how their data is used or whether it is collected. And our low-code, zero-integration deployment means Privacy is easy to use and does not rely on integrations or APIs for compliance. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.

Schedule a demo today to learn how CHEQ can help simply consent and compliance.


Latest Posts

Ready to secure your
Go-to-Market efforts?

Get started