Effective July 1, 2023, Colorado will join California (CCPA) and Virginia (VCDPA) as a state with a comprehensive data privacy law, as it rolls out its new Colorado Privacy Act (CPA). Following shortly are Utah (UCPA) and Connecticut (CTDPA).
The Colorado Privacy Act (CPA) is a state-level privacy law that was signed into law in July 2021 and is set to take effect on July 1, 2023. The CPA is designed to protect the privacy rights of Colorado residents by regulating how businesses collect, process, and store personal data.
Under the CPA, businesses must disclose their data collection practices, obtain consumers’ consent to process sensitive personal data, and provide consumers with the right, among others, to access, delete, or correct their personal data.
The CPA also mandates that businesses implement reasonable data security measures to protect personal data and imposes penalties for non-compliance. Overall, the CPA brings Colorado in line with other states that have enacted comprehensive privacy legislation.
Under the CPA, “personal data” is defined as information that is linked or reasonably linkable to an identified or identifiable individual. This refers to any information that can be used to identify an individual, either on its own or in combination with other information. However, de-identified data or publicly available information are excluded from the definition of personal data under the CPA.
The CPA applies to controllers that conduct business in Colorado or intentionally target Colorado residents with commercial products or services, and:
*Sale → means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
Specifically, the CPA requires you to provide a privacy notice that includes the following information:
If you sell personal data to third parties or process personal data for targeted advertising, you must disclose the sale or processing and provide a clear and conspicuous method for consumers to opt out of the sale or processing.
Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.
Consumers can invoke and exercise their rights granted under the CPA at any time by submitting requests in accordance with the methods indicated in your privacy notice.
You will have 45 days to respond to any user requests, and you will also have additional responsibilities, including respecting user-selected universal opt-outs.
Under the Colorado Privacy Act (CPA), “sensitive data” is defined as personal data that reveals specific categories of information about an individual, including their:
The Act also imposes restrictions on the processing of sensitive data. You may process sensitive data only if the consumer (or a child’s parent or legal guardian, if the personal data regards a known child) has given explicit consent.
⚠️ If you are processing sensitive data, you must take reasonable measures to protect the confidentiality, integrity, and availability of the sensitive data.
Under the CPA, there is no indication that opt-out links enabling consumers to opt out of the processing of personal data for certain purposes are required. However, if you are processing personal data for targeted advertising or sale, you are required to provide a clear and conspicuous method for consumers to exercise their right to opt out.
This method must be clearly and conspicuously described in the privacy notice and must be readily accessible outside the privacy notice.
Effective July 1, 2024, you must allow consumers to exercise their right to opt out through a user-selected universal opt-out mechanism.
The Colorado Privacy Act will have significant implications for businesses operating in Colorado, requiring them to implement specific privacy measures and comply with a range of new regulations.