Iubenda logo
Start generating


Table of Contents

Colorado Privacy Act (CPA)

Went into effect July 1, 2023, Colorado will join California (CCPA), and Virginia (VCDP). with comprehensive data privacy laws, as it rolls out its new Colorado Privacy Act (CPA). Following shortly are Utah (UCPA), and, Connecticut (CTDPA).

⏰ Short on time? Jump to what you need to do to prepare for the CPA →

Overview of the Colorado Privacy Act

The Colorado Privacy Act (CPA) is a state-level privacy law that was signed into law in July 2021 and, took effect on July 1, 2023. The CPA is designed to protect the privacy rights of Colorado residents by regulating how businesses collect, process, and store personal data. 

Under the CPA, businesses must disclose their data collection practices, obtain consumers’ consent to process sensitive personal data, and provide consumers with the right, among others, to access, delete, or correct their personal data. 

The CPA also mandates that businesses implement reasonable data security measures to protect personal data and imposes penalties for non-compliance. Overall, the CPA brings Colorado in line with other states that have enacted comprehensive privacy legislation.

🔎 Keep reading to learn more about the upcoming changes in Utah, or jump to what you need to do to prepare for the CPA → 

What is considered personal data under the CPA?

Under the CPA, “personal data” is defined as information that is linked or reasonably linkable to an identified or identifiable individual. This refers to any information that can be used to identify an individual, either on its own or in combination with other information. However, de-identified data or publicly available information are excluded from the definition of personal data under the CPA.

Will You Be Affected by the Colorado Privacy Act (CPA)?

The CPA applies to controllers that conduct business in Colorado or intentionally target Colorado residents with commercial products or services, and:

  • control or process the personal data of 100,000 consumers or more during a calendar year; or 
  • derive revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more.

*Sale → means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. 

Privacy Policy under the CPA

Specifically, the CPA requires you to provide a privacy notice that includes the following information:

  1. Categories of personal data collected or processed.
  2. Purposes for which the categories of personal data are processed.
  3. How and where consumers can exercise their rights, including the contact information and how to appeal a controller’s action with regard to a consumer’s request.
  4. Categories of personal data that are shared with third parties, if any;
  5. Categories of third parties with whom the personal data are shared, if any.

If you sell personal data to third parties or processes personal data for targeted advertising, you must disclose the sale or processing and provide a clear and conspicuous method for consumers to opt out of the sale or processing.

🚀 Did you know?

iubenda’s Privacy and Cookie Policy Generator allows you to add all currently required US state-level privacy disclosures in one simple click!

Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.

👉 Easily create your privacy policy for the upcoming CPA →

Consumer rights under the CPA

Under the CPA, consumers have the right to:

  • opt-out of the processing of personal data for targeted advertising, sale and certain profiling; and 
  • access, correct, delete, and obtain their personal data in a portable manner. 

Consumers can invoke and exercise their rights granted under the CPA at any time by submitting requests in accordance with the methods indicated in your privacy notice.

You will have 45 days to respond to any user requests, and you will also have additional responsibilities, including respecting user-selected universal opt-outs.

Sensitive Data under the CPA

Under the Consumer Privacy Act (CPA), “Sensitive data” is defined as personal data that reveals specific categories of information about an individual, including their: 

  1. racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship, or citizenship status;
  2. genetic or biometric data that may be used to uniquely identify them; and
  3. personal data from a known child.

The Act also imposes restrictions on the processing of sensitive data. You may process sensitive data only if the consumer (or a child’s parent or legal guardian, if the personal data regards a known child) has given explicit consent.

⚠️ If you are processing sensitive data, you must take reasonable measures to protect the confidentiality, integrity, and availability of the sensitive data.

Under the CPA, there are no indications that opt-out links enabling consumers to opt-out of the processing of personal data for certain purposes are required. However, if you are processing personal data for targeted advertising or sale, you are required to provide a clear and conspicuous method for consumers to exercise their right to opt out.

This method must be clearly and conspicuously described in the privacy notice and must be readily accessible outside the privacy notice. 

Effective July 1, 2024, you must allow consumers to exercise their right to opt out through a user-selected universal opt-out mechanism.

How to prepare for the Colorado Privacy Act (CPA)

The Colorado Privacy Act will have significant implications for businesses operating in Colorado, requiring them to implement specific privacy measures and comply with a range of new regulations. 

✅ To prepare for the CPA, take the following steps:
  1. Determine whether the CPA applies to your business based on the criteria outlined in the act.
  2. Conduct a comprehensive data inventory to identify what personal data is collected, processed, and stored.
  3. Update your privacy policy to comply with the CPA’s requirements.
  4. Establish a process for responding to data subject requests, including the right to access, delete, and correct personal data.
  5. By July 1, 2024, ensure that you have established an opt-out preference signal mechanism to allow consumers to opt-out of the processing of their personal data for targeted advertising or sale.

Colorado Privacy Act took effect on July 1, 2023

Get Prepared Now