
The Upcoming Colorado Law: What you Need to Know

Some important privacy news in Colorado. The Colorado Attorney General’s Office issued a first draft of the Rules implementing the Colorado Privacy Act (CPA) on September 30, 2022, as part of its rule-making powers under the Act. The Rules were then officially published in the Colorado Register on October 10, 2022. 

👀 Here’s what you need to know about the CPA so far.

Colorado Privacy Act (CPA)

🇺🇸 The current privacy landscape in Colorado

Colorado data protection law dates back to July 7th, 2021, when Governor Jared Polis signed the "Protect Personal Data Privacy" bill, the Colorado Privacy Act (CPA), into law. It aims to promote and protect individuals' privacy within Colorado.

The Colorado Privacy Act governs the processing of personal and sensitive data. 

Concerning additional protection of data relating to personal privacy, the act: 

  • specifies the obligations that controllers must meet in relation to sensitive data, consumers exercising their rights, transparency, purpose specification, data minimization, avoiding secondary use, and care;
  • mandates that controllers carry out a data protection assessment for each of their data processing operations involving consumer data that constitute a higher risk of harm, such as processing for the purposes of targeted advertising, profiling, selling personal data, or handling sensitive data; and
  • specifies that for purposes of enforcement, a breach of its criteria constitutes a deceptive trade practice; nonetheless, only the attorney general or district attorneys have the authority to enforce the act.

🔍 Why is the Colorado Privacy Act needed?

The Colorado General Assembly states:


👉 Read the legislative declaration

🆕 About the new Colorado Privacy Act

Under the CPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include the right to opt out of:

  • targeted advertising; 
  • the sale of personal data; and
  • certain types of profiling.

Residents of Colorado also have the right to access, correct, and delete their personal information, as well as the right to data portability.

💡 Under the CPA, Personal data means:

  1. information that is linked or reasonably linkable to an identified or identifiable individual; and 
  2. it does not include de-identified data or publicly available information.

📌 Privacy Policy under the CPA

You are now required to provide your users with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

  • categories of personal data collected or processed by the controller or a processor;
  • purposes for which the categories of personal data are processed;
  • how and where your users may exercise their rights, including your contact information and how your users may appeal an action with regard to their request (this also includes your users’ right to contact the Attorney General in relation to a request/appeal);
  • categories of personal data that you share with third parties, if any; and
  • categories of third parties, if any, with whom you share personal data.

If your organization sells personal data to third parties or processes personal data for targeted advertising, you must clearly and conspicuously disclose the sale or processing.

iubenda’s Privacy and Cookie Policy Generator takes the guesswork out of the game!

We will automatically make your privacy policy compliant with the CPA and other stringent US laws. Simply click Enable disclosures for Users Residing in the United States from within the Generator, and we’ll handle the rest! 

Want to know more about the easy ways iubenda can help comply with the CPA? Click here →

📌 CPA opt-out rights

If you are processing personal data for targeted advertising, sales, or certain profiling, you are required to provide users with a method for them to exercise their right to opt out. 

This must be made available in the privacy notice and, with reference to the processing for targeted advertising and/or sales, in a:

  1. clear;
  2. conspicuous; and 
  3. accessible location outside the privacy notice.

You will have 45 days to respond to any user requests, and you will also have additional responsibilities, including respecting user-selected universal opt-outs.

📌 Universal Mechanisms

If you are processing personal data for targeted advertising and/or sale, you must allow your users to exercise their right to opt out of such processing through a user-selected universal opt-out mechanism.

💡 The requirement to respect the universal mechanism does not take effect until July 1, 2024. Until that date, you can, but are not required to, honor universal opt-out signals.

How can iubenda help you comply with the CPA?

Did you know iubenda’s Privacy Controls and Cookie Solution will auto-configure to meet the most stringent US legal standards? 

👉 Simply choose the regions where you and your users are located, and the solution will do the rest!

Use our Privacy and Cookie Policy Generator to identify services that are active on your website!

👉 Activate US-specific clauses by clicking “Enable disclosures for users residing in the United States.”

The Colorado Privacy Act goes into effect on July 1, 2023. 

Businesses will need to analyze how the obligations of the CPA fit into their compliance plan, alongside their current work to comply with the California Privacy Rights Act (CPRA) modifications to the CCPA.

🎯 Did you know? The CPA incorporates large aspects of the Virginia Consumer Data Protection Act (VCDPA). The VCDPA goes into effect on January 1, 2023, and will affect organizations that do business in Virginia or provide products/services to people in Virginia.

But not to worry! We’ve created a privacy policy checklist for you!
