The Colorado Privacy Act (CPA) explained: Everything businesses need to know

Batja Huisman
May 26, 2022

The new Colorado Privacy Act (CPA) is stirring up quite a buzz. On July 8, 2021, Jared Polis signed the CPA into law, making Colorado the third state to enact a comprehensive privacy law. The CPA will be enforced from July 1, 2023, and applies broadly to businesses operating in Colorado. The law imposes several new obligations on companies doing business in Colorado concerning the handling of consumers’ data. Learn more about the new law and what it means for your business.

CPA’s Main Data Rights

The Colorado Privacy Act grants a set of data rights to Coloradans with regard to personal data, including:

  • The right to opt out: The right to opt out of having personal data processed for targeted advertising and the sale of personal information.
  • The right to access data: Consumers have the right to access any personal data held about them if they request it.
  • The right to rectify data: Consumers are entitled to have their data corrected if they find any inaccuracies.
  • The right to delete data: The right to have their data deleted at any time.
  • The right to data portability: A consumer has the right to request that their data be transferred to a different company, at most twice in 12 months.

Notes to Consider About CPA Compliance:

The businesses obligated to comply:

  1. This law applies to any company that conducts business in Colorado and processes the personal data of 100,000 or more Colorado consumers in a year.
  2. The Colorado Privacy Act also applies to businesses that deliver products or services targeting Coloradans if they derive a portion of their revenue from the sale of personal data and control the data of 25,000 or more consumers.

Exemptions to the act:

Financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA), COPPA-compliant entities, national securities associations, and air carriers are all exempted from the scope of the CPA. Customer data held by public utilities or authorities, or collected and maintained by a Colorado institution of higher education, falls under a legal exemption if the personal data is processed according to federal or state law.

Penalties for non-compliance:

Companies that are noncompliant with the CPA are liable to a civil penalty of up to $2,000, and also face a maximum potential penalty of $500,000 for other related violations.

The cure period:

In the event of a breach, the controller has 60 days to resolve the issue before being subject to legal action.

CCPA and VCDPA vs. CPA: How the Laws Compare

Several US states have passed comprehensive privacy laws. Among them is Colorado, the third state to do so, as noted earlier.

  • Forms of data the acts cover: The CCPA (California Consumer Privacy Act), the VCDPA (Virginia Consumer Data Protection Act), and the CPA all cover personally identifiable data. None of the three applies to publicly available information.
  • Opt-out mechanism: All three laws ensure that their state’s consumers can opt out, have their data deleted from a company’s database, or decline further use of their data. The new CPA requires that a universal opt-out option be in place by July 1, 2024. However, both the CCPA and the VCDPA permit multiple mechanisms for users to opt out completely.
  • Data minimization: While the CCPA does not dictate data minimization, controllers subject to the CPA and the VCDPA are required to limit data collection to what is relevant.
  • The cure periods: There are a few differences in how to comply with and respond to privacy requests between the three states. All three acts set a 45-day time frame for responding to consumers’ requests. But the Colorado Privacy Act has a 60-day “cure period” to address stated violations. This is twice as long as the CCPA (California Consumer Privacy Act) and the VCDPA (Virginia Consumer Data Protection Act), which both have 30-day cure periods.
  • Private right of action: Regarding the consumers’ private right of action, the CCPA allows users to enforce their rights themselves, while the VCDPA and the CPA do not give users a private right of action.

How to Prepare and Handle Personal Data Under the CPA

Here are some steps businesses can take toward privacy rights fulfillment to comply with Colorado’s new privacy act:

  • Inform your customers: A single firewall won’t suffice for data privacy compliance. Businesses in Colorado will need to develop a holistic approach to stay compliant. Furthermore, companies must have a working strategy in place not just to collect personal data but also to let customers know if that information will be sold or disclosed for other business-related reasons.
  • Establish some barriers: To be compliant with both new and current privacy regulations, businesses must have a clear understanding of the data they take in and make sure only the right people have access to it. Companies need to know what types of customer data are being collected and be careful about how it is stored, making data mapping capabilities a fundamental part of the privacy program.
  • Regular data audits: Companies must regularly undertake data audits, privacy policy reviews, and risk assessments. It is best to appoint a data protection officer or consult qualified legal counsel.
  • Consent management: Companies in e-commerce or other online spaces can protect themselves against enforcement action by adopting a consent management system. Such a platform can check whether the visitors to their website have given consent where it is required.
  • Handle data correction: To stay compliant with the CPA and give data subjects access to the privacy rights they are entitled to, organizations will need to set up a system that handles correction, verification, and deletion requests.

Why Companies Must Pay Attention to Privacy Acts

In recent years, American states have been passing privacy legislation that varies from state to state. For instance, California has enacted the CCPA, Virginia follows the same framework with the VCDPA, Colorado enacted the CPA, and Utah became the fourth state to adopt a privacy act, the UCPA. On May 10, 2022, Connecticut’s Governor signed “An Act Concerning Personal Data Privacy and Online Monitoring.” Many countries are also implementing GDPR-like data protection frameworks to ensure the safety of data subjects’ personal information. For instance, China’s Personal Information Protection Law was enacted in 2021. These laws across nations and states are built on the same core principles.

There are many new rules affecting businesses both within the state and across borders, which means there is a higher chance of failing to meet some regulatory requirement. While it may be challenging to keep track of them all, constant vigilance is required. Hence, up-to-date data mapping is crucial for compliance with present-day data privacy acts such as the GDPR in the EU and the CPA in the US.

Data protection will only grow in importance with increased regulation and consumer awareness. When personal information is compromised, this can lead to both legal consequences and damage to a brand’s reputation. Therefore, companies should be mindful of the privacy acts their business operates under and take the necessary steps to be ready.

Companies can do this effectively by implementing data privacy management technologies like Mine PrivacyOps, which make managing and automating a company’s privacy workflow easier.