Colorado Privacy Act (CPA)

On July 8, 2021, Jared Polis signed into law the CPA, making Colorado the third state to enact a comprehensive privacy law. The CPA will be enforced on July 1, 2023, and applies broadly to businesses operating in Colorado.

CPA’s  Data Rights

  • The right to opt-out: The right to opt-out of having personal data processed for advertisement targeting and sale of personal information.
  • The right to access any data: Consumers have the right to access any personal data if they request it.
  • The right to rectify data: Consumers are entitled to have their data corrected if they find any inaccuracies.
  • The right to delete data: The right to delete their data at any time.
  • The right to data portability: A consumer has the right to request that their data be transferred to a different company at most twice in 12 months.

The Businesses obligated to comply:

This law applies to any company that conducts business in Colorado and processes personal data of 100,000 Colorado consumers or more in a year.

The Colorado Privacy Act applies to businesses that deliver products or services that target Coloradans if they derive a portion of profits from the sale of personal data and control the data of 25,000 or more consumers.

Exemptions to the act:

Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), COPPA-compliant entities, national securities associations, and air carriers are exempted from the scope of CPA. Customers’ data at public utilities or authorities or collected and maintained by a Colorado institution of higher education falls under a legal exemption if the personal data is processed according to federal or state laws.