The Colorado Data Privacy Act (CPA): a game-changer for consumer protection

The Colorado Privacy Act (CPA) is set to transform how businesses handle personal data, ensuring the privacy of Colorado residents. Effective from July 1, 2023, the law imposes strict obligations on businesses to safeguard consumer data. 

The CPA applies to entities that:

  • Conduct business in Colorado or target Colorado residents, and

  • Control or process data of more than 100,000 consumers annually, or

  • Derive revenue from the sale of personal information of at least 25,000 Colorado residents.

By introducing robust measures for data protection, the CPA marks a significant step forward in enhancing consumer privacy and setting a new benchmark for data security across the state.


The importance of consent: key provisions of the CPA

For consent to be valid under the CPA, businesses must obtain explicit consent from consumers before engaging in several data processing activities, and they must secure it through clear and affirmative actions.

This includes processing sensitive data or the personal data of children, selling personal data, using personal data for targeted advertising, profiling (following a consumer's opt-out), and processing personal data for incompatible purposes.

Consent must be freely given, specific, and informed, reflecting an unambiguous agreement from the consumer. Simply put, invalid forms of consent include blanket acceptance of terms, inactivity, pre-ticked boxes, and agreements obtained through deceptive tactics known as Dark Patterns (strategies designed to manipulate users into making unintended decisions). 

Notably, businesses with valid consent obtained before July 1, 2023, can continue processing data but must seek new consent if processing purposes shift to secondary uses. Additionally, controllers can re-seek consent from consumers who previously opted out, and must refresh consent if there has been no interaction with the consumer for over a year. The CPA also introduces universal opt-out mechanisms, which allow consumers to opt out of data processing easily and across multiple platforms - empowering them to manage their privacy effectively.  


How does the Act compare to other State laws?

Data minimization and biometric identifiers

Unlike the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), the CPA specifically addresses the retention of biometric identifiers, photographs, and audio or voice recordings. This means businesses must conduct annual reviews to determine whether the storage of such sensitive data is necessary. This provision is particularly important as the use of biometric data (like fingerprints, facial recognition, and voice patterns) becomes more widespread, potentially outpacing existing regulations.

The Act also puts “de-identified” data outside the scope of “personal data” - namely, data that cannot be reasonably linked to an identified or identifiable individual. However, controllers and processors using de-identified data still may not use that data in a way consumers would not expect, must implement proper safeguards, and must reduce the risk of the data being breached.

Profiling regulations and automated decision-making

The CPA sets detailed guidelines for profiling and automated decision-making, with profiling categorized into three distinct types:

  • Solely Automated Processing: decisions made without any human involvement

  • Human-Reviewed Automated Processing: automated decisions that are subsequently reviewed by a human

  • Human-Involved Automated Processing: decisions involving both automated processes and human judgment

Each category comes with specific requirements to ensure consumers understand and can control how their data is used. This granular approach is crucial as automated decision-making and profiling become more sophisticated and pervasive. For instance, in financial services and healthcare, these technologies can significantly impact consumer experiences and outcomes. These provisions help protect consumers from potential biases and errors in automated systems.


Loyalty programs and data protection assessments

Specific guidance is provided for loyalty programs under the CPA. Businesses must disclose the categories of personal data collected, sold, or processed for targeted advertising, the third parties receiving personal data, and details about bona fide loyalty program partners and their benefits. 

The CPA also offers more prescriptive guidance on data protection assessments than the CCPA and VCDPA. It outlines 13 components that address the nature, purpose, scope, risks, and governance of data processing activities. Controllers must update these assessments when processing risks change significantly and be prepared to produce them within 30 days of a request by the Attorney General.


Implementation and compliance strategies for businesses

The CPA imposes stringent penalties for non-compliance, with civil penalties reaching up to $20,000 per violation, significantly higher than those under the CCPA and VCDPA. Businesses have a 60-day window to cure violations before penalties are enforced, notably differing from other states with 30-day cure periods.

As the Act is still relatively new, its full impact on businesses is not yet understood. However, this should not make businesses complacent. Before the Act, Colorado businesses faced numerous privacy issues - in 2021, reports found that nearly 200 organizations reported data breaches, affecting 1.6 million Colorado residents. These breaches involved sensitive information like health records, passwords, birth dates, and Social Security numbers, highlighting the urgent need for Colorado businesses to step up their compliance efforts.

To comply with the CPA and avoid severe penalties, businesses must prioritize data protection assessments, robust consent mechanisms and regular updates to data processing activities and privacy policies. 


The Colorado Privacy Act marks a major leap forward in data privacy regulation in the US. Its granular focus on newer forms of data collection and automated decision-making makes the Act more forward-thinking than its predecessors and sets a new standard for future laws. The high potential penalties serve as a clear wake-up call for businesses and will push them towards more responsible data management practices. As data privacy evolves, the CPA provides a solid framework for safeguarding personal information in our increasingly digital world.
