All You Need to Know About the New Colorado Privacy Act

The state of Colorado passed the Colorado Privacy Act (CPA) on June 8, 2021, getting a step closer to becoming the third US state (after California and Virginia) to have its own privacy law. After being signed by the Governor, the law will go into effect in 2023.


Companies already complying with CCPA, GDPR, etc., will be better positioned to adapt to the Colorado Privacy Act. Despite its similarities with existing laws, the CPA also contains notable differences, including its definition of "sensitive data" and the scope of its exemptions. A well-thought-out plan will help organizations satisfy CPA’s unique provisions without disrupting existing business operations.


The act will provide greater control to Colorado citizens over their personal data while bringing accountability to data controllers and processors. The CPA has also drawn criticism from privacy advocates due to the lack of a private right of action, which allows consumers to seek legal action under certain circumstances.




How can you be prepared for CPA?

First of all, you need to understand who falls under the purview of the Colorado Privacy Act. The bill applies to controllers that do business or provide products or services targeted towards Colorado residents and that either:

  1. collect personal data from 100,000 Colorado residents every year; or

  2. collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data

The CPA defines a “consumer” as “an individual who is a Colorado resident acting only in an individual or household context”, excluding any individual acting in a commercial or employment context.

Businesses that already have their data regulated by federal law are also exempt from the bill. For instance, entities that collect, store, and process protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) are not covered under the CPA. Similarly, it does not extend to personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA).

Personal data and sensitive data

The CPA has a relatively broad definition of “personal data.” It defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” This excludes anonymized and publicly available information.


While defining publicly available information, apart from the information found in government records, the CPA also covers “information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public or widely distributed media; and information made available to the general public by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” This includes information found on social media profiles.


This definition of publicly available information is much more extensive than the one found in CCPA, which is expected to be broadened before implementation.


Another distinction of the bill is its definition of “sensitive data” and its difference from that of California’s CCPA and CPRA. The CPA has defined “sensitive data” as personal data disclosing racial or ethnic identity, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship status; genetic or biometric data processed for identification purposes; or personal data of a child.


The CPA mandates controllers to obtain the consumer’s opt-in consent prior to processing their sensitive data. While this requirement is similar to the VCDPA, organizations will need to be extra cautious regarding the details in the CPA. Consent needs to be affirmative and cannot be ambiguous.


Controllers and processors

The Colorado Privacy Act defines a controller as a person that (independently or jointly with others) establishes the purpose and manner of processing personal data, while a processor is a person processing the personal data on behalf of the controller.

The bill requires data controllers and processors to be bound by data processing agreements for the purpose of transferring personal data. These agreements must lay out the necessary limitations and security procedures to protect the personal data being transmitted.

Data controllers will also be required to conduct data protection assessments before carrying out any kind of data processing that poses a higher risk to the consumer. This includes processing personal data for targeted advertising or profiling, sale of personal data, and processing sensitive data.

The data controllers must provide the consumers with a privacy notice regarding the purpose of data collection, categories of personal data being collected, data being shared with third parties, the procedure for consumers to exercise their rights, and the sale or use of personal data for targeted advertisement.

Other obligations to be fulfilled by the data controllers are:

  • Purpose: Describe the express purposes for which personal data is collected and processed

  • Data Minimization: Limit the collection of personal data to what is needed in relation to the specified and express purposes for which the data are processed

  • Duty to Avoid Secondary Use: Not process personal data, without the consumer’s consent, for reasons that are unnecessary to or inconsistent with the specified and express purposes for which the personal data is processed

  • Safeguard: Employ measures to secure personal data during both storage and use from unauthorized actions

  • Avoid Unlawful Discrimination: Not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers

Controllers have to process consumer rights requests within 45 days. This time period can be extended by another 45 days with notice. Controllers cannot charge a fee for the first request but may be allowed to charge a fee for subsequent requests within a 12-month period.

Consumer rights

The bill grants these five rights to Colorado residents with respect to personal data held by controllers:

  • Right to opt-out: Consumers can opt out of the processing of their personal data for targeted ads, profiling, or the sale of their personal data

  • Right to data portability: Consumers have the right to obtain their personal data in a portable and readily usable format

  • Right of access: Consumers have the right to access the personal data a company has collected about them

  • Right to correction: Consumers have the right to correct inaccurate personal data collected about them

  • Right to deletion: Consumers have the right to request deletion of their personal data

Apart from the above rights, the CPA has proposed a global privacy control mechanism that would allow Colorado residents to opt out of the processing of their personal data by any website. It is expected to be imposed on July 1, 2024, and could have a dramatic impact on the online business and advertising industry.


How can Meru Data help?

With many states implementing new laws and several more expected to do so, it can be challenging to keep track of the nuances of different regulations, especially if you operate across various regions.


Achieving compliance in such scenarios can get complicated without the right tools and knowledge. Organizations will need a significant amount of time and resources and the right expertise for developing programs that can help them comply with these privacy laws.


Meru’s Data Subject Access Request (DSAR) provides the right tool for your consumers to raise any data-related requests. You can see all the customer requests in a tabular form and take necessary action.


Our system maps what data is stored with respect to a particular individual, gathers all the information, and builds a report based on the gathered information. The response is delivered to the customer in a pre-formatted report detailing the requested information.