It’s a crowd: Colorado joins California and Virginia in passing consumer privacy legislation


By William W. Cheney 

On July 7, 2021, Colorado passed the Colorado Privacy Act (“CPA”), becoming the third state, joining California and Virginia, to enact comprehensive consumer privacy legislation.  The CPA will not go into effect, however, until July 1, 2023.  Moreover, Colorado Governor Jared Polis noted in signing the bill that it “will require clean-up legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill. We encourage those to continue but urge that they strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s position as a top state to do business.”   Thus, the law will likely be subject to changes before the effective date. 

Overview of the CPA 

Who it applies to: The CPA applies to an entity that: 

  • Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and  
  • Satisfies one or both of the following thresholds: 
      • Controls or processes the personal data of 100,000 Colorado residents in a given year; and/or
      • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 Colorado residents or more.

There is no revenue threshold; thus, regardless of the size of the business, the entity will not be subject to the CPA unless the criteria above are met.   

What information is covered: The CPA applies to the entity’s control or processing of “personal data.”  “Personal data” under the CPA is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.”  The definition explicitly excludes “de-identified data or publicly available information.”  “Publicly available information” is defined as information that is “lawfully made available from federal, state, or local government records” or “a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”   

The CPA exempts the processing or controlling of employment records and business-to-business data.  The CPA further contains data-specific exemptions for data subject to certain state and federal laws and regulations, including the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act.   

Consumer rights: The CPA affords consumers, defined as a Colorado resident acting in an individual or household context, the right to:  

  • Opt out of the processing of their personal data;  
  • Access, correct inaccuracies in, or delete their personal data;  
  • Confirm their personal data is being processed; and  
  • Obtain a portable copy of the data (no more than two times per year) to allow for transmission to another entity.  

The right to opt out is afforded to consumers when their personal data is being processed for purposes of targeted advertising, the sale of the data or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”  A controller that sells personal data or engages in targeted ads must provide a clear and conspicuous method to exercise the right to opt out.  By July 2, 2014, such a controller must provide the consumer the ability to exercise their right to opt out through a “user-selected universal opt-out mechanism” to be developed by the Attorney General.   

Requirements for businesses: The CPA specifies obligations for controllers, which are defined as “a person that, alone or jointly with others, determines the purposes for and means of processing personal data.”  The CPA requires controllers to: 

  • Provide consumers with a reasonably accessible, clear and meaningful privacy notice; 
  • Specify the express purposes for which the personal data is being collected and processed;  
  • Ensure the collection of personal data is adequate, relevant, and limited to what is reasonably necessary in relation to the specified purpose for which the data is processed;  
  • Not process personal data for purposes that are not reasonably necessary to or compatible with the specific purposes for which the data is processed, without consent;  
  • Take reasonable measures to secure personal data during both storage and use from unauthorized acquisition; 
  • Avoid unlawful discrimination;  
  • Process sensitive data only with consent [sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical condition, sex life or sexual orientation or citizenship]; and 
  • Complete and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers, weighing the benefits that flow from the processing against the potential risks to the rights of the consumer and making the results available to the Attorney General upon request.   

The CPA also creates obligations for processors, which are defined as a person that processes personal data on behalf of a controller.   The CPA requires processors to: 

  • Adhere to the instructions of the controller and assist the controller in meeting its obligations by:  
      • Taking appropriate technical and organizational measures to respond to consumer requests to exercise their rights under the CPA;
      • Helping to meet the controller’s obligation in relation to the security of processing of the personal data and the notification of a breach of security of the system; and
      • Providing information to the controller necessary for data protection assessments;
  • Ensure each person processing personal data is subject to a duty of confidentiality;  
  • Engage a subcontractor only after providing the controller with an opportunity to object and requiring through a written contract that the subcontractor meet the processor’s obligations with respect to personal data;  
  • Along with the controller, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of responsibilities between them;   
  • Enter into a contract respecting processing with the controller that binds both parties and sets out (1) processing instructions, (2) the type of personal data subject to processing and duration of processing, and (3) other requirements imposed by the CPA on the processor.  

Enforcement: Enforcement of the CPA is exclusively through the Attorney General or District Attorneys.  The CPA explicitly provides that it offers no private right of action to consumers. Prior to any enforcement action, if cure of the noncompliant action is deemed possible, the Attorney General or District Attorneys must issue a notice of violation to a controller permitting 60 days to cure. If the controller fails to cure, or if a cure is deemed impossible, the Attorney General or District Attorneys can bring an enforcement action, including seeking an injunction to enjoin a violation.   Any violation of the CPA is deemed a deceptive trade practice for purposes of the Colorado Consumer Protection Act and could result in a $20,000 fine per violation.  The requirement of a notice to cure sunsets as of January 1, 2025.   
