The Colorado Privacy Act, or CPA, is new legislation passed by the Colorado State Government this year. It requires certain companies (criteria below) to comply with standards surrounding the controlling, storage, processing, and maintenance of personally identifiable information (PII), whether in written or electronic format. Companies must also take reasonable steps to protect consumer data and notify people of breaches that affect their PII.
The new legislation is similar to other state privacy laws, such as the CCPA in California and the CDPA in Virginia. With no clear path to federal privacy regulation, the passing of the CPA continues the expansion of privacy regulations to more and more states.
The post below details everything that you need to know about the Colorado Privacy Act.
The Colorado Senate passed the CPA on June 8, 2021, under SB21-190. Governor Jared Polis signed the Act into law on July 8, 2021. Colorado is the third state to pass stringent consumer privacy laws, behind California and Virginia.
While the Colorado Senate passed the CPA in 2021, compliance enforcement doesn’t begin until July 1, 2023. Governor Polis also emphasized that there are still areas for improvement, including balancing reasonable privacy standards against the need not to stifle innovation.
The CPA applies to companies, called covered entities, that engage in Colorado commerce and have Colorado residents as customers.
Colorado laws further define a covered entity as one who also:
Conducting business in Colorado doesn’t require that your company be physically located within the state.
Still wondering about who must comply with the CPA? Here is an example of how Colorado determines if you are a covered entity:
Like Zenith, companies looking at future compliance should consider their options now since there are penalties for non-compliance. Getting a jumpstart on the process also ensures that you take a measured, methodical approach, which is particularly helpful when dealing with large databases storing multiple data types. In a world with multiple privacy regulations protecting residents in different geographies, this is not an easy task.
Colorado laws specify that certain businesses are exempt from the Colorado Privacy Act. Companies exempt from the CPA include the following types:
The most significant difference between the CPA and measures passed in other states relates to non-profit organizations. Unlike California and Virginia, the CPA will apply to charitable organizations that meet the above thresholds.
Information protected under the CPA includes personally identifiable information (PII). PII is data that could reveal the identity of the consumer. The protections of the CPA apply to both physical and digital records.
Examples of PII include:
It’s also worth noting that PII doesn’t include information that has been lawfully made available to the public. Such information could consist of government documents or popular media. If you have legal questions about a piece of data, it’s always safer to err on the side of caution and treat it as PII.
Just like the GDPR and other state-based privacy laws, the CPA grants Colorado residents certain rights over their personal data.
Companies need to provide a clear means and process for consumers to exercise the above rights.
Your obligations under the CPA are very similar to those under other state privacy regulations.
The Colorado Attorney General’s Office enforces the CPA. If it discovers a CPA violation, it issues the covered entity a notice, which contains an option to remedy the situation. The entity has up to sixty (60) days from receipt to cure the violation.
These are the penalties for non-compliance with the CPA after the notification waiting period:
Colorado classifies a CPA violation as a deceptive trade practice. Deceptive trade practices can lead to criminal charges. Your company will want to avoid CPA violations at all costs to ensure that you can continue conducting business within the state.
Colorado currently has general privacy laws in place. However, they don’t address the specific and unique needs of digital information and its use within Colorado commerce. The CPA addresses that gap and expands upon it.
The three components of the Colorado consumer privacy laws are:
Covered entities have until July 2021 to make the necessary changes to how they control and process consumer data. However, you should avoid waiting until the last minute to address compliance, especially when large volumes of data are involved. The CPA and associated laws are still developing, so it is essential to strike the right balance between data integrity and security in the interim.
The most practical way to address CPA compliance is to work with legal, financial, and technology experts so that nothing is missed. Ensuring your employees know about the CPA is also important, as they may have to field data rights requests.