What you should know about the Colorado Privacy Act (CPA)

Travis Good
July 27, 2021

What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act, or CPA, is new legislation passed by the Colorado State Government this year. It requires certain companies (criteria below) to comply with standards surrounding the controlling, storage, processing, and maintenance of personally identifiable information (PII), whether in written or electronic format. Companies must also take reasonable steps to protect consumer data and notify people of breaches that affect their PII.

The new legislation is similar to other state privacy laws like the CCPA in California and the CDPA in Virginia. Without a clear path to federal privacy regulation, the passing of the CPA continues the expansion of privacy regulation to more and more states.

The post below details everything that you need to know about the Colorado Privacy Act.

When Does the Colorado Privacy Act Start?

The Colorado Senate passed the CPA on June 8, 2021, under SB21-190. Governor Jared Polis signed the Act into law on July 8, 2021. Colorado is the third state to pass stringent consumer privacy laws, behind California and Virginia.

While the Colorado senate passed the CPA in 2021, compliance enforcement doesn’t begin until July 1, 2023. Governor Polis also emphasized that there are still areas for improvement, including balancing reasonable privacy standards that don’t stifle innovation.

Who Must Comply?

The CPA applies to companies, called covered entities, that engage in Colorado commerce and have Colorado residents as customers.

Colorado laws further define a covered entity as one who also:

  1. Controls or processes personal data of 100,000 Colorado consumers or more, OR
  2. Profits from personal data sales and controls or processes personal data of 25,000 Colorado consumers or more

Conducting business in Colorado doesn’t require that your company be physically located within the state.

CPA Compliance Example

Still wondering about who must comply with the CPA? Here is an example of how Colorado determines if you are a covered entity:

  • Zenith Apps Inc. operates from its office in Seattle, Washington
  • They offer a hiking app that collects consumer data from 90,000 Colorado residents
  • Zenith doesn’t need to comply with CPA at the moment
  • However, once Zenith hits the 100,000 Colorado resident mark, they must comply with CPA
  • The company should start planning their future compliance measures

Like Zenith, companies looking at future compliance should consider their options now since there are penalties for non-compliance. Getting a jumpstart on the process also ensures that you take a measured, methodical approach, which is particularly helpful when dealing with large databases storing multiple data types. In a world with multiple privacy regulations protecting residents in different geographies, this is not an easy task.

What Businesses Are Exempt from the CPA?

Colorado laws specify that certain businesses are exempt from the Colorado Privacy Act. Companies exempt from the CPA include the following types:

  • Air carriers
  • Children’s Online Privacy Protection Act covered entities
  • Colorado government entities
  • Fair Credit Reporting Act covered entities
  • Family Educational Rights and Privacy Act covered entities
  • Gramm-Leach-Bliley Act covered entities
  • Higher education institutions
  • HIPAA covered entities

The most significant difference between the CPA and measures passed in other states relates to non-profit organizations. Unlike California and Virginia, the CPA will apply to charitable organizations that meet the above thresholds.

What Information Is Protected Under the CPA?

Information protected under the CPA includes personally identifiable information (PII). PII is data that could potentially reveal the identity of the consumer. The protections of the CPA apply to both physical and digital records.

Examples of PII include:

  • Biometric data
  • Credit or debit card numbers
  • Driver’s license numbers
  • Email addresses
  • Employer information
  • Financial information
  • Health insurance identification number
  • Home or work addresses
  • License plate numbers
  • Medical information
  • Military identification numbers
  • Passport identification numbers
  • Passwords
  • Social Security number
  • Student identification numbers
  • Telephone numbers
  • Usernames
  • Other data

It’s also worth noting that PII doesn’t include information made available to the public lawfully. This information could consist of government documents or popular media. If you have legal questions about data, it’s always safer to err on the side of caution and assume the data is PII.

Colorado Consumer Rights under CPA

Just like GDPR and other state-based privacy laws, the CPA grants Colorado residents certain rights over their personal data.

  1. Right of access.
  2. Right to correction.
  3. Right to delete.
  4. Right to data portability.
  5. Right to opt out.
  6. Right to appeal.

Companies need to provide a clear means and process for consumers to exercise the above rights.

Your Obligations under CPA

Your obligations under the CPA are very similar to those under other state privacy regulations.

  • Duty of transparency
  • Duty of purpose specification
  • Duty of data minimization
  • Duty to avoid secondary use
  • Duty of care
  • Duty to avoid unlawful discrimination
  • Duty regarding sensitive data
  • Data protection assessment
  • Data processing contracts

What Are the Penalties for CPA Non-Compliance?

The Colorado Attorney General’s Office enforces the CPA. If they discover a CPA violation, then they will issue the covered entity a notice, which contains an option to remedy the situation. The entity has up to sixty (60) days upon receipt to cure the violation.

These are the penalties for non-compliance with the CPA once the sixty-day cure period has elapsed:

  • Up to $2,000 per violation
  • Up to $500,000 for related violations

Colorado classifies a CPA violation as a deceptive trade practice. Deceptive trade practices can lead to criminal charges. Your company will want to avoid CPA violations at all costs to ensure that you can continue conducting business within the state.

3 Components of the Colorado Consumer Privacy Laws

Colorado already has general privacy laws in place. However, they don’t address the specific and unique needs of digital information and its use within Colorado commerce. The CPA handles that issue and expands upon it.

The three components of the Colorado consumer privacy laws are:

  • Component 1. Disposal: Entities must take specific steps when disposing of PII. This component also requires that they not retain the information for longer than necessary.
  • Component 2. Protection: Entities must take reasonable security measures to protect consumer data. What counts as reasonable depends on company size and industry.
  • Component 3. Notification: Entities must also notify consumers if a data breach occurs. Examples of security breaches include ransomware attacks, misplaced storage devices, and more.

How to get ready for the CPA

Covered entities have until July 1, 2023 to make the necessary changes to how they control and process consumer data. However, you should avoid waiting until the last minute to address compliance, especially when large amounts of data are involved. The CPA and associated laws are still developing, so it is essential to strike the right balance between data integrity and security in the interim.

The most practical way to address CPA compliance is by working with legal, financial, and technology experts for a complete result. Ensuring your employees know about CPA is also important as they may have to field data rights requests.