Colorado Privacy Act

The Colorado Privacy Act enhances data control for Colorado residents, contributing to the move towards stronger data protection in the US.


The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and took effect on July 1st, 2023. Colorado became the third state, after California and Virginia, to enact comprehensive data privacy legislation. The CPA aims to give Colorado residents more control over their personal data, adding to the landscape of state-specific privacy laws and highlighting the growing momentum towards stronger data protection across the United States. These laws have raised privacy standards, prompting businesses to review and strengthen their privacy practices and signalling a shift towards greater respect for consumer data privacy.


While the CPA shares similar goals with CCPA and VCDPA, it has some unique features, and businesses operating in Colorado are required to meet these unique compliance requirements.

The CPA is similar to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), but it also has its own unique features. It applies to businesses that either conduct business in Colorado or offer products or services specifically targeted to Colorado residents, and that either control or process the personal data of more than 100,000 consumers per year, or generate revenue from selling personal data and process or control the personal data of at least 25,000 consumers. Like the VCDPA, the CPA has specific provisions for sensitive data, requiring explicit consent before such data is processed. In addition, the CPA goes beyond the original CCPA by giving individuals the right to opt out not only of the sale of their data, but also of targeted advertising and profiling in certain circumstances, much as the CCPA does after its amendment by the California Privacy Rights Act. While these laws share the goal of protecting consumer data, the specifics vary, and compliance with one does not necessarily mean compliance with the others.


Under the CPA, businesses must secure sensitive data, and conduct risk assessments for high-risk processing activities.


Under the CPA, businesses must obtain explicit opt-in consent from consumers before processing sensitive data. Sensitive data is defined to include any personal data that may reveal a person's racial or ethnic origin, religious beliefs, mental or physical health condition, sexual orientation, or citizenship status, genetic or biometric data, and any personal data from a known child. Businesses also have a duty to take measures to secure personal data and prevent unauthorised acquisition. They may not discriminate against consumers for exercising their rights under the CPA, and they must adhere to the data minimisation principle by limiting data collection to what is necessary for the specified purpose for which the data was collected. Businesses are also required to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, selling personal data, profiling, and sensitive data processing. Under the CPA, a processor may only process data under the direct authorization and instruction of a controller. The CPA also requires a controller and processor to define their respective responsibilities and obligations in a legally binding processing agreement, the CPA equivalent of a Data Processing Agreement under the GDPR.


The CPA grants Colorado residents rights over their personal data, requiring businesses to manage customer requests within 45 days or face penalties up to $7,500 per violation.


The CPA provides Colorado residents with several rights over their personal data. These include the right to opt out of data processing, access their data, correct inaccuracies, delete their data, and obtain a portable copy of their data. Businesses are required to respond to these requests within 45 days. Businesses therefore need a system for handling consumer requests that verifies the identity of the requester and responds within the required timeframe. Businesses that violate the CPA can be fined up to $7,500 per violation. In addition, businesses may be subject to other penalties, such as injunctions and cease-and-desist orders. By taking steps to understand and comply with the CPA, businesses can protect themselves from potential penalties and build trust with their customers.

If you are looking to ensure compliance with the CPA or other data protection regulations, Aphaia can help. Our team of experts can provide ad hoc advice to help you achieve compliance and improve your data protection practices. Contact Aphaia today to find out more.
