Colorado Privacy Act

The Colorado Privacy Act (CPA) is a comprehensive consumer data privacy law passed in July 2021. The CPA, which takes effect on July 1, 2023, regulates the personal information of Colorado residents. Details of the Colorado Privacy Act are provided below.

Who Is Regulated Under the Colorado Privacy Act?

The Colorado Privacy Act regulates certain businesses that the law terms “controllers.” To qualify as a controller, a business must meet two threshold requirements. 

It must:

  • Determine the purposes for and the means of processing personal data
  • Either conduct business in Colorado OR produce or deliver commercial products or services targeted to Colorado residents

Meeting these two requirements alone does not bring a business within the scope of the Colorado Privacy Act. 

A business must meet one or both of the following additional requirements to be considered a covered controller:

  • Control or process the personal data of 100,000 consumers or more during a calendar year
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 consumers or more

The Colorado Privacy Act also regulates processors. The law defines a “processor” as “a person or entity that processes personal data on behalf of a controller.” The processor, in effect, is to the controller as a HIPAA business associate is to a HIPAA covered entity.

What is Personal Data Under the Colorado Privacy Act?

The Colorado Privacy Act regulates the processing and controlling of personal data. The Colorado Privacy Act defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” Like HIPAA protected health information, personal data does not include de-identified information or publicly available information.

The Colorado Privacy Act also protects a particular class of personal data known as “sensitive personal data.” The Colorado Privacy Act defines “sensitive personal data” as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child.”


Colorado Privacy Act and Obligations of Controllers

Under the Colorado Privacy Act, controllers must take the following measures concerning consumer personal data: 

  • Provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that outlines:
    • Categories of personal data collected or processed by the controller or processor(s)
    • The purposes for the processing
    • How consumers can exercise the rights granted to them by the Colorado Privacy Act 
    • The categories of personal data the controller shares with third parties and the third parties with whom the controller shares the personal data
  • Disclose, in a conspicuous manner, any sale of consumer data, and how a consumer may opt out of the sale or processing of personal data.
  • Limit the collection of personal data to what is adequate, relevant, and “reasonably necessary in relation to the specified purposes for which the data are processed.”
  • Take reasonable measures to secure personal data. These measures must be compatible with the data’s scope, volume, and nature. To comply with this requirement, controllers should assess their existing cybersecurity policies, procedures, and controls to e