Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
The Colorado Privacy Act (CPA) will take effect on July 1, 2023.
If you do business in Colorado or target its residents to sell products or offer services, you may need to start actively taking steps to comply with the state's privacy act.
The Colorado Privacy Act is recently enacted legislation that protects the privacy rights of Colorado residents and imposes certain responsibilities on organizations doing business in the state.
The act was signed into law by Colorado's governor, Jared Polis, on July 7, 2021, making Colorado the third U.S. state to pass a comprehensive data privacy law.
The CPA's provisions are reminiscent of those found in other prominent privacy laws such as the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (CDPA), and (partly) the EU's General Data Protection Regulation (GDPR).
So, if you already comply with any of these laws, you may not need to go above and beyond to ensure CPA compliance, as you should already meet most of its requirements.
One of the first things to take note of is that the CPA can apply to businesses that are based outside of Colorado as long as they process the personal data of Colorado residents.
More specifically, the CPA applies to organizations that do business in Colorado or sell products or services targeting its residents, and that also meet either one of the following conditions:
The CPA defines a consumer as "an individual who is a resident of Colorado acting only in an individual or household context."
Note that the law explicitly excludes individuals acting in a commercial or employment context.
Like other privacy laws, the CPA defines personal data as any "information that is linked or reasonably linkable to an identified or identifiable individual."
Based on this definition, personal data may include an individual's name, email address, phone number, credit card details, IP address, identification number, and so on.
Exceptions to this definition include:
Under the CPA, sensitive data refers to a distinct category of personal data that is considered confidential, and which you must take appropriate measures to protect.
It includes the following:
According to the CPA, consent means "a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement."
Keep in mind that consent may be a written statement provided through an electronic means or another clear, affirmative action that confirms a consumer's agreement with your processing activities.
Colorado's law requires businesses to obtain explicit consent from consumers before processing their sensitive data.
What this means for you is that you need to review your existing privacy and data protection practices to make sure they meet the standards set by the CPA.
Letting consumers know exactly what type of data you collect or process is an essential requirement under the CPA and many other privacy laws.
It not only promotes transparency for your business but also satisfies one of the privacy rights consumers hold under the law.
Although it's not required, breaking this clause down into categories can help keep things clear and organized. Lastly, remember that the more detail you provide, the better.
Here's a good example from Amazon:
After disclosing the categories of personal data you collect or process, the natural next step is to explain in detail why you process that data.
Different websites use data for different reasons. In most cases, personal data is used for product or service delivery, website optimization, product enhancement, marketing and advertising, and so on.
Century21 does this well in its Privacy Notice as shown below:
Under the CPA, consumers have several privacy rights that give them more control over how their personal data is used. Briefly, these rights include the following:
Further down, Spotify provides explicit instructions about how consumers can exercise their rights, as shown below:
Keep in mind that you don't have to disclose which third parties you use individually. An overall description or classification by industry will do the job nicely.
For example, here's how Sharp explains the category of third parties with whom it shares personal data:
Furthermore, the CPA requires you to provide clear instructions on how consumers can exercise their right to opt out of any sale or processing of their data.
Here's how EY does this in its Privacy Statement:
It's considered a best practice to provide more than one way for consumers to contact you, like Century21 does here:
Here's an example from Vudu's account creation page:
Key locations include, but aren't restricted to, the following.
Here's an example from HelloFresh:
Here's how eBay does this on its account sign-up page:
Here's an example from Business Insider:
Colorado's Privacy Act is similar in many ways to other major U.S. privacy laws. It establishes a framework that gives consumers certain rights over, and protections for, their personal data.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.