The Colorado Privacy Act (CPA) will become effective from July 1, 2023.

If you do business in Colorado or target its residents to sell products or offer services, you may need to start actively taking steps to comply with the state's privacy act.

One very important obligation the CPA imposes on businesses is transparency, and the best way to demonstrate this is by having a clear and comprehensive Privacy Policy published on your website.

Moreover, a Privacy Policy is mandatory under many privacy regulations, and the CPA is no exception.

This article will walk you through what the CPA is all about, and how you can draft a Privacy Policy to comply with its requirements. We've also put together a Sample CPA Privacy Policy Template that you can use to help write your own.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option, the App option, or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act is recently enacted legislation that protects the privacy rights of Colorado residents and imposes certain responsibilities on organizations doing business in the state.

The act was signed into law by Colorado's governor, Jared Polis, on July 7th, 2021, making Colorado the third U.S. state to pass a comprehensive data privacy law.

The CPA's provisions are reminiscent of those found in other prominent privacy laws such as the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (VCDPA), and (partly) the EU's General Data Protection Regulation (GDPR).

So, if you already comply with any of these laws, you may not need to go above and beyond to ensure CPA compliance, as you should already meet most of its requirements.

That being said, you need to assess your website/app Privacy Policy and, if necessary, update it to satisfy the requirements of the CPA.

If you don't currently have a Privacy Policy, you need to get one written before the law takes full effect by July 2023.

Having a prominently displayed Privacy Policy that clearly summarizes all essential information required under the law will play a huge role in helping you comply with Colorado's new act.

Before we look at the components of a CPA-compliant Privacy Policy, it's important to understand who has to comply with the CPA and how the law defines certain terms.

Who Does the Colorado Privacy Act Apply to?

One of the first things to take note of is that the CPA can apply to businesses that are based outside of Colorado as long as they process the personal data of Colorado residents.

More specifically, the CPA applies to organizations that do business in Colorado or sell products or services that target its residents, and that also meet either of the following thresholds:

  • Control or process the personal data of at least 100,000 consumers annually, or
  • Derive revenue or receive discounts from selling personal data and control or process the personal data of at least 25,000 consumers

Who is a Consumer Under the CPA?

The CPA defines a consumer as "an individual who is a resident of Colorado acting only in an individual or household context."

Note that the law explicitly excludes individuals acting in a commercial or employment context.

What is Personal Data?

Like other privacy laws, the CPA defines personal data as any "information that is linked or reasonably linkable to an identified or identifiable individual."

Based on this definition, personal data may include an individual's name, email address, phone number, credit card details, IP address, identification number, and so on.

Exceptions to this definition include:

  • Data that has been de-identified (i.e., stripped of all personally identifiable information or direct identifiers)
  • Publicly available information

What is Sensitive Data Under the CPA?

Under the CPA, sensitive data refers to a distinct category of personal data that is considered confidential, and which you must take appropriate measures to protect.

It includes the following:

  • Any data revealing racial or ethnic origin
  • Sexual orientation
  • Religious beliefs
  • Physical or mental health diagnosis
  • Citizenship standing
  • Biometric or genetic data
  • Personal data obtained from a known child

What is Consent Under the CPA?

According to the CPA, consent means "a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement."

Keep in mind that consent may be a written statement provided through an electronic means or another clear, affirmative action that confirms a consumer's agreement with your processing activities.

Colorado's law requires businesses to obtain explicit consent from consumers before processing their sensitive data.

Now that we understand what the CPA is all about and who it applies to, let's take a look at the Privacy Policy requirements of the law.

Colorado Privacy Act Privacy Policy Requirements

The CPA provides specific requirements about the information you must disclose in your Privacy Policy.

So, if the law applies to your business, then you need to update your Privacy Policy to include the following information:

  • The categories of personal data you collect or process
  • The purpose(s) for which you process personal data
  • How and where consumers may exercise their privacy rights
  • Your company's contact information
  • How consumers can appeal your decisions regarding their requests
  • The categories of personal data you share with third parties (if any)
  • The categories of third parties (if any) with whom you share personal data
  • Your sale or processing of personal data (if applicable) and how consumers can exercise their right to opt out

It's not enough to merely list out this information in your Privacy Policy. You need to also observe the following best practices to fully comply with the CPA:

  • Make sure your Privacy Policy does not contain legalese or technical jargon but is written in simple, easy-to-understand language. A good and helpful practice is to use well-structured clauses identified by clearly descriptive headlines.
  • Be as detailed as possible when writing the individual clauses in your Privacy Policy. This not only shows customers that you respect their privacy but also helps you stay ahead of potential liability.
  • Ensure your Privacy Policy is conspicuously positioned and easily accessible on your website. You should also provide links to your Privacy Policy agreement in prominent places on your website.

Now that we've seen the requirements of a CPA-compliant Privacy Policy, we're going to look at the individual clauses you must include in your policy to avoid violating the law.

What Clauses Should You Include in Your CPA Privacy Policy?

A Privacy Policy that complies with the CPA's provisions must be clear, well-structured, and include specific clauses laid down by the law.

What this means for you is that you need to review your existing privacy and data protection practices to make sure they meet the standards set by the CPA.

In essence, your Privacy Policy must include the following clauses.

What Type of Personal Data You Collect or Process

Letting consumers know exactly what type of data you collect or process is an essential requirement under the CPA and many other privacy laws.

It not only helps promote transparency for your business but is one of the privacy rights of consumers under the law.

Most websites break this section of their Privacy Policy into subcategories, such as "data you provide to us," "data collected automatically by our website," "data gathered from other sources," and so on.

Although it's not required, breaking down this clause can help keep things clean and organized. Lastly, remember that the more details you provide, the better.

Here's a good example from Amazon:

Amazon Privacy Notice: What personal information about customers does Amazon collect clause

Electronic Arts provides a similar description in its Privacy Policy and, further down, lists the specific categories of data it processes:

Electronic Arts Privacy and Cookie Policy: Categories of Personal Information Processed clause

Why You Process Personal Data

After disclosing the categories of personal data you collect or process, the natural next step is to explain in detail why you process that data.

Different websites use data for different reasons. In most cases, personal data is used for product or service delivery, website optimization, product enhancement, marketing and advertising, and so on.

You may have other reasons for processing data. Just make sure you disclose them all in your Privacy Policy.

Century21 does this well in its Privacy Notice as shown below:

Century21 Privacy Notice: Use of Personal Information clause

How Consumers Can Exercise Their Rights

Under the CPA, consumers have several privacy rights that give them more control over how their personal data is used. Briefly, these rights include the following:

  • Right to opt out: Consumers have the right to opt out of the sale of their data, targeted advertising, and profiling
  • Right of access: Consumers have the right to confirm if their data is being processed and then gain access to the data
  • Right to correction: Consumers have the right to correct any inaccurate information in their data
  • Right to deletion: Consumers have the right to request that you delete their data
  • Right to data portability: Consumers have the right to obtain a copy of their data in a readily usable form and transfer it to a third party without hindrance
  • Right to appeal: Consumers have the right to appeal your actions regarding their requests

Note that the CPA requires you to address these rights in your Privacy Policy and clearly explain how consumers can exercise them.

Here's a good description from Spotify's Privacy Policy:

Spotify Privacy Policy: Your personal data rights and controls clause

Further down, Spotify provides explicit instructions about how consumers can exercise their rights, as shown below:

Spotify Privacy Policy: How to exercise your rights with Spotify clause

Who You Share Personal Data With

To comply with the CPA, your Privacy Policy must explain what category of data you share with third parties as well as what category of third parties you share data with.

Keep in mind that you don't have to name each third party individually. An overall description or classification by industry will do the job nicely.

For example, here's how Sharp explains the category of third parties with whom it shares personal data:

Sharp Global Website Privacy Policy: Who has access to your personal data clause

Sale or Processing of Personal Data and Opt Out Rights

If your company sells personal data to third parties or processes data for targeted advertising, you need to clearly and prominently disclose this information in your Privacy Policy.

Even if you don't sell personal data, it's considered a good practice to let consumers know in your Privacy Policy, like Deloitte does here:

Deloitte Privacy Notice: Selling of information clause

Furthermore, the CPA requires you to provide clear instructions on how consumers can exercise their right to opt out of any sale or processing of their data.

Here's how EY does this in its Privacy Statement:

EY Privacy Statement: Your rights in relation to personal data clause

Your Contact Information

Finally, your Privacy Policy must include a contact information clause that lets consumers know how they can reach you to discuss matters relating to their personal data and your use thereof.

It's considered a best practice to provide more than one way for consumers to contact you, like Century21 does here:

Century21 Privacy Notice: Contact Us clause

Now that we're clear on what clauses should go into a CPA-compliant Privacy Policy, let's take a look at how you can make your agreement legally binding and where you can display it on your website.

How to Display and Get Consent for Your CPA Privacy Policy

Before your Privacy Policy can be considered a legally binding agreement, it must include a means of documenting that consumers have reviewed and consented to its provisions.

A reliable way to do this is to provide links to your Privacy Policy in prominent places on your website and then include an unticked checkbox next to text that says something similar to, "I have read and agree to the terms of the Privacy Policy." In order to move on, consumers have to tick the checkbox to confirm their consent.

Alternatively, you can use a button that says "I Agree" in place of an unticked checkbox to obtain consent for your Privacy Policy.

Here's an example from Vudu's account creation page:

Vudu Create Account form with Agree to Terms and Privacy checkbox highlighted

To make your Privacy Policy agreement easily accessible to consumers or website visitors, you need to provide links to your agreement in prominent places on your website.

Key locations include, but aren't restricted to, the following:

Website Footers

One very common place to include a link to your Privacy Policy is the footer of your website. You can place it alongside other legal agreements, such as your Terms and Conditions.

Here's an example from HelloFresh:

HelloFresh website footer with Privacy Policy link highlighted

Mobile or Desktop In-app Menus

If you have a mobile or desktop app, you should include a link to your Privacy Policy in your in-app menu or settings interface as Netflix does here:

Netflix desktop app menu with Privacy Statement link highlighted

Account Sign-up or Registration Forms

It's important to include a link to your Privacy Policy before having users sign up on your website. This will help draw the attention of users to your policies and allow them to read and agree with your terms before creating an account on your website.

Here's how eBay does this on its account sign-up page:

eBay Create Account form with I agree text highlighted

Email Newsletter Sign-up Forms

Another prominent location to include a link to your Privacy Policy is the email newsletter sign-up form on your website. If you obtain email addresses to send your users promotional emails, you should add a link to your Privacy Policy on the sign-up form.

Here's an example from Business Insider:

Business Insider email newsletter sign-up form with Privacy Policy link highlighted

Checkout Pages

If you sell products or services to consumers online, it's recommended that you add a link to your Privacy Policy on your website's checkout form, like HostGator does here:

HostGator checkout page with agree checkbox - Privacy Policy link highlighted

Summary of a CPA Privacy Policy

Colorado's Privacy Act is similar in many ways to other major U.S. privacy laws. It establishes a framework that gives consumers certain rights and protections for their personal data.

To accomplish this, the CPA lays down specific requirements for businesses trying to comply with its provisions, a major part of which is to provide a Privacy Policy.

Taking things a step further, the law explicitly specifies what clauses should go into a valid Privacy Policy, which makes compliance easier on businesses.

To make sure your Privacy Policy is up to the CPA's standards, remember to include the following clauses:

  • What category of personal or sensitive data you collect
  • Why you collect or process the data
  • How and where consumers can exercise their privacy rights
  • What category of data you share with third parties
  • What category of third parties you share data with
  • How you sell or process personal data and how consumers can opt out
  • Your contact information