The Colorado Privacy Act (CPA) takes effect on July 1, 2023.
If you do business in Colorado, or sell products or offer services targeted at Colorado residents, you may need to start taking concrete steps now to comply with the state's privacy law.
- 1. What is the Colorado Privacy Act (CPA)?
- 1.1. Who Does the Colorado Privacy Act Apply to?
- 1.2. Who is a Consumer Under the CPA?
- 1.3. What is Personal Data?
- 1.4. What is Sensitive Data Under the CPA?
- 1.5. What is Consent Under the CPA?
- 3.1. What Type of Personal Data you Collect or Process
- 3.2. Why You Process Personal Data
- 3.3. How Consumers Can Exercise Their Rights
- 3.4. Who you Share Personal Data With
- 3.5. Sale or Processing of Personal Data and Opt Out Rights
- 3.6. Your Contact Information
- 4.1. Website Footers
- 4.2. Mobile or Desktop In-app Menus
- 4.3. Account Sign-up or Registration Forms
- 4.4. Email Newsletter Sign-up Forms
- 4.5. Checkout Pages
What is the Colorado Privacy Act (CPA)?
The Colorado Privacy Act is recently enacted legislation that protects the privacy rights of Colorado residents and imposes certain obligations on organizations doing business in the state.
The act was signed into law by Colorado's governor, Jared Polis, on July 7, 2021, making Colorado the third U.S. state (after California and Virginia) to pass a comprehensive data privacy law.
The CPA's provisions are reminiscent of those found in other prominent privacy laws such as the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (VCDPA), and (partly) the EU's General Data Protection Regulation (GDPR).
So, if you already comply with any of these laws, you may not need to go above and beyond to ensure CPA compliance, as you should already meet most of its requirements.
Who Does the Colorado Privacy Act Apply to?
One of the first things to take note of is that the CPA can apply to businesses that are based outside of Colorado as long as they process the personal data of Colorado residents.
More specifically, the CPA applies to organizations that do business in Colorado, or sell products or services targeted at its residents, and that also meet either one of the following thresholds:
- Control or process the personal data of at least 100,000 consumers in a calendar year, or
- Derive revenue or receive a discount on the price of goods or services from selling personal data, and control or process the personal data of at least 25,000 consumers
Who is a Consumer Under the CPA?
The CPA defines a consumer as "an individual who is a resident of Colorado acting only in an individual or household context."
Note that the law explicitly excludes individuals acting in a commercial or employment context.
What is Personal Data?
Like other privacy laws, the CPA defines personal data as any "information that is linked or reasonably linkable to an identified or identifiable individual."
Based on this definition, personal data may include an individual's name, email address, phone number, credit card details, IP address, identification number, and so on.
Exceptions to this definition include:
- De-identified data (i.e., data that cannot reasonably be used to infer information about, or be linked to, an identified or identifiable individual)
- Publicly available information
What is Sensitive Data Under the CPA?
Under the CPA, sensitive data is a distinct category of personal data that carries a higher risk of harm if misused, and which you must take additional measures to protect (including obtaining consent before processing it).
It includes the following:
- Personal data revealing racial or ethnic origin
- Sex life or sexual orientation
- Religious beliefs
- A mental or physical health condition or diagnosis
- Citizenship or citizenship status
- Genetic or biometric data that may be processed to uniquely identify an individual
- Personal data obtained from a known child
What is Consent Under the CPA?
According to the CPA, consent means "a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement."
Keep in mind that consent may be a written statement provided through an electronic means or another clear, affirmative action that confirms a consumer's agreement with your processing activities.
Colorado's law requires businesses to obtain explicit consent from consumers before processing their sensitive data.
At a minimum, the CPA requires your privacy notice to disclose the following:
- The categories of personal data you collect or process
- The purpose(s) for which you process personal data
- How and where consumers may exercise their privacy rights
- Your company's contact information
- How consumers can appeal your decision on a request
- The categories of personal data you share with third parties (if any)
- The categories of third parties (if any) with whom you share personal data
- Your sale or processing of personal data (if applicable) and how consumers can exercise their right to opt out
What this means for you is that you need to review your existing privacy and data protection practices to make sure they meet the standards set by the CPA.
What Type of Personal Data you Collect or Process
Telling consumers exactly what types of data you collect or process is an essential requirement under the CPA and many other privacy laws.
It not only promotes transparency for your business but also satisfies one of the consumer's rights under the law.
Although it isn't required, breaking this clause down by category helps keep it clean and organized. Remember that the more detail you provide, the better.
Amazon's Privacy Notice is a good example of this.
Why You Process Personal Data
After disclosing the categories of personal data you collect or process, the natural next step is to explain in detail why you process that data.
Different websites use data for different reasons. In most cases, personal data is used for product or service delivery, website optimization, product enhancement, marketing and advertising, and so on.
Century21 does this well in its Privacy Notice.
How Consumers Can Exercise Their Rights
Under the CPA, consumers have several privacy rights that give them more control over how their personal data is used. Briefly, these rights include the following:
- Right to opt out: Consumers have the right to opt out of the sale of their personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects
- Right of access: Consumers have the right to confirm whether their personal data is being processed and to access that data
- Right to correction: Consumers have the right to correct inaccuracies in their personal data
- Right to deletion: Consumers have the right to request that you delete their personal data
- Right to data portability: Consumers have the right to obtain a copy of their personal data in a portable and readily usable format and to transfer it to another entity without hindrance
- Right to appeal: Consumers have the right to appeal your refusal to act on a request
Spotify's Privacy Policy gives explicit instructions on how consumers can exercise their rights.
Who you Share Personal Data With
The CPA requires you to disclose the categories of personal data you share with third parties and the categories of third parties you share it with. Keep in mind that you don't have to name each third party individually; an overall description or a classification by industry will do the job nicely.
Sharp's privacy policy, for example, describes the categories of third parties with which it shares personal data.
Sale or Processing of Personal Data and Opt Out Rights
The CPA also requires you to state whether you sell personal data or process it for targeted advertising, and to provide clear instructions on how consumers can exercise their right to opt out.
EY does this in its Privacy Statement.
Your Contact Information
It's considered a best practice to provide more than one way for consumers to contact you, as Century21 does.
Vudu's account creation page is one example of where a link to the privacy policy is displayed.
Key locations include but aren't restricted to the following.
Website Footers
Hellofresh displays its privacy policy link in the website footer.
Mobile or Desktop In-app Menus
Account Sign-up or Registration Forms
eBay links to its privacy policy on its account sign-up page.
Email Newsletter Sign-up Forms
Business Insider links to its privacy policy on its newsletter sign-up form.
Colorado's Privacy Act is similar in many ways to other major U.S. privacy laws. It establishes a framework that gives consumers certain rights and protections for their personal data.
At a minimum, your privacy policy should disclose:
- What categories of personal or sensitive data you collect
- Why you collect or process the data
- How and where consumers can exercise their privacy rights
- What categories of data you share with third parties
- What categories of third parties you share data with
- Whether you sell personal data or process it for targeted advertising, and how consumers can opt out
- Your contact information
More specific Privacy Templates are available on our blog.