The Colorado Privacy Act (CPA), enacted on July 8th, 2021, will take effect on July 1st, 2023. It safeguards Colorado residents’ privacy rights and imposes obligations on businesses. The Colorado Privacy Act protects consumers when they conduct online business. They are given specific rights over their data, including contacting data controllers or data processors with inquiries or demands.
While recognizing that there is still an opportunity for improvement, the Colorado government will continue to reshape the legislation without stifling innovation. The CPA is similar in some respects to other privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR); however, it also has some unique features.
Consumer rights under the Colorado Privacy Act
The Colorado Privacy Act aims to safeguard state-based consumers’ legal rights. In comparison to the legislation of other jurisdictions, the specific rights listed are rather ordinary.
The Colorado Privacy Act grants consumers the following five particular rights:
The ability to object to the use of their personal data for profiling, sales, or targeted advertising
Access to whatever information that a business has collected about them
The right to have information gathered about them that is inaccurate or out-of-date updated
The right to ask that any information obtained about them be deleted.
The right to data portability, that allows you to move your information to another party
People who have to comply with CPA
The following companies are subject to the Colorado Privacy Act:
Processing personal data of 25,000 or more inhabitants each year
Processing personal data of 100,000 or more residents per year and profit from the sale of that data or gaining a discount on products or services as a result
These requirements are comparable to those in the Consumer Data Protection Act (CDPA) of Virginia and the CCPA, which make compliance simpler for smaller enterprises.
A company need not be physically present in Colorado or have its headquarters to conduct business there. Businesses that meet the requirements and conduct online or mobile commerce must also comply.
Exemptions to Colorado Privacy Act
The Colorado Privacy Act does not apply to every business. As stated, companies that don’t exceed the income criteria or the number of inhabitants whose data is processed annually are excluded. Furthermore, the following categories of organizations are exempt:
Entities covered by the Family Educational Rights and Privacy Act, Entities covered by the Children’s Online Privacy Protection Act, Entities covered by the Fair Credit Reporting Act
Entities governed by the Health Insurance Portability and Accountability Act (HIPAA) in Colorado
Those responsible for data collection and processing under the Colorado Health Insurance Law
Those responsible for gathering and processing data for employment records
Those who handle de-identified personal information agencies for consumer reporting. Institutions of higher learning
Organizations’ duties under the Colorado Privacy Act
Duty of transparency
A reasonably accessible, transparent, and meaningful privacy notice will be provided.
Duty of purpose specification
Specifying the purposes for which the data is being gathered is required.
Duty of data minimization
Ensuring that data is adequate, relevant, and restricted to what is genuinely required to achieve the goal conveyed.
Obligation to prevent secondary use
Refrain from processing personal data for unjustifiable or required purposes in light of the purpose indicated.
Duty of care
Taking reasonable precautions to protect data from unwanted access when storing and using it.
Duty to avoid unlawful discrimination
Refrain from processing personal data violating state or federal regulations that forbid unlawful discrimination against customers.
Obligation concerning sensitive data
Process sensitive data on customers only after receiving their express, informed consent or, in the instance of a known minor, the permission of the minor’s parents or legal guardians.
The Colorado Privacy Act (CPA) is a comprehensive privacy law that gives Colorado residents greater control over their personal information while imposing significant obligations on businesses that collect and process such information. By establishing rules for data collection, storage, and sharing, the CPA aims to protect individuals’ privacy rights and enhance transparency in the use of personal data.
Businesses that operate in Colorado need to take proactive measures to comply with the CPA, such as updating their privacy policies, implementing data protection assessments, and designating a person or team responsible for compliance. Failure to abide by the CPA may result in significant fines and reputational damage, highlighting the importance of adhering to the law’s requirements.