Colorado

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021. It subsequently came into effect on July 1, 2023.

The Colorado Attorney General is responsible for enforcing the Colorado Privacy Act. Violations of the CPA could result in civil penalties of $2,000, reaching a maximum of $500,000 for related violations.

Who does it impact?

Businesses that are based in Colorado or produce products or services aimed at Colorado residents and either:

  • Control or process personal data of at least 100,000 consumers per calendar year; or
  • Derive revenue from the sale of personal data and control or process personal data of at least 25,000 consumers

Unlike the CCPA or the VCDPA, there is no minimum dollar value of business revenue.


Exemptions

  • Financial institutions that are subject to the Gramm-Leach-Bliley Act
  • Air carriers
  • National securities association
  • Personal data maintained by a public utility or authority only if the personal data is processed as authorized by state or federal laws
  • Personal data maintained by a Colorado institution of higher education, the state of Colorado, the judicial department of the state of Colorado or a county or municipality, provided that the personal data is processed only as authorized by state or federal laws.

Consumer Rights

Right to access

Any data about them held or processed by a controller.

Right to correct

Inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data.

Right to delete

Personal data collected about them.

Right to data portability

Consumers have the right to obtain their personal data in a portable and, to a technically feasible extent, readily usable format that allows the consumer to transmit the data to another entity without hindrance.

Right to opt out

Of the processing of their personal data for purposes of: targeted advertising; sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects.


Controller

An entity that, alone or jointly with others, determines the purposes and means of processing personal data.

Processor

An entity that processes personal data on behalf of a controller.


Enforcement

The Colorado Attorney General is responsible for enforcing the Colorado Privacy Act. Violations of the CPA could result in civil penalties of $2,000, reaching a maximum of $500,000 for related violations.

Cure period

Until January 1st, 2025, if a breach is discovered, a controller will have 60 days to fix it before any action can be taken against them; this is the so-called “cure period”. After this date, the Attorney General will be able to act without notice.


Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.
