This summer, Colorado passed the new data privacy law called the Colorado Privacy Act (“CPA”), granting Colorado residents new rights and creating new obligations for businesses that are located in or conduct business with those in Colorado. CPA regulates the collection of personal data, or information relating or reasonably linkable to an identifiable person, such as a person’s name, social security numbers, email address, transaction data, Internet browsing history, and geolocation.

CPA – The Brass Tacks

Briefly, CPA applies to any business that (a) purposefully produces and delivers goods or services to Colorado residents and (b) meets one of the below criteria:

  1. Controls or processes personal data of 100,000 or more Colorado residents; or
  2. Derives revenue or receives discounts from selling personal data, and processes or controls the personal data of 25,000 or more Colorado residents.

A covered business must have completed all compliance efforts by July 1, 2023.

Colorado (CPA) v. California (CCPA)

As we’ve previously discussed at length on the Privacy Hacker, California’s similar privacy legislation, or the California Consumer Privacy Act (CCPA), applies to any business that meets one of the below criteria:

  1. Has an annual gross revenue of over $25 million
  2. Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
  3. Derives 50% or more of their annual revenue from selling California residents’ personal information.

Despite California casting a wider net on businesses that must comply with CCPA, Colorado’s CPA has several key differences from the California law that should be addressed when thinking about privacy compliance.

Know Your Consumers’ Rights: CPA vs. CCPA (and other laws)

The CPA defines in finer detail the rights granted to Colorado residents. For example, under CPA, Colorado residents have a similar right to opt-out of the sale of data as the CCPA. Similar to the California Privacy Rights Act, an amendment to the CCPA, which will also be effective in 2023, the Colorado legislature specifically included data processing for targeted ads and profiling. Practically, this means that Colorado businesses should take special care to ensure their responses to opt-out requests include targeted ads and profiling. Below, we have provided a high-level overview of the rights provided by both states:

CPA Rights CCPA Rights
  • Access, Deletion, Correction, Portability
  •   Opt-out of Data Sales
  • Opt-out of certain targeted advertising
  • Access, Deletion, Correction, Portability
  • Opt-out of Data Sales, which right can be exercised by an agent
  • Opt-out to process sensitive data
  • Opt-in consent to process sensitive data (similar to GDPR)

CPA Business Brief

More specifically, Colorado businesses should take time to review their new compliance responsibilities and the new response times required by Colorado as compared to the CCPA, the Virginia Consumer Data Protection Act, and the EU’s GDPR, among other privacy laws.

Complaints and Lawsuits Responding to Consumers’ Requests Data Protection Assessments
No private right of action Controllers have 45 days to respond to requests.
Relies on the attorney general and district attorney to prosecute consumer grievances. Extensions are available Businesses must conduct data protection assessments, or alert consumers about data collection, as well as, the categorization of and business-rationale for

As you work through your compliance obligations under the CCPA and the other multitude of privacy laws, consider preemptively creating systems and structures to also address CPA. Despite the long wait time, CPA enforcement will likely begin quickly after the July 1, 2023 enforcement date. If you have any questions or would like to learn more about how your business can become compliant with the CCPA, CPA, or many different privacy laws, please contact our Data Privacy and Security Department at Hopkins & Carley.