Colorado Privacy Act: Colorado joins California and Virginia in enacting the third state data protection act in the United States | Arent Fox


Which companies are covered?

The Colorado Privacy Act (CPA) applies to any entity that does business or manufacture products or services that are purposely aimed at Colorado residents and that either (1) control or process the personal information of more than 100,000 consumers per calendar year, or (2) derive from it income from the sale of personal data and control or processing of the personal data of at least 25,000 consumers.

The CPA does not apply to personal information governed by demarcated state and federal laws or employment records.

Notable definitions

There are several notable concepts and terms in the CPA that affect the requirements and applicability of the regulations. You are:

  1. “Approval”: Consent under the CPA is an opt-in consent. Consent requires a “clear confirmatory act, which means a voluntary, specific, informed and unambiguous consent of a consumer, for example by means of a written declaration, also by electronic means …” This corresponds more to the European standards of consent and deviates from the historical US Standards from opt-out consent.
  2. Consumer”: The Colorado Privacy Act applies to consumers. A consumer is defined as an “individual who is a Colorado resident and only acts in connection with an individual or household”. The term consumer expressly excludes persons who work in a commercial or professional context, for example as an applicant or as a beneficiary of a person who is acting in an employment context.
  3. Controller “: Similar to the European concept, the CPA defines a responsible person as a natural or legal person who “alone or jointly with others decides on the purposes and means of processing personal data”.
  4. “Dark Pattern”: Dark patterns are increasingly being covered by new regulations and drafts. Under the CPA, dark pattern means “a user interface designed or tampered with with the essential effect of undermining or impairing the autonomy, decision-making, or choice of users”.
  5. “Personal data”: Personal data is simply defined as “information that can be, or can reasonably be linked to, an identified or identifiable person; and does not contain any anonymized data or publicly available information. “
  6. Processor”: A processor is a natural or legal person who processes personal data on behalf of a controller. These are often service providers and providers.
  7. “Profiling”: Profiling means “any type of automated processing of personal data in order to evaluate personal aspects regarding the economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or relocation of a specific or identifiable natural person, to analyze or predict. ”The requirements for profiling affect the use of artificial intelligence and other automated processing systems for personal data.
  8. Sale”: The sale of personal information is also handled by the CPA, which defines the sale as “exchanging personal information for money or other valuable consideration”. This definition of sale includes “other consideration of value” in the definition, which is similar to California data protection law.
  9. Targeted advertising “: The CPA defines targeted advertising as displaying an advertisement based on personal data “derived or derived over time from the consumer’s activities on non-affiliated websites, applications or online services in order to predict consumer preferences or interests”.

Notable requirements

Rights of the data subject

Controllers must grant Colorado consumers the following data subject rights:

  1. Right to object to the processing of personal data, including the processing for the sale of personal data or the creation of profiles in support of decisions that have legal or similarly significant effects;
  2. Right of access to confirm whether a controller is processing personal data;
  3. Right to rectification of inaccuracies in personal data;
  4. Right to delete personal data; and
  5. Right to receive a portable copy of the data.

Responsibilities of the controller and the processor

While many of the requirements for controllers and processors set out in the CPA are known, including data subject rights (listed above) and other requirements related to the secure handling of personal data, some notable requirements under the CPA are:

  • Privacy ratings: Controllers must carry out a data protection assessment for processing activities involving personal data that pose an increased risk of harm, including, for example, the processing of personal data for targeted advertising or the processing of sensitive data.
  • Obligations of the processor: Processors must support data controllers with their obligations under the CPA, including assisting with requests from data subjects, by taking appropriate technical and organizational measures.
  • Subcontractor Restrictions: Processors must also give controllers the opportunity to object before engaging a subcontractor. This is often an issue in data processing contracts between controllers and processors.
  • Data processing contracts: Processing by a processor must take place within the framework of a contract between the controller and the processor that is binding on both parties. Specific provisions must be included, such as the type of personal data that are the subject of the processing, the duration of the processing and processing instructions by which the processor is bound.
  • Restrictions on the use of personal data: Several obligations are imposed on the person responsible, which limit the use of personal data. This includes the obligation to avoid secondary use so that the controller does not process personal data for purposes that are not reasonably necessary or compatible with the stated purposes for which the personal data are processed. Controllers also have a duty to minimize data, so that the controller’s collection of personal data must be appropriate, relevant and limited to what is reasonably necessary.
  • Prohibition of dark patterns when obtaining consent: The CPA defines “consent” as opt-in consent (see definition above). In obtaining consent, the CPA deals with the use of dark patterns that are misleading or manipulative (see definition above). Dark patterns are gaining increasing attention from legislators and regulators as dark patterns can be obvious but are often subtle.


The CPA can be enforced by district attorneys and attorneys general through injunctions or civil sanctions. Civil penalties can be up to $ 2,000 per violation, up to a maximum of $ 500,000 for all related violations. Helpfully, the CPA provides for a healing phase until January 1, 2025. Before enforcement, the Attorney General or District Attorney must first report a violation if a cure is believed possible. The person responsible has sixty days to correct the violation.

There is no private right of action for violations of the CPA.

What’s next?

The CPA is scheduled to come into force on July 1, 2023. Further guidance can be published by the Attorney General. According to the CPA, until January 1, 2025, the Attorney General can issue rules for the procedure for issuing opinions and guidelines for interpretation.

Since both the new California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA) come into effect on January 1, 2023; Businesses are well advised to prepare for these laws for the remainder of 2021 and 2022. Much of the effort required to achieve compliance with the CPRA and CDPA will also contribute to compliance with the CPA.


About Author

Leave A Reply