The Colorado Privacy Act (CPA) passed in 2021 and took effect on July 1, 2023. The law was passed with the intent of protecting the data of Colorado residents, and it follows similar bills passed in California and Virginia.
While many of the law’s provisions resemble those passed in Virginia and California, along with the European Union’s General Data Protection Regulation (GDPR), there are some differences that make the CPA unique.
A General Overview of the Colorado Privacy Act
The CPA regulates what data a company can collect and store, as well as what it can use that data for. Importantly, for both businesses and individuals, it only regulates the data of Colorado residents acting in an ‘individual’ or ‘household’ context. That means data collected, stored, and used while a person is acting in a commercial or employment context is not subject to the regulations.
The law also regulates how companies handle ‘sensitive’ data, including an opt-out requirement when it comes to the collection of this type of data. Data that falls under this category includes:
- Information regarding someone’s racial or ethnic origin, religious beliefs, health conditions, sexual orientation, or citizenship status
- Genetic or biometric data that can be used for the purpose of identifying a person
- Personal data of a minor
In addition to the types of data that may be collected, the CPA also sets out requirements on data protection and availability.
Companies under the CPA are required to perform data protection assessments before they use data in a way that could raise privacy or security risks to an individual. This includes targeted advertising using personal data, selling collected or processed data, processing sensitive data, and more.
Companies will also need to be able to comply with data subject access requests (DSARs), which tell an individual what data a company is collecting and processing about them.
What Organizations Does the Colorado Privacy Act Apply To?
The CPA requires compliance from many organizations, with non-profit and healthcare organizations being the most notable inclusions in the law.
The law does not set a revenue threshold for companies; instead, it bases its thresholds on the number of individuals whose data is collected and/or processed. For businesses that only collect data from consumers, the threshold is 100,000, but if the company profits from the sale of personal information, that number drops to 25,000.
However, there are still a few carve-outs in the CPA, at both the entity and process level.
At the entity level, there is an exemption for organizations regulated by the Gramm-Leach-Bliley Act and for higher education institutions.
At the process level, the exemptions cover data that is already regulated by the following laws:
- The Children’s Online Privacy Protection Act of 1998
- The Family Educational Rights and Privacy Act of 1974
- The Health Insurance Portability and Accountability Act
- The Fair Credit Reporting Act
What Consumer Protections Does the Colorado Privacy Act Give?
The Colorado Privacy Act outlines five rights consumers have over the data businesses collect on them.
- The right to opt out of targeted ads from companies, the sale of their personal data, or profiling based on their personal data.
- The right to request and see what data a company has collected from them.
- The right to correct or amend incorrect data collected about them.
- The right to request deletion of data collected about them.
- The right to ‘data portability,’ or, in other words, the right to access data in an accessible and transportable format.
Compliance Timeline for the Colorado Privacy Act
While the law went into effect on July 1, 2023, there is a slight grace period when it comes to full compliance.
For starters, companies have until July 1, 2024, to fully implement the technical specifications behind the required opt-out of data sales and targeted advertising.
Companies will also have a right to cure violations through January 1, 2025, giving them 60 days after notification of a violation to fix it. Starting in January 2025, there will be no cure period, and companies will be subject to penalties once they have been found to have infringed the regulations.
Companies can also be required to present a data protection assessment to the Attorney General’s Office, which must be delivered within 30 days of the request.
Finally, the deadline for responding to a DSAR is set at a maximum of 45 days. However, businesses can request a 45-day extension for high-volume and/or complex requests.
Enforcement Bodies and Possible Fines
Under the Colorado Privacy Act, there is no individual enforcement mechanism (no private right of action), and no specific body has been created to enforce the law. Enforcement is left to the Colorado Attorney General’s Office.
Where the CPA stands out is the size of individual fines, with the Attorney General authorized to levy up to $20,000 per violation. However, penalties are capped at $500,000, insulating companies from ever-escalating fines.
Stay Compliant with Record Nations
Record Nations offers data storage and document management services that are compliant with the CPA, CCPA, and the VCDPA. Give us a call at (866) 385-3706, or fill out the form on the page, and we’ll work with you to find a data management solution that fits your needs.