New Colorado Privacy Act



Like Virginia and Washington before it, on March 19, 2021, Colorado introduced a data privacy bill, the Colorado Privacy Act (CPA). As currently drafted, the CPA would be similar to other U.S. state privacy laws, including California’s CCPA, Virginia’s Consumer Data Protection Act and Washington’s Privacy Act, although it also bears a close resemblance to the GDPR. If passed, the CPA would go into effect on January 1, 2023.

1. Who would be subject to the CPA?

The CPA applies to organizations that conduct business in Colorado or intentionally target their products / services to Colorado residents (individuals or households (“Consumers”)) that either: (1) control or process personal data of more than 100,000 Consumers per calendar year; or (2) derive revenue from the sale of personal data and control or processes the personal data of at least 25,000 Consumers. As with California’s CCPA, the CPA does not apply to employment records and other personal data governed by certain state and federal laws.

2. What are the main obligations?

The CPA grants certain rights to Consumers with certain rights, namely the right to:

  • Opt-out of the processing of personal data;
  • Authorize another person to act on their behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the Consumer’s data;
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format;
  • Correct inaccurate personal data;
  • Delete personal data; and
  • Obtain consent before collection of certain sensitive personal data (personal data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status)

Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.

Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.

3. What are the main sanctions for noncompliance?

 The Colorado Attorney General’s office and state district attorneys would enforce the CPA. The bill provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. There is no private right of action. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:


Polsinelli on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.