
A Detailed Breakdown of the Colorado Privacy Act

The new Colorado Privacy Act will take effect on July 1, 2023. It borrows various elements from the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA). Therefore, organizations already in compliance with the California and Virginia privacy laws are one step ahead of the rest. Though there is still room for improvement, this new privacy law, once in effect, will require specific organizations conducting business or producing products targeting Colorado residents to abide by personal data privacy rights.

Although a connected world brings more partnerships and increased opportunities, it also highlights the need for proactive countermeasures to protect the privacy and security of consumers’ data. As cyberattacks rise worldwide, consumers are more concerned about organizations collecting, storing, and using personal data. Primarily, the consumers want to exercise the right to control what happens to their data. As per a recent report, security attacks increased 31% from 2020 to 2021. Various nations and states have set their data protection and privacy rules and regulations to address this growing data insecurity.

About the Colorado Privacy Act

With the Colorado Privacy Act (CPA), Colorado becomes the third U.S. state, after California and Virginia, to pass comprehensive data privacy legislation. Signed into law on July 8th, 2021, the CPA aims to safeguard the privacy rights of Colorado residents. The act is designed to protect consumers in their online activities. In addition, it gives people more control over their personally identifiable information, including the ability to make inquiries and requests to data controllers.

Under the CPA, consumers have five specific rights:

  • They have the right to opt out of data profiling or the processing of their data for targeted advertising or sale.
  • They can access any data that any organization collects about them.
  • They can make corrections to the stored data.
  • They have the right to delete the collected data.
  • With data portability, they can also transfer the data to another entity.

The CPA also compels organizations to establish a transparent process for consumers to appeal a denial of a request, and to inform consumers that they can contact the Attorney General if they have any concerns. Data controllers or organizations must respond to a verified consumer request within 45 days of receiving it. A consumer’s failure to produce acceptable documents for authentication can lead to denial of the request.

Understanding the applicability of the law

The CPA applies to any organization, including non-profits, that sells products or services intentionally targeted at residents of Colorado. The organization must also satisfy one of the following thresholds for the law to apply:

  1. Processing or controlling the personal data of 100,000 or more consumers annually
  2. Deriving revenue and receiving discounts from the sale or processing of personal data, and controlling or processing the personal data of at least 25,000 consumers.

The Colorado and Virginia data privacy laws are very similar in applicability, while the CPA appears narrower than the CCPA. For example, the CCPA has a $25M annual revenue threshold, but the CPA has no revenue threshold. Moreover, the CPA’s consumer threshold is double the CCPA’s limit.

Understanding exemptions of the law

In terms of exemptions, the CPA does not apply to information under the control of Colorado State government organizations or state-operated higher education institutions, nor to data governed by the Health Insurance Portability and Accountability Act (HIPAA), financial institutions and affiliates subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Act. The exemptions under the CPA also extend to job applicants, data shared in a commercial or employment setting, and data covered under existing privacy laws.

Operationalizing the Colorado Privacy Act Requirements

Complying with data privacy laws builds trust and increases credibility, because compliance requires an organization to better understand its data collection, management, and storage processes. In addition, data privacy laws guide companies toward improving their security posture: they recommend cybersecurity best practices to secure sensitive data and enhance consumer confidence. Staying compliant reduces the chances of a data breach and increases security resilience. As per a survey report, 79% of organizations comply with two or more privacy laws, whereas 10% report actively working to comply with 50 or more privacy laws at once.

The first step to staying compliant with the CPA is determining whether the organization falls within the thresholds above. Next, organizations should create a centralized repository of resources, including the complete CPA regulatory guidelines and their latest updates. Finally, automate the handling of data privacy requests so that your organization can adhere to the 45-day response timeline.

The CPA provides a 60-day cure period until January 1, 2025. After that, however, non-compliance with this law will result in penalties starting from $2,000 per violation. Some important things to remember about CPA compliance:

  • Update your organization’s privacy policy and include detailed information about collecting and processing personal data.
  • Conduct privacy impact assessments or readiness assessments to measure data security and identify cybersecurity gaps to remediate and minimize risks.
  • Enable opt-out requests to protect Colorado consumers from organizations seeking to profit from consumers’ profile data in marketing and advertising situations.
  • Note the primary CPA compliance attributes while data mapping and performing cross-border data transfers. It is also necessary to minimize data collection and to specify the purpose of processing as the CPA outlines.

Privacy concerns often exist in the background because organizations are more focused on security. However, in managing an effective business that handles sensitive and private information. Today, several states in America are deciding to zero in on protecting the privacy of their residents by ensuring that companies adhere to strict privacy rules aimed at safeguarding interactions between businesses and consumers.

As a result, Colorado decided to implement its privacy law, the Colorado Privacy Act (CPA), which will impact organizations looking to conduct business within Colorado’s jurisdiction. The CPA is another revolutionary step to tackle the growing threat of data breaches and cyber-attacks—from offering consumers more control over personal data to setting guidelines for organizations to ensure data security.

While most privacy laws may appear similar, only a trained privacy expert can uncover the subtle differences that matter. Therefore, for small to midsize businesses that conduct business with Colorado residents or handle data within the state, engaging with data privacy experts is a surefire way to achieve quicker compliance with minimal effort and at an affordable price.
