Colorado Privacy Act (CPA)
On July 8, 2021, Jared Polis signed into law the CPA, making Colorado the third state to enact a comprehensive privacy law. The CPA will be enforced on July 1, 2023, and applies broadly to businesses operating in Colorado.
CPA’s Main Data Rights
- The right to opt-out: The right to opt-out of having personal data processed for advertisement targeting and sale of personal information.
- The right to access any data: Consumers have the right to access any personal data if they request it.
- The right to rectify data: Consumers are entitled to have their data corrected if they find any inaccuracies.
- The right to delete data: The right to delete their data at any time.
- The right to data portability: A consumer has the right to request that their data be transferred to a different company at most twice in 12 months.
The Businesses obligated to comply:
This law applies to any company that conducts business in Colorado and processes personal data of 100,000 Colorado consumers or more in a year.
The Colorado Privacy Act applies to businesses that deliver products or services that target Coloradans if they derive a portion of profits from the sale of personal data and control the data of 25,000 or more consumers.
Exemptions to the act:
Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), COPPA-compliant entities, national securities associations, and air carriers are exempted from the scope of CPA. Customers’ data at public utilities or authorities or collected and maintained by a Colorado institution of higher education falls under a legal exemption if the personal data is processed according to federal or state laws.