Gartner estimates that, by the end of 2023, 75% of the world’s population will have their personal data covered under modern privacy regulations. The GDPR has taken action to protect European data. What about the Colorado Privacy Act (CPA)? Has it done the same for Colorado?

The third law of its kind in the United States, this law secures new privacy rights for Colorado consumers. But how exactly can consumers exercise their rights under the CPA, and who is required to comply? What are the rights granted both to Colorado consumers and to Colorado companies with respect to their personal data? Carry on reading for a crash course on all you need to know about the Colorado Privacy Act compliance.


What about other U.S. states? To learn more about the big picture of data privacy in the United States and access our updated map and law tracker, head to our dedicated blog post:


Featured image of a blog post on consumer data privacy laws in the United States, along with a flag of the USA and the label "Country Focus"







What is the Colorado Privacy Act (CPA)? 


On July 7, 2021, Colorado Governor Jared Polis enacted the Colorado Privacy Act (CPA) through SB21–190. The act aims to protect Colorado residents' fundamental right to privacy and requires companies to protect user data while continuing to conduct business. 


The Act represents the third data privacy legislation passed at the U.S. state level. The first two are the California Consumer Privacy Act (CPPA) and Virginia's Consumer Data Protection Act (VCDPA).

The Colorado Privacy Act not only contains some similar terms with the EU's General Data Protection Regulation (GDPR), but also shares similarities with the California Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (VCDPA).


The similarities to the California Privacy Rights Act lie in the right to opt out of the processing of personal data and targeted advertising, the right to access and delete personal information, and the right to be informed of data collection.


The similarities to the Data Protection Act VCDPA are in the control and processing of personal data during a calendar year.


When it comes to differences between the three laws, the three define "sensitive data" differently. That’s why companies need to take into account the little details to reach compliance within the different regions. In addition to that, there are some differences in the compliance requirements and sanctions as well. 


“Controller” and “Processor,” who are they?

‘Controllers' and 'processors' must respond to the obligations of the Colorado Privacy Act. But who are these two figures? 


  • A ‘controller’ is the person who determines the purposes for and means of processing personal data

  • A ‘processor’ is the person who processes personal data on behalf of the controller. 


Processors follow the controller's instructions and assist and cooperate with the controller. Their interaction enables them to fulfill their duties.


Under the CPA, what are controllers required to do? 


  • Give consumers a clear, accessible, and understandable privacy notice;

  • Inform users of any sale of personal data and how they can opt out of targeted advertising or processing of personal data;

  • Collect only data that is strictly necessary and that is used to fulfill the purposes set out when the data was collected in the very first place;

  • Secure personal data depending on the scope, volume, and nature of the data collected;

  • Process sensitive data only after receiving clear consent from the user. The user must be able to give consent in an informed, unambiguous manner and specifically in relation to the data that is to be collected.


What should your notice include according to the CPA? 

The notice must contain a certain amount of information, such as:


  • The purpose for which the data is collected;

  • The categories of personal data collected or processed by the organization or its partners

  • The categories of personal data shared with third parties

  • The categories of third parties with whom an individual's data is shared


How consumers can exercise their rights under the Colorado Privacy Act


Mockup of a consent banner presenting various option to users, including "do not sell or share my personal information", "limit the use of my sensitive personal infromation", and "agree and close", along with a label "Global Privacy Control signal detected and applied". On the left side of the image, an american flag.


The Colorado Privacy Act lists a core set of rights granted to Colorado consumers with respect to their personal data. They are:


  • The right to opt-out not only of the sale of personal data but also of the collection and use of personal data for targeted advertising;

  • The right to access their personal data; 

  • The right to correct their personal data;

  • The right to delete your personal data; 

  • The right to data portability (i.e. the right to take their sensitive data and transfer it to another company).  


The Colorado Privacy Act lists a core set of rights granted to Colorado companies with respect to their personal data: 


  • Companies should be transparent about how they manage user data;

  • Companies must take care of users' personal data and their privacy;

  • Companies' compliance and responsibility must be emphasized through data protection assessments.


Furthermore, the Colorado Attorney General and District Attorneys have the power to access and evaluate a company's data protection policy and sanction it for non-compliance.


Who is required to comply? 


The first question that comes to everyone's mind is: “Do I have to comply with the CPA?”. And we’re here to give you the answer you’re looking for!


All companies should be working on giving more value to their customers, both from a legal and ethical point of view. 


But beyond that, we are here to inform you about what types of companies are involved. If one or more of the following points apply to you, then your company needs to comply with the Colorado Consumer Protection Act.


If your company conducts business in Colorado or provides products or services to Colorado residents, it may be affected if: 


  • Controls or processes the personal data of 100,000 consumers or more during a calendar year;

  • Controls the personal data of 25,000 consumers or more and derives revenue from the sale of personal data and processes.


In contrast to the CCPA and the VCDPA, it lacks a minimum dollar value of business revenue (according to both the CCPA and the VCDPA, you must earn a minimum of 50% of your revenue from selling personal data). 


Those are the rules. However, with 93% of consumers reporting that they would switch to a company that prioritizes consumer personal data privacy (Data Privacy Feedback Loop 2020), this may be a topic of interest for most of the companies out there if they don’t want to lose any clients as well as missing out on new ones.


Who is exempt from the CPA?


Certain persons, data, and specific activities are exempt from the CPA.


Data excluded from the scope of the CPA: 


  • If the entity collecting the personal information or the personal information collected is already covered by certain industry laws, such as the Children's Online Privacy Protection Act or the Family Educational Rights and Privacy Act; 

  • If the personal information has been collected for purposes of law affecting Colorado health insurance; 

  • If personal data has been de-identified or pseudonymised; 

  • If personal data is used for employment documentation purposes.

  • If personal data is used by a consumer reporting agency. 


Persons excluded from the scope of the CPA: 


  • Financial institutions so long as they are subject to the Gramm-Leach-Bliley Act (GLBA);

  • Air carriers; 

  • National Securities Association; 

  • Customer personal data maintained by a public utility or an authority only if the personal data is processed only as authorized by state or federal laws; 

  • Personal data maintained by a Colorado institution of higher education, the state of Colorado, the judicial department of the state of Colorado, or a county or municipality provided that the personal data is processed only as authorized by state or federal laws.


Who will enforce the CPA, and what are the risks of non-compliance with the CPA? 


Privacy is much more than just CPA compliance. It is a consumer right and transparency in privacy practices. 


However, whilst the purpose of CPA is so much more than just CPA compliance, it’s worth mentioning that a violation of CPA is deemed a deceptive trade practice.


The Colorado Attorney General and district attorneys are charged with the enforcement of the CPA. However, unlike California's laws, there is not a private right of action within the CPA.


The universal opt-out mechanism is specified by the Colorado Attorney General. The rules on opt-out mechanisms must: 


  • Allow the controller to accurately authenticate the consumer as a Colorado resident and inform the consumer that the opt-out mechanism allows them to opt out of targeted advertising or sales.

  • Use a mechanism that shows the user's affirmative, freely given, and unambiguous choice to refuse the processing of personal data; 

  • Use a mechanism that is well-described and easy to adopt by the average consumer; 

  • Do not allow a controller to be unfairly disadvantaged by other products that offer a universal opt-out mechanism; 

  • Use a mechanism that is as similar as possible to any other mechanism required by law in the United States; 

  • Require controllers to inform users when they opt out; 


Penalties for CPA violations:

In case of non-compliance, there is a ​​heightened risk of facing severe sanctions. Pursuant to the Colorado Privacy Act, Colorado will be able to issue far stiffer penalties than California and Virginia


You can be punished by civil penalties of up to $2,000 if you violate the CPA, and they can reach a maximum penalty of $500,000 for related violations. 


“Right to cure” until January 1, 2025

In case of a breach, the controller has 60 days (the so-called "cure period") to fix it before any action can be brought against him. This cure period will last until 1 January 2025, at which time the Colorado Attorney General may act without such notice.



The principle of comparative fault may apply when several controllers or processors are involved in the same violation. Businesses had until July 1, 2023, to comply with the Colorado Privacy Act.


Is there an easy way to comply with the CPA?


We’re coming to the end of our Colorado Privacy Act crash course. But we’re now reaching the most important part. 


It’s all very well knowing the CPA requirements, but how can companies implement these in an effective and fool-proof manner at every point of personal data collection and personal data classification? How can organizations’ data be managed effectively without affecting annual gross revenue? 


CPA compliance should not be underestimated and should be a matter of interest for everyone. At least if you want to avoid sensitive data breaches and government records. Is there an easy way to comply with the CPA? Yes. This is where Didomi steps in.


Didomi helps companies demonstrate transparent privacy practices to their users and comply with local regulations. Didomi helps you think of the user as the customer and not the product and build a trust-worthy relationship with them.


Our consent and preference management technology allows companies to comply with CPA regulations, allowing them to: 


  • Build real-time, customer-friendly interfaces to inform their users about the personal data collected and allowing them to personalize their consent choices and preferences;

  • Effectively collect, store, manage, and provide proof of user consent across digital assets and physical data collection points;

  • Prove the robustness of their personal data practices to users and regulators thanks to a clear data inventory that allows for CPA consumer requests. 


97% of companies have seen benefits like a competitive advantage or investor appeal from investing in privacy (Cisco 2019 Consumer Privacy Survey).


Ensure CPA cookies compliance with a bespoke Didimi consent notice. A Consent Management Platform (CMP) will allow you to collect billions of consents every month and won’t let you sacrifice performance or data visualization. 


Companies should understand the implications of illegally collecting sensitive data. People want to have a clear understanding of how their personal data is collected and what is done with it. So better not to hide it in the depths of a 30-page terms and conditions document.


It’s not a question of no longer collecting data. It’s a question of collecting personal data in a way that ensures consumer personal data rights and builds user trust.


And, with 88% of consumers saying that the extent of their willingness to share personal information is based on how much they trust a company (PwC Survey, 2017), the commercial benefit of optimal consent management technology should not be underestimated. 


Reach out to us for any CPA queries or for more information on our solutions. We’ll ensure you achieve CPA compliance.


Talk to an expert