The Colorado Privacy Act (CPA), which was signed into law on July 7 by Governor Polis and takes effect July 1, 2023, gives consumers the right to ask companies not to sell their personal information and the right to access any data companies have stored about them.
At a high level, the CPA applies to any legal entity that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado.” As the law is notably vague about what constitutes conducting business in Colorado, it is generally safe to assume that anything that would cause tax liability or personal jurisdiction in the State would also trigger the CPA.
The CPA is similar but not identical to the precedent-setting data privacy laws of California and Virginia: the “CCPA” (and the “CPRA” taking effect January 1, 2023) and the “VCDPA,” respectively. The CPA will grant Colorado residents the right to access, correct, and delete the personal data held by companies subject to the law. Under the new law, Colorado residents will have the right to opt out of the processing of their personal data for purposes of targeted advertising and the sale of their personal data or profiling. The CPA resembles the VCDPA in requiring opt-in consent for the processing of “sensitive data” and imposes certain GDPR-style obligations, such as the requirement to conduct data protection assessments.
Given the similarities to CCPA and VCDPA, many companies conducting business in Colorado should be able to expand upon the data privacy compliance measures they currently have in place.*
Please see below for detailed information to consider as you evaluate your compliance requirements with respect to the CPA.
*The above information is not a substitute for qualified legal advice, and we recommend businesses consult with an experienced attorney for review of their data privacy compliance measures and policies.