Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

What is Colorado Privacy Act (CPA)

By Securiti Research Team

Published January 20, 2023 / Updated August 23, 2023

Colorado has become the third US State to pass a comprehensive data privacy law. Colorado Privacy Act (CPA) was signed into law on July 8th, 2021. Modeled pretty similarly to the Virginia Data Protection Act (VCDPA) passed earlier this year, the CPA provides comprehensive privacy rights to state residents of Colorado and imposes a new set of obligations and duties on data controllers managing consumer personal information.
With the increasing importance of privacy in today's digital age, the Colorado Privacy Act represents a major step forward in the protection of personal data for residents of the state.

What is the Colorado Privacy Act?

The Colorado Privacy Act, also known as Senate Bill 21-190, is a comprehensive privacy law that was enacted in Colorado on July 7, 2021. This legislation provides significant protections for the personal information of Colorado residents, establishing new standards for the collection, use, and protection of personal data by businesses operating in the state.

Definition of Personal Data

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual.
The CPA also categorizes certain data as “Sensitive Personal Data” which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
- Personal data from a known child.
Publicly available and de-identified personal data are not covered under the law.
Certain forms of Personal Data are exempt from the law:
- Medical data covered under any medical laws: Many forms of health information, records, data and documents protected and covered under HIPAA, or other federal or state medical laws have been exempted.
- FCRA covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
- Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
- FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
- Employment data: Personal data maintained for employment records;

Time period to fulfill DSR request: All data subject rights’ requests (DSR requests) must be fulfilled by the data controller within a 45 day period.
Extension in time period: data controllers may seek for an extension of 45 days in fulfilling the request depending on the complexity and number of the consumer's requests.
Denial of DSR request: If a DSR request is to be denied, the data controller must inform the consumer of the reasons within a 45 days period.
Appeal against refusal: Consumers have a right to appeal the decision for refusal of grant of the DSR request. The appeal must be decided within 45 days but the time period can be further extended by 60 additional days.
Limitation of DSR requests per year: Requests for data portability may be made only twice in a year.
Charges: DSR requests must be fulfilled free of charge once in a year. Any subsequent request within a 12 month period can be charged.
Authentication: A data controller is not to respond to a consumer request unless it can authenticate the request using reasonably commercial means. A data controller can request additional information from the consumer for the purposes of authenticating the request.

Who must comply?

CPA applies to all data controllers who conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado - if they match any one or both of these conditions:
- If they control or process the personal data of 100,000 consumers or more during a calendar year; or
- If they derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.
The following entities are exempt from complying with CPA:
- GLBA entities: Financial Institutions or data which is subject to the federal Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. SEC. 6801 ET SEQ., as amended, and implementing regulations, including Regulation P, 12 CFR 1016. are exempt.
- COPPA compliant entities: Controllers and processors that comply with the Children's Online Privacy Protection Act (COPPA) will be deemed to be in compliance with the CPA;
- Air Carriers: an air carrier as defined in and regulated under 49 U.S.C. SEC. 40101 ET SEQ., as amended, and 49 U.S.C. SEC. 41713 are exempt.
- National Securities Association: A National Securities Association registered pursuant to the federal "Securities Exchange Act Of 1934", 15 U.S.C. SEC. 78o-3, as amended, or implementing Regulations are exempt.
- Public Utilities and Authorities: customer data maintained by a public utility as defined in Section 40-1-103 (1)(a)(I) or an authority as defined in Section 43-4-503 (1) is exempt from the law if the data is not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law.
- State Institution: data maintained by a state institution of higher education, as defined in Section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes is exempt from the law.

Important Exceptions

The CPA does not apply to:

Data processed in an employment or commercial (business-to-business) context: Personal data processed by a controller, processor, or third party is exempt from the application of this law:
- If the individual data subject is acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
- If the personal data is maintained for employment records purposes.
- As the emergency contact information of an individual used for emergency contact purposes;
Data processed for free speech or household purposes: Nothing in this law applies to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law or the processing of personal data by an individual in the course of a purely personal or household activity.
Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to improve or repair products, services, or technology or to identify and repair technical errors that impair existing or intended functionality or to undertake internal operations reasonably aligned with the consumer’s expectations for performance of a service or provision of a product.
Data processed for legal obligations: Nothing in this law restricts a controller or processor from complying with other applicable laws, to claim or defend legal claims or cooperate with government authorities or investigations.
Data processed to protect vital interests or security: Nothing in this law restricts a controller from processing data for protecting the vital interests of the consumer or of another individual or to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
Data processed for public health reasons: Nothing in this law restricts controllers from processing personal data for reasons of public interest in the area of public health, but solely to the extent that the processing is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

What is the Purpose of the Colorado Privacy Act?

Colorado Privacy Act protects the personal information of Colorado residents by setting new standards for the collection, use, and protection of personal data by businesses operating in the state. The act seeks to give individuals greater control over their personal information and to promote transparency and accountability in the handling of such information by companies.

It further addresses the growing concerns around the misuse and exploitation of personal data, particularly in light of recent high-profile data breaches and privacy violations. The act requires businesses to implement appropriate security measures to protect personal data, and to be transparent about their data practices by providing individuals with information about the data they collect, how it is used, and whom it is shared with.

In short, the Colorado Privacy Act aims to ensure that businesses handle personal information responsibly and securely and to give individuals greater control and visibility over how their personal data is collected, used, and protected.

The provisions of this act shall become effective on July 1, 2023 unless a referendum petition is filed within 90 days after final adjournment of the general assembly and the people vote for the proposed changes to the act within the referendum at the general election to be held in November 2022. In such a case, the amended provisions will take effect July 1, 2023, or on the date of the official declaration of the vote thereon by the governor, whichever is later.

The CPA is structurally very similar to the VCDPA. There are only a few significant differences between the two acts.

Data Protection Assessments under the CPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. It is important to note that the controller shall make the data protection assessments available to the attorney general upon request.

The requirement to conduct Data Protection Assessments under the CPA shall apply to processing activities created or generated after July 1, 2023, and is not retroactive.

The CPA defines a minor below 13 years of age for the additional protections it provides.

There is no 12 months time limit as found in the CPRA or CCPA after which the business can re-ask for the consent of the consumer who chooses to exercise the right to opt-out.

The CPA requires that opt-in consent be collected for processing of children’s Personal Data, use of Sensitive Personal Data and use of Personal Data beyond the initial purpose for which it was collected for.

The Colorado Privacy Act (CPA) is a data privacy law enacted in Colorado, USA. It sets regulations for how businesses handle and protect consumers' personal data. It grants Colorado residents certain rights over their data and places obligations on businesses regarding data collection, processing, and disclosure.

The Colorado Privacy Act applies to businesses that conduct business in Colorado, process personal data of at least 100,000 Colorado consumers, or derive revenue from selling personal data and process the data of at least 25,000 Colorado consumers. The law focuses on businesses that meet these criteria, regardless of their physical presence in Colorado.

Colorado is a one-party consent state for recording conversations. This means that as long as one participant in the conversation consents to the recording, it is generally legal. However, it's important to understand and adhere to the specific legal requirements and limitations.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.