alt text
alt text

Login as existing user

Get started free
  • Blog
  • The Colorado Privacy Act (CPA)
Categories

The Colorado Privacy Act (CPA)

Simon Coulthard July 15, 2021

2-minute read
GDPR & Data Privacy Regulations
CONTENTS

Colorado is the third US state after California and Virginia, to pass a law meant to protect the data of its citizens. 
The Colorado Privacy Act was signed into law by Governor Jared Polis on the 7th of July, 2021. This new privacy act will go into effect in July 2023. Here’s what you, as a website owner, need to know about this.

Colorado Privacy Act in a Nutshell


According to the Colorado General Assembly, the legislature of the State of Colorado, this bill’s purpose is to create and implement personal data privacy rights and:

  • “Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
  • Control or process personal data of more than 100,000 consumers per calendar year; or
  • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
  • Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.

 

Consumers have the right to opt-out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller.”

 

The Similarities and Differences between US Data Privacy Laws

As mentioned before, CPA follows the principles of its counterpart laws the California Consumer Privacy Act (CCPA) and The Virginia Consumer Data Protection Act (VCDPA), both of which are based on the principles of the European General Data Protection Regulation, also known as the GDPR.

 

Defining consumer rights: All of these 3 laws provide rights for access, deletion, correction, portability, and opt-out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. A difference between CCPA and CPA is that Colorado consumers need to use an authorized agent for sale opt-out requests.

 

Addressing consumer rights decisions: Colorado’s consumer appeal process is similar to Virginia’s. Under CPA, if a consumer has a valid request, the controller must allow the consumer to appeal its decision. The controller must also let the consumer know the reasons for rejecting the request and also inform him or her of the right  to contact the Attorney General “if the consumer has concerns about the result of the appeal.”

 

Opt-out requests: Unlike in the Californian law, which makes the global privacy control optional, controllers must comply with the universal opt-out under CPA. The technicals specifications for this process are still in debate but will be announced well before the law goes into effect in July 2023.

 

Data processing consent: Similar the Virginia law, CPA requires opt-in consent for processing sensitive personal data such as:

  • citizenship;
  • racial or ethnic origin;
  • religious beliefs;
  • genetic or biometric data used for identifying any unique individual. 

The Colorado Privacy Act also requires consent for processing under 13 year’s old children’s information.

Controller obligations: CPA’s list of duties for controllers include:

  • transparency; 
  • purpose specification;
  • data minimization; 
  • avoiding secondary use;
  • avoiding unlawful discrimination;
  • other duties regarding sensitive data. 

Which are very similar to the ones mentioned in the CCPA and VCDPA.

 

Data protection assessments: CPA demands DPAs (data protection assessments) to be in place for activities such as targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with VCDPA, the Colorado Attorney General has the right to access the controller’s DPAs.

 

Choose a CPA compliant analytics tool for your website

Here at TWIPLA, helped by a great team of privacy lawyers, we do our best to keep you informed about data privacy laws and to offer you an analytics tool that’s always going to be compliant with the constant legal changes from all over the world.

TWIPLA is CPA, CCPA and VDCPA compliant.

If you haven’t tried our tool yet, you can register for free, and import your Google Analytics historical data with a few clicks. 

 

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security

Categories
You might also like
Why You Don't Actually Need a Cookie Banner
Why cookie banners aren't necessary
05 April 2024 - by Simon Coulthard
Why You Don't Actually Need a Cookie Banner
What is GDPR. Implications of GDPR on Marketers
what-is-gdpr-implications-of-gdpr-on-marketers.jpg
09 February 2022
What is GDPR. Implications of GDPR on Marketers
Cookieless Tracking - the Privacy-First Solution to Website Analytics
cookieless-tracking-the-privacy-first-solution-to-website-analytics.jpg
17 March 2023
Cookieless Tracking - the Privacy-First Solution to Website Analytics
mail-insigh.svg

Insights to Your Inbox

Receive a monthly summary of website intelligence news, advice, and also product updates. And don't worry, we won't tell sales!

SUBSCRIBE

Read next

SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR
SCHUFA - GDPR - Court Decisionn
11 December 2023 - by Simon Coulthard
SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR
Meta's 2024 Twist: Facebook Subscription with Opt-Out Tracking Charges
Facebook Subscription - Meta Charging Users Who Want Their Privacy Rights - TWIPLA Website Intelligence
23 October 2023 - by Simon Coulthard
Meta's 2024 Twist: Facebook Subscription with Opt-Out Tracking Charges
23andMe Privacy Mess: Hacker Steals Millions of Profiles
23andMe privacy - customer profiles available on Dark Web - TWIPLA Website Intelligence blog
16 October 2023 - by Simon Coulthard
23andMe Privacy Mess: Hacker Steals Millions of Profiles
German Data Privacy Laws: Why They’re So Uncompromising
German data privacy laws - why privacy matters in Germany - TWIPLA website intelligence
05 October 2023 - by Simon Coulthard
German Data Privacy Laws: Why They’re So Uncompromising
up-arrow.svg