# Website Accessibility

The Colorado Privacy Act and Why It Matters

Authored by Civic Plus


March 16, 2023

Colorado is the latest U.S. state to enact detailed privacy laws. But what is this new Act? And what potential impact could it have on entities that operate in Colorado?

The Colorado Privacy Act is a new data privacy law that applies to any legal entity that “conducts business in Colorado or delivers commercial products or services that are intentionally targeted to residents of Colorado.”

The Act has been designed to give Colorado residents the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling.

Starting July 1, 2024, controllers will need to honor user-selected universal opt-outs for targeted advertising and sales. This means that website visitors will need to be given clear notice on how their personal data is being used, as well as an option to opt out of this practice. Ultimately, this will lead to a greater degree of online transparency and choice regarding how an individual’s personal data is collected, stored and used.

The passing of this act is significant in that it makes Colorado only the third state to have comprehensive privacy laws in place.

While the CPA is in some important respects very similar to the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA), there are some crucial distinctions that should be made clear.

For example, while both California’s and Virginia’s Acts took effect in January of 2023, the CPA does not come into force until July 1, 2024.

Another notable difference is that, unlike the CCPA, the CPA does not include any revenue thresholds, meaning that organizations cannot become subject to the law solely based on their annual revenues.

Also, while both Virginia’s and California’s privacy laws each include an exemption for nonprofit organizations, the CPA does, in fact, apply to nonprofits that meet certain thresholds.

Understanding the Scope of Colorado’s Privacy Act

Under the CPA, “personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.”

Organizations covered by the Act are obliged to provide website visitors with clear privacy notices and to conduct data protection assessments for any personal data processing that presents a heightened risk of harm to others. While this is not something that is precisely defined in the Act, organizations would be well advised to take a wide view when assessing what personal information could be considered to present a “heightened risk of harm to others.”

Ultimately, when compared with the CCPA, the scope of the CPA is broader in some regards and narrower in others, and when compared with the CDPA, it is notably broader in scope.

Just like the Acts in California and Virginia, the CPA will apply to organizations that control the personal data of 100,000 or more consumers per year. In addition, the CPA will also apply to businesses that handle or process the personal data of 25,000 or more consumers, as well as those who derive revenue or receive a discount on the price of goods and services from the sale of personal data.

It is important to note, however, that all three of the Acts include exemptions for organizations that are already regulated under federal laws.

Enforcement and Compliance

As with the Virginia CDPA, the CPA does not provide for a private right of action, meaning that the Attorney General and district attorneys will have sole authority to enforce the act.

Organizations covered by Colorado’s new privacy laws should immediately start taking steps to ensure they are in line with its requirements. These steps should include:

  • Implementing cybersecurity safeguards.
  • Creating a process to allow consumers to submit personal data requests.
  • Creating a process for appealing personal data request decisions.
  • Making it clear that website visitors have the right to opt out of targeted advertising and the sale of their personal data.
  • Establishing a user-selected universal opt-out mechanism by July 1, 2024.
  • Updating your Privacy Policy to explain how data is collected and used.
  • Updating your contracts with third parties to ensure compliance with the laws.
  • Obtaining consent before collecting visitor data.
  • Setting up a procedure to establish when a data protection assessment should be conducted.

By following all the above steps, you can rest assured that you are doing everything within your power to prepare your organization’s website for the CPA’s requirements and to provide your visitors with the level of data protection they have come to expect and, quite frankly, deserve.

Final Advice

While at the time of writing, Colorado remains one of only three states to successfully pass comprehensive data privacy laws, it’s clear other states will soon follow in their wake. Wherever your organization operates, it is only a matter of time before a similar law is passed that applies to your area.

In other words, now is a good time to check your website’s handling of personal information.

Ultimately, staying ahead of the game when it comes to data privacy is sure to provide huge benefits for both you and your website visitors somewhere down the line.
