Colorado is now the third state to enact a privacy law, behind California and Virginia, creating even more of a patchwork of laws that businesses must keep up with. Similar to the Virginia Consumer Data Privacy Act (VCDPA), Colorado lawmakers used the Washington Privacy Act as the framework for the new privacy regulation. 

The CPA was passed within a three-month period, making it one of the fastest-passed privacy laws in the U.S. However, as ransomware attacks continue to affect the data of millions of individuals, the focus on data privacy could not come at a better time. With more states added to the mix, this pushes federal lawmakers to enact a federal privacy law that streamlines data privacy requirements to reduce the patchwork of state law requirements that may not fully align with one another. 

Who Is in Scope Under the CPA?

The CPA applies to organizations that conduct business in Colorado or provide products or services that are intentionally targeted to Colorado residents. Most of the CPA’s provisions will not take effect until July 1, 2023, giving businesses in scope a two-year grace period to prepare. 

Those covered under the CPA include legal entities that process or control the personal data of 100,000 or more consumers per year or make money or get discounts from selling personal data of 25,000 or more consumers. Companies also would have to make clear the type of data they collect, what they plan to do with it, and how long they store it.

Similar to the VCDPA, the new privacy regulation does not contain a monetary threshold for applicability. The CPA already includes various exemptions that other privacy regulations are already familiar with. 

Who Enforces the CPA? 

The Colorado attorney general’s office and state district attorneys will be responsible for enforcing the CPA. There will be a right to cure period for organizations that violate the CPA. This means the attorney general or district attorneys must first notify a business of an alleged violation. Once an organization is notified, it has 60 days to correct the violation. However, this right to cure provision will sunset on Jan. 1, 2025, and after this date, the ability to cure an alleged violation will need significant attention and advice of counsel. 

Organizations that violate the CPA can incur civil penalties of no more than $2,000 per violation and not exceed $500,000 in total for any related series of violations. 

What Are the Top 3 Requirements Businesses Should Know?

  1. Any organization that does business in Colorado must ensure it is in scope of the CPA. Unlike the California Consumer Privacy Act, a business does not have to be within a certain financial threshold to be considered responsible for complying with the CPA. It is critical for organizations to identify how much data they control, process, share, and sell that belongs to Colorado residents. Performing a data audit to categorize the type of data the organization processes is critical because the CPA will require covered businesses to provide their consumers with clear notice and the opportunity to opt-out of processing sensitive information. It is critical to flag any personal consumer data that could be deemed as sensitive information.
  2. Covered businesses must start thinking about how they are going to implement a universal opt-out mechanism for consumers. Effective Jan. 1, 2024, any organization that processes data for targeted advertising purposes or the sale of personal data must allow users to opt-out of the processing of such data through a user-selected universal opt-out mechanism.
  3. The CPA will require organizations to conduct data protection assessments for each of their processing activities involving personal data that presents a heightened risk of harm to consumers. This means organizations engaged with targeted advertising, sale of data, and certain types of profiling, processing of sensitive data, or processing activities that present a heightened risk of harm to consumers must conduct and document data protection assessments.

As bad actors are constantly finding new ways to penetrate networks and server ecosystems, businesses need to have plans in place to protect consumer privacy from ransomware and other attacks that leave personal data vulnerable. 

Colorado’s new data privacy regulation proves that states are prioritizing protecting personal data. As new laws are still awaiting review, businesses will need to keep up with a patchwork of individual state regulations. In addition, it can be nearly impossible for organizations to meet consent, policies, and data deletion requirements that fall under global and U.S. privacy regulations such as the CPA without stringent data privacy and data security policies in place. Implementing strong cybersecurity practices allows organizations to prevent, detect, and respond to malicious activity that could jeopardize access to sensitive data. Access our on-demand webinar You Can’t Protect Privacy Without Security with data privacy experts to learn more about what you can do to protect your data.

Monique Becenti

Product Marketing Manager | Pondurance

Monique is a Product Marketing Manager and has worked in cyber security roles for more than 5 years. Prior to joining Pondurance, Monique worked with Truyo powered by Intel®, specializing in data privacy rights automation and consent management and was a product and channel marketing specialist at SiteLock. Monique has a passion for cyber security and leveraging her knowledge to create better experiences for consumers and businesses throughout their customer journey. Outside of cyber security, Monique loves photography and taking pictures of the beautiful Arizona sunsets and landscape.