What is CPA?
CPA is the Colorado Privacy Act, which was signed into law on March 24, 2022. It is a privacy law similar to the US CCPA.
The “sale of personal information” is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”
Differences with CCPA, VCDPA, UCPA, GDPR
- The CPA does not include any revenue thresholds
- Unlike the CCPA and CDPA, the CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data
Who does the CPA apply to?
- Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Personally Identifiable Information (PII)
- Biometric information
- Credit and debit card numbers
- Drivers’ license and license plate numbers
- Email addresses
- Employment information
- Financial data
- Healthcare and insurance information
- Mailing addresses
- Military ID numbers
- Passport ID numbers
- Physical addresses
- Social Security Numbers
- Student ID numbers
- Telephone numbers
Sensitive personal information
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- A known child
Consumer rights under CPA
- Right of access
- Right to correction
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising, sale, or profiling using their personal data
- Right to appeal
CPA enforcement and fines
The controller has 60 days to cure the violation.
A noncompliant entity may be fined up to $20,000 per violation.
CPA and consent management
Opt-out model: like the other state-level laws adopted in the US to date, in most cases data controllers do not need to get consumers’ consent before collecting their personal information.
Controllers are likewise prohibited from processing 'sensitive data' without consent. Consent must be “freely given, specific, informed, and unambiguous.”
Absent consent, the CPA dictates a controller shall not process personal data for “purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed.”
The Colorado Privacy Act (CPA) Timeline
- Signed into law on July 8, 2021
- The CPA will take effect on July 1, 2023
Other US State Privacy Laws
- CCPA: California Consumer Privacy Act, learn more at CCPA
- CPRA: California Privacy Rights Act, learn more at CPRA
- CPA: Colorado Privacy Act, learn more at CPA
- VCDPA: Virginia Consumer Data Protection Act, learn more at VCDPA
- UCPA: Utah Consumer Privacy Act, learn more at UCPA
- CTDPA: Connecticut Data Protection Act, learn more at CTDPA
- COPPA: Children’s Online Privacy Protection Act, learn more at COPPA
How to comply with the Colorado Privacy Act and implement a compliance solution?
Use a consent management platform like UniConsent to offer consumers full control of data collection and opt-out features, and to manage the communication of preferences.