• Blog
  • The Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA)

Simon Coulthard July 15, 2021

2 Minute Read

Colorado is the third US state after California and Virginia, to pass a law meant to protect the data of its citizens. 
The Colorado Privacy Act was signed into law by Governor Jared Polis on the 7th of July, 2021. This new privacy act will go into effect in July 2023. Here’s what you, as a website owner, need to know about this.

Colorado Privacy Act in a Nutshell

According to the Colorado General Assembly, the legislature of the State of Colorado, this bill’s purpose is to create and implement personal data privacy rights and:

  • “Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
  • Control or process personal data of more than 100,000 consumers per calendar year; or
  • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
  • Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.


Consumers have the right to opt-out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a "controller" as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A "processor" means a person that processes personal data on behalf of a controller.”


The Similarities and Differences between US Data Privacy Laws

As mentioned before, CPA follows the principles of its counterpart laws the California Consumer Privacy Act (CCPA) and The Virginia Consumer Data Protection Act (VCDPA), both of which are based on the principles of the European General Data Protection Regulation, also known as the GDPR.


Defining consumer rights: All of these 3 laws provide rights for access, deletion, correction, portability, and opt-out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. A difference between CCPA and CPA is that Colorado consumers need to use an authorized agent for sale opt-out requests.


Addressing consumer rights decisions: Colorado’s consumer appeal process is similar to Virginia’s. Under CPA, if a consumer has a valid request, the controller must allow the consumer to appeal its decision. The controller must also let the consumer know the reasons for rejecting the request and also inform him or her of the right  to contact the Attorney General “if the consumer has concerns about the result of the appeal.”


Opt-out requests: Unlike in the Californian law, which makes the global privacy control optional, controllers must comply with the universal opt-out under CPA. The technicals specifications for this process are still in debate but will be announced well before the law goes into effect in July 2023.


Data processing consent: Similar the Virginia law, CPA requires opt-in consent for processing sensitive personal data such as:

  • citizenship;
  • racial or ethnic origin;
  • religious beliefs;
  • genetic or biometric data used for identifying any unique individual. 

The Colorado Privacy Act also requires consent for processing under 13 year’s old children’s information.

Controller obligations: CPA’s list of duties for controllers include:

  • transparency; 
  • purpose specification;
  • data minimization; 
  • avoiding secondary use;
  • avoiding unlawful discrimination;
  • other duties regarding sensitive data. 

Which are very similar to the ones mentioned in the CCPA and VCDPA.


Data protection assessments: CPA demands DPAs (data protection assessments) to be in place for activities such as targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with VCDPA, the Colorado Attorney General has the right to access the controller’s DPAs.


Choose a CPA compliant analytics tool for your website

Here at TWIPLA, helped by a great team of privacy lawyers, we do our best to keep you informed about data privacy laws and to offer you an analytics tool that’s always going to be compliant with the constant legal changes from all over the world.

TWIPLA is CPA, CCPA and VDCPA compliant.

If you haven’t tried our tool yet, you can register for free, and import your Google Analytics historical data with a few clicks. 


Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security