What is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) is a comprehensive data privacy law that protects the rights of Colorado residents regarding the processing of their personal information by companies that conduct business in the state. The law, which went into effect in July 2023, requires many companies to:
- Provide a detailed privacy disclosure regarding how personal information is processed.
- Provide individuals with the right to access their information, obtain copies, and correct and delete data (with exceptions). Companies also must let individuals opt out of information being used for profiling and targeted advertising.
- Restrict processing of sensitive information (such as health data, precise geolocation, and children’s information) without the individual’s opt-in consent unless the processing is necessary for a stated purpose.
- Conduct a written risk assessment regarding processing sensitive information, children’s information, or using information for profiling or targeted advertising.
- Enter into detailed agreements with third parties that handle personal information (outsourcing and data sharing).
Who is covered under the CPA?
The law applies to companies that conduct business in Colorado, deliver products or services targeted to Colorado residents, or process the personal information of Colorado residents and hit a certain user or revenue threshold. It does not matter whether the companies are located in the state or whether they are for-profit corporations. Personal information includes data such as online identifiers, cookie information, precise geolocation, and biometrics.
Why is the CPA important?
Shortly after the law went into effect in July 2023, Colorado Attorney General Phil Weiser began sending letters to dozens of businesses as part of an enforcement sweep. The Attorney General’s office stated that compliance with the law is being taken seriously, but that consideration will be given to companies demonstrating an effort to comply.
How can Fox Rothschild help?
For years, Fox Rothschild has helped companies comply with similar privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). Our team advises on general compliance and responds to specific questions, keeping clients ahead of regulators. We have helped companies:
- Draft privacy notices that are “human readable” and pass the “clear and conspicuous” test.
- Design websites to address the collection and sharing of information through cookies and pixels.
- Develop processes for responding to consumer requests (access, correction, deletion, opt out, etc.) in a timely, complete, and accurate manner.
- Analyze uses of sensitive information to determine whether consent is necessary and how to obtain consent in Colorado (similar to the complex GDPR consent).
- Prepare and draft data protection impact assessments (DPIA) that comply with the Colorado law.
- Draft and negotiate the processor and third-party agreements that are required with vendors.
Resources
- The Colorado Privacy Act: What is New in the Final Version of the Rules?
- Denver Business Journal: Are Businesses Ready for the Coming Colorado Privacy Act?
- New Day, New Colorado CPA Rules Revisions
- Revised Colorado CPA Rules Are Here: What You Need to Know
- CPA Draft Rules: A Six-Part Series; Part 1: Colorado Issues Draft Rules to Supplement Privacy Law
- IAPP: Why US-Based Companies Should Care About the Norway DPA's Interpretation of GDPR Consent
For more information, please contact Odia Kagan at okagan@foxrothschild.com or another member of Fox Rothschild's national Privacy & Data Security Practice.

