December 4, 2022

Volume XII, Number 338


December 02, 2022


New Colorado Privacy Act

Like Virginia and Washington before it, on March 19, 2021, Colorado introduced a data privacy bill, the Colorado Privacy Act (CPA). As currently drafted, the CPA would be similar to other U.S. state privacy laws, including California’s CCPA, Virginia’s Consumer Data Protection Act and Washington’s Privacy Act, although it also bears a close resemblance to the GDPR. If passed, the CPA would go into effect on January 1, 2023.

Who would be subject to the CPA?

The CPA applies to organizations that conduct business in Colorado or intentionally target their products / services to Colorado residents (individuals or households (“Consumers”)) that either: (1) control or process personal data of more than 100,000 Consumers per calendar year; or (2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 Consumers. As with California’s CCPA, the CPA does not apply to employment records and other personal data governed by certain state and federal laws.

What are the main obligations?

The CPA grants Consumers certain rights, namely the right to:

  • Opt-out of the processing of personal data;

  • Authorize another person to act on their behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the Consumer’s data;

  • Confirm whether personal data is being processed and access that data in a portable and readily usable format;

  • Correct inaccurate personal data;

  • Delete personal data; and

  • Obtain consent before collection of certain sensitive personal data (personal data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status).

Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.

Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.

What are the main sanctions for noncompliance?

The Colorado Attorney General’s office and state district attorneys would enforce the CPA. The bill provides for civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. There is no private right of action.

© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume XI, Number 99

About this Author


Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters. Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing. She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

Ephraim T. Hintz Technology Transactions Attorney Polsinelli Denver, CO

Ephraim Hintz is an associate attorney in the Technology Transactions and Data Privacy practice group. Ephraim’s practice is made up of three (3) subset areas: incident response, technology transactions, and data privacy compliance. Ephraim routinely advises his clients on how to effectively investigate and respond to data security incidents. Ephraim is a skilled drafter and assists his clients with negotiating and drafting SaaS licensing agreements, cloud computing agreements, maintenance and online service terms, and data processing addendums. Ephraim’s knowledge and experience with...

Thomas P. Weber Technology Transactions Attorney Polsinelli Denver, CO

Thomas Weber is an associate in the Technology Transactions and Data Privacy practice. He helps clients with data compliance matters, including compliance with the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), and Gramm-Leach-Bliley Act (GLBA). Thomas also advises clients in breach response matters. Prior to joining the firm, he was a law clerk to the Honorable Judge Rebecca R. Freyre.