🆕  2025 U.S. State Privacy Laws: what you need to know

Colorado Privacy Act

The U.S. still doesn’t have a comprehensive privacy law and is mostly governed under a handful of sectoral laws such as COPPA, HIPAA and GLB. In response to what they perceive is a vacuum at the federal level, a number of U.S. states have enacted their own comprehensive privacy laws. The Colorado Privacy Act (CPA) was signed into law on July 8, 2021. It is the third U.S. state to pass a comprehensive data privacy law protecting its residents, following California and Virginia.

Keep reading to learn more about the Colorado Privacy Act:
‍
‍

  • What kinds of companies are affected
  • What’s expected of your organization
  • Practical steps to make your company compliant
Colorado privacy law at a glance

The Colorado Privacy Act (CPA), effective July 1, 2023, is similar in many respects to recent privacy laws passed in California, Connecticut, Nevada, Utah, and Virginia.

What these U.S. state laws have in common is the implementation of a notice and opt-out choice regime. A “notice and opt-out choice regime” means that business can process most types of data as long as there is a consumer-facing privacy notice that describes the intended use of data, and the consumer (data subject) is provided with the opportunity to opt-out of certain uses of such data (e.g., profiling, sale, targeted ads).
‍

What makes the Colorado Privacy Act unique?


Like California’s CCPA/CPRA, the CPA is supplemented by a set of regulations. A regulation is a rule or order that is issued by a government agency to implement a law. The Colorado attorney general crafted the CPA regulations with some input from the public, including the business community. Regulations are usually more specific than laws, and they provide guidance on how to comply with the law. 

The Colorado Privacy Act (CPA) goes into effect on July 1, 2023 and will be enforced by the Colorado Attorney General. It’s notable that certain obligations don’t go into effect until January 1, 2024 and there’s a 60-day right to cure most violations until January 1, 2025.

Disclaimer
‍
Ketch specializes in giving brands and businesses a platform to simplify privacy operations in a complex regulatory landscape. We are not trying to provide legal advice. Keep reading for a crash-course in CPA compliance, including how Ketch can help you meet your regulatory compliance goals.
Who does the Colorado Privacy Act apply to?

The CPA applies to companies that conduct business in Colorado and/or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either:

Controls or processes the personal data of 100,000 or more consumers during a calendar year
Both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado consumers.


The CPA defines “consumers” to mean Colorado residents acting only in an individual or household capacity. It does not include Colorado residents acting in a commercial or employment capacity.

Understanding the CPA requirements

The CPA mostly adopts a notice and opt-out choice regime, and enables consumers to opt-out of sale, targeted advertising and profiling. Colorado also provides consumers with the right to access, correct and delete their data. But there are some nuances to the Colorado Privacy Act which are worth noting.

Key Concepts in the Colorado Privacy Act


Broad definition of personal information

Like most privacy and data protection laws promulgated over the past five years, Colorado has adopted a broad definition of personal information. It is designed to cover pseudonymous personal data (e.g., IP address, Mobile Advertising ID (MAID), Hashed Email (HEM)) and identifiable personal data (e.g., email or postal address, telephone number). There are exemptions for “public” information and “de-identified” data.
‍
Consumer Choice / Consent
Colorado mostly has a notice and opt-out choice regime. That means that you can process most types of data, so long as:

  • There’s a privacy notice provided that describes the intended use of the data, and
  • The data subject is provided with the opportunity to opt-out of certain uses of such data (e.g., profiling, sale, targeted ads)

But be careful! Colorado’s guidance requires consent if your use of data is outside the scope of the privacy policy under which the data was initially collected (i.e., a secondary use of data). Also, Colorado requires opt-in consent for the processing of “sensitive information” (see below).  

Data Subject Access Requests
A data subject access request (DSAR) is a formal request from an individual (the data subject) to a company, requesting a copy of their personal data stored with the company. The CPA provides consumers with the right to see the data that companies have on them (including pseudonymous data, in many instances). Consumers then have the right to correct and/or delete that information.

Sensitive Data
The CPA has created a new category of data called “Sensitive Data.” Sensitive Data is modeled on “special category” data in EU data protection law. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child. 

Colorado requires opt-in consent prior to processing sensitive data. More importantly, the CPA Guidance’s inclusion of inferences and derivative data indicates that “health conditions” and other forms of sensitive data should be construed broadly. Collecting potentially sensitive data will likely require some adjustments to many companies’ data taxonomy and data governance ruleset.

Controller / Processor
The CPA utilizes the GDPR terms for controller (i.e., controls the means of processing) and processor (i.e., takes direction from the controller). Moreover, the CPA requires processors to offer controllers an opportunity to object to the use of sub-processors and provides certain rights for controllers to audit the privacy practices of their processors.

Data Governance
Like some other states, Colorado places guard rails around how companies may process data. The expectation is for companies to only collect data that is absolutely necessary (“data minimization”) and to store it for as little time as possible (“data retention”).
‍
Privacy Impact Assessment
Another concept borrowed from EU data protection law, Colorado requires companies to complete Privacy Impact Assessments (PIAs): systematic evaluations of their data collection and use practices with an eye towards identifying risks and minimizing or eliminating those risks. The Colorado AG’s guidance provides a roadmap for what the AG expects to see within a privacy impact assessment.
‍
Data Processing Agreements
The CPA suggests a data processing agreement (DPA) between controllers and processors. The purpose of a DPA is to outline how the parties plan to ensure that their intra-party data transfers are compliant with privacy laws, and to specify the permitted uses of the data.
‍

The Price of Non-Compliance:
Regulatory Fines Across U.S. State Privacy Laws


While GDPR ushered in a new era of large privacy and compliance fines, a few of the U.S. State Privacy Laws also incorporated some fairly aggressive fine structures. The first CCPA fine was $1.2 million. Fines are often determined by the number of violations–which is often dependent on the number of records in your database. Needless to say, those numbers can add up quickly if you’re working with millions of consumers in one of the states–and the fines typically don’t include legal fees or injunctive relief.

Here’s a thumbnail of the fine structures across various U.S. states, including Colorado:

How to Ensure You’re CPA Compliant

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:

01
Focus on the scope of the privacy notice(s) presented to data subjects

CPA generally operates under a notice and opt-out choice privacy regime. However, the CPA and CPA Regulations impose an opt-in consent standard where data is used or shared for a “secondary use.” As a result, it’s really important to provide clear and detailed privacy notices–and the privacy notice that data was collected under so as to ensure that you’re not tripping into an opt-in consent standard inadvertently.

02
Label your data

The only way to manage data governance across a full data ecosystem is to individually label every single bit of data you collect, effectively creating a layer of metadata that articulates how any given fact or unit of information can be used [APC1] .

Ketch can automatically crawl and scan your data ecosystem to create and maintain that classification of data labeling metadata so that you can understand, and act on data that’s within the scope of the Colorado privacy regulation.

 Learn more here
03
Stay flexible

Your data labels can’t be written in permanent ink. Instead, they need to reflect the rules under which the data subject is operating (which may be subject to change). For that reason, it’s important that your systems are nimble and flexible enough to allow users to change their minds and revoke or modify permissions at any moment.

04
Tell your partners

Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.

05
Document everything

Given the amount of time and energy the Colorado AG has dedicated to creating the CPA Regulations, we believe that it is likely that the CPA will be robustly enforced–even during the period where the CPA has a 60 day notice and cure period in place. Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators.

06
Understand the Global Privacy Control

Like many of the other U.S. States, Colorado requires adherence to opt-out requests sent by a “Universal Opt-Out Mechanism” (UOOM). These provisions are not set to go into effect until January 1, 2024. While the Colorado AG will create a list of recognized UOOMs and provide controllers with six months to implement newly added UOOMs. Given the limited timeline for implementation, it would be prudent to say abreast of new UOOMs so as to ensure that you are in position to honor their signals.

07
Engage a qualified legal or privacy professional

Unlike GDPR, the CPA does not require the appointment of a data protection or privacy officer with a legally mandated set of responsibilities. Regardless, it’s still a good idea to have an internal person or team dedicated to ensuring privacy compliance. And bringing in an outside resource such as a privacy lawyer can help you make sure you understand all of your compliance obligations.

08
Stay up to date

Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with Colorado Privacy Act as they exist today, but with any new iterations or copycat statutes introduced by other states.

Getting CPA compliant with Ketch

Meeting your company’s obligations under the Colorado Privacy Act can seem daunting, especially if you aren’t a regulatory or policy specialist. When you partner with Ketch, we help you ensure your company is compliant with the CPA, as well as all other U.S. State Privacy Laws.

With the Ketch Data Permissioning Platform, you can:

  • Use our “clicks-not-code” interface to create policies for how data is handled throughout your data ecosystem, leveraging our templates for Colorado-specific compliance
  • Create customized, jurisdictionally-aware privacy notices for your customers
  • Deploy Ketch data mapping and discovery tools to find and classify sensitive and personal data in every internal and external system
  • Assign data processing purposes (like analytics or targeted advertising) and permissions to data, so you know exactly how your data may be used, sold, and/or shared
  • Use our drag-and-drop DSR workflow tool to create automated, end-to-end DSR fulfillment processes that replace internal stakeholder tasks with automated execution of access and deletion requests 

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)
Get in touch today to learn more about how Ketch can help