Colorado - Data Protection Overview

October 2023

1. Governing Texts

The Colorado State Governor signed Senate Bill ('SB') 21-190, an Act concerning additional protection of data relating to personal privacy, otherwise known as the Colorado Privacy Act ('CPA'), on July 7, 2021. The bill had been re-passed by the Colorado Senate on June 8, 2021, after the Senate considered amendments made to the CPA by the Colorado House of Representatives. The Colorado Privacy Act Rules ('the CPA Rules') were subsequently published by the Attorney General of Colorado ('AG') on March 15, 2023.

Please note that the CPA and the CPA Rules came into force on July 1, 2023.

1.1. Key acts, regulations, directives, bills

  • the CPA; and
  • the CPA Rules.

1.2. Guidelines

The AG has published a Frequently Asked Questions & General Information section on its CPA Portal.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The CPA applies to controllers that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to Colorado residents, and that satisfy one or both of the following thresholds (§6-1-1304(1) of the CPA):

  • control or process personal data of 100,000 consumers or more per calendar year; or
  • derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

2.2. Territorial scope

The CPA applies to controllers that conduct business or produce or deliver commercial products or services that are intentionally targeted to Colorado residents (§6-1-1304(1) of the CPA).

2.3. Material scope

The CPA applies to personal data which is defined as information that is linked or reasonably linkable to an identified or identifiable individual (§6-1-1303(17)(a) of the CPA).

The CPA does not apply to certain personal data that is governed by listed state and federal laws (for example, certain protected health information, certain health-care information, and identifiable private information under Title 45 of the Code of Federal Regulations, among others), to certain listed activities, or to employment records (§6-1-1304(2) of the CPA).

Moreover, when processing de-identified data, the CPA does not require a controller or processor to do any of the following solely for purposes of complying with the CPA (§6-1-1307(1) of the CPA):

  • reidentify de-identified data;
  • comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to §6-1-1306(1) of the CPA, if all of the following are true:
    • the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
    • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or
  • maintain data in an identifiable form, or collect, obtain, retain, or access any data or technology, in order to enable the controller to associate an authenticated consumer request with personal data.

Furthermore, the rights contained in §6-1-1306(1)(b) to (1)(e) of the CPA do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information (§6-1-1307(3) of the CPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator within Colorado.

3.2. Main powers, duties and responsibilities

The CPA gives the AG and the District Attorneys ('DAs') the power to enforce the CPA (§6-1-1311 of the CPA).

Moreover, the CPA provides that the AG may promulgate rules for the purposes of establishing a universal opt-out mechanism and is required to do so by July 1, 2023. Please note that from July 1, 2024, controllers that process personal data for the purposes of targeted advertising or the sale of personal data must allow consumers to exercise their right to opt out of that processing through a user-selected universal opt-out mechanism that meets the technical specifications established by the AG (§6-1-1306(1)(a)(3)(b) of the CPA).
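As an added example of how a controller's web tier might honor such a signal (this is not code from the page, the AG, or the CPA Rules): it assumes the mechanism is carried as an HTTP request header named Sec-GPC whose value is exactly 1, which is how Global Privacy Control expresses the signal; whether any particular mechanism meets the AG's technical specifications is a question for the AG's published list, not for this code. The header dictionaries, the purpose names and the stored-preference sets are constructed inputs.

```python
from dataclasses import dataclass

# The two processing purposes the CPA's universal opt-out right covers.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


@dataclass(frozen=True)
class OptOutDecision:
    # Purposes the controller must not pursue for this request.
    blocked_purposes: frozenset
    # Where the decision came from: "universal_signal", "stored_preference" or "none".
    source: str


def universal_signal_present(headers):
    """Return True only for a well-formed opt-out signal.

    Assumption: the mechanism is a request header named Sec-GPC whose value is
    the single character "1" (Global Privacy Control's encoding). Header names
    are matched case-insensitively; any other value ("true", "yes", "") is not
    treated as an opt-out, so a misconfigured client cannot silently widen or
    narrow the decision.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def evaluate_opt_out(headers, stored_opt_out=None):
    """Combine the per-request signal with the consumer's stored preference.

    The stored preference is the set of purposes the consumer opted out of
    through the controller's own interface; it persists on a later visit even
    if the browser sends no signal. A universal signal blocks both covered
    purposes regardless of stored state. Purposes outside the opt-out right
    (for example "security" or "analytics") are never blocked here.
    """
    stored = frozenset(stored_opt_out or ()) & OPT_OUT_PURPOSES
    if universal_signal_present(headers):
        return OptOutDecision(OPT_OUT_PURPOSES, "universal_signal")
    if stored:
        return OptOutDecision(stored, "stored_preference")
    return OptOutDecision(frozenset(), "none")


def may_process(purpose, decision):
    """Gate a single processing purpose on the decision for this request."""
    return purpose not in decision.blocked_purposes


if __name__ == "__main__":
    # Constructed request headers, as a WSGI/ASGI layer might present them.
    request = {"Host": "shop.example", "sec-gpc": "1", "User-Agent": "Constructed/1.0"}
    decision = evaluate_opt_out(request, stored_opt_out=None)
    print(decision.source, sorted(decision.blocked_purposes))
    print("targeted advertising allowed:", may_process("targeted_advertising", decision))
```

The check is deliberately strict about the header value: honoring anything other than the exact encoding the mechanism specifies would let a stray or spoofed header change what the controller records as the consumer's choice.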

In addition, the CPA outlines that by January 1, 2025, the AG may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense for an action that may otherwise constitute a violation of the CPA. The rules must become effective by July 1, 2025 (§6-1-1311(1)(d) of the CPA).

Furthermore, as per §6-1-107 of the CPA, when the AG or a DA has reasonable cause to believe that any person, whether in Colorado or elsewhere, has engaged in or is engaging in any deceptive trade practice, they have the following powers:

  • to issue subpoenas (§6-1-108 of the CPA); and
  • to seek restraining orders or injunctions (§6-1-110 of the CPA).

4. Key Definitions 

Data controller: A person that, alone or jointly with others, determines the purposes for and means of processing personal data (§6-1-1303(7) of the CPA).

Data processor: A person that processes personal data on behalf of a controller (§6-1-1303(19) of the CPA).

Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified data or publicly available information (§6-1-1303(17) of the CPA).

In addition, publicly available information means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public (§6-1-1303(17)(b) of the CPA).

Sensitive data: The CPA defines 'sensitive data' as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child (§6-1-1303(24) of the CPA).

Health data: The CPA defines 'health-care information' as individually identifiable information relating to the past, present, or future health status of an individual (§6-1-1303(13) of the CPA).

Biometric data: Not applicable.

Pseudonymization: The CPA defines 'pseudonymous data' as personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual (§6-1-1303(22) of the CPA).
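The definition above, and the §6-1-1307(3) exemption in section 2.3, both turn on the identifying information being held separately under controls that the controller's processing side cannot reach. The following is an added example (not code from the original page, the AG, or the CPA Rules) showing why an unkeyed hash of an identifier does not meet that bar while a keyed pseudonym, with the key held by a separate custodian, does. The email addresses, the `KeyCustodian` role, the page-view attributes and the lower-casing of identifiers are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed identifiers for the example; not real people.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


class KeyCustodian:
    """Holds the pseudonymization key, i.e. the 'additional information' the
    CPA definition requires to be kept separately. In a real deployment this
    would be a KMS/HSM-backed service whose role the analytics side cannot
    assume; here it is a constructed in-process stand-in."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonymize(self, identifier):
        # Keyed HMAC-SHA256: without self._key nobody can recompute a token for a guess.
        return hmac.new(self._key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def naive_pseudonymize(identifier):
    """Unkeyed hash. Often mislabelled 'anonymization'; the 'additional
    information' needed to re-link it is just a list of candidate emails."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def build_dataset(pseudonymize, emails):
    """Analytics-side store keyed by token only; raw identifiers are never stored.
    The page-view counts are constructed attributes."""
    return {pseudonymize(e): {"page_views": 10 * i} for i, e in enumerate(emails, start=1)}


def dictionary_attack(dataset, candidates, pseudonymize):
    """Try to re-identify records using only the dataset and a guess list."""
    found = {}
    for candidate in candidates:
        token = pseudonymize(candidate)
        if token in dataset:
            found[token] = candidate
    return found


def reidentify_naive(dataset, candidates):
    # The attacker recomputes the same unkeyed hash: every guessable email links.
    return dictionary_attack(dataset, candidates, naive_pseudonymize)


def reidentify_keyed_without_key(dataset, candidates):
    # The attacker has the dataset but not the custodian's key; a fresh key
    # yields tokens that never match, so the guess list is useless.
    return dictionary_attack(dataset, candidates, KeyCustodian().pseudonymize)


def locate_consumer_records(custodian, dataset, identifier):
    """What answering an access or deletion request would take: the custodian.
    If organizational controls stop the controller's processing side from
    invoking this, the data set is pseudonymous data in the CPA's sense."""
    return dataset.get(custodian.pseudonymize(identifier))


if __name__ == "__main__":
    naive = build_dataset(naive_pseudonymize, SAMPLE_EMAILS)
    print("naive re-identified:", len(reidentify_naive(naive, SAMPLE_EMAILS)))
    custodian = KeyCustodian()
    keyed = build_dataset(custodian.pseudonymize, SAMPLE_EMAILS)
    print("keyed re-identified without key:", len(reidentify_keyed_without_key(keyed, SAMPLE_EMAILS)))
    print("custodian lookup for bob:", locate_consumer_records(custodian, keyed, "bob@example.com"))
```

The point for the §6-1-1307(3) demonstration is the last function: re-linking a request to a record is only possible through the custodian, so the evidence that the exemption applies is the access policy on that role, not the hash algorithm alone.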

Data subject: The CPA does not define 'data subject' but instead refers to 'consumers', defined as individuals who are Colorado residents acting only in an individual or household context; the term does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context (§6-1-1303(6) of the CPA).

5. Legal Bases

5.1. Consent

The CPA defines 'consent' as a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent (§6-1-1303(5) of the CPA):

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing, or closing a given piece of content; and
  • agreement obtained through dark patterns.

Part 7 of the CPA Rules sets forth extensive provisions on consent requirements (Rule 7.01 of the CPA Rules). Importantly, the CPA Rules specify that consent is not freely given when it reflects acceptance of general terms of use or a similar document that contains descriptions of personal data processing along with other unrelated information (Rule 7.03(C)(2)(a) of the CPA Rules). Additionally, after stating that consent must be specific, the CPA Rules clarify that controllers may request consent to process personal data for multiple processing purposes that are not reasonably necessary to, or compatible with, one another using a single consent request, as long as there is also an option for more granular consent within the same consent interface (Rule 7.03(D)(1)(a) of the CPA Rules). A further clarification concerns the specificity of consent: consent to process personal data for one specific purpose does not constitute valid consent to process personal data for other purposes that are not reasonably necessary to, or compatible with, that specific purpose (Rule 7.03(D)(2) of the CPA Rules).

Uniquely, the CPA Rules establish the rules on consent refresh and introduce the provision that when a consumer has not interacted with a controller in the prior 24 months, the controller must refresh consent to continue processing sensitive data, or to continue processing personal data for a secondary use, if the secondary use involves profiling for a decision in a variety of specified cases. It is specified that controllers are not required to refresh consent where a consumer has access and the ability to update their opt-out preferences at any time through a user-controlled interface (Rule 7.08 of the CPA Rules).

5.2. Contract with the data subject

The obligations imposed under the CPA do not restrict a controller or processor's ability to provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract (§6-1-1304(3)(a)(VIII) of the CPA).

5.3. Legal obligations

The obligations imposed under the CPA do not restrict a controller or processor's ability to (§6-1-1304(3)(a)(I) to (IV) of the CPA):

  • comply with federal, state, or local laws, rules, or regulations;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law; or
  • investigate, exercise, prepare for, or defend actual or anticipated legal claims.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

The CPA provides that the obligations imposed on controllers or processors do not restrict their ability to process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing (§6-1-1304(3)(a)(XI) of the CPA):

  • is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
  • is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

5.6. Legitimate interests of the data controller

While the CPA does not expressly address the processing of data for the legitimate interest of the controller, it indirectly provides that the CPA's obligations on controllers and processors do not restrict their ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action (§6-1-1304(3)(a)(X) of the CPA).

5.7. Legal bases in other instances

The obligations imposed on controllers or processors under the CPA do not apply where compliance would violate an evidentiary privilege under Colorado law or prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication.

6. Principles

The CPA outlines data protection principles including the following (§6-1-1308(1) to (6) of the CPA):

  • Duty of transparency: providing consumers with a reasonably clear, accessible, and meaningful privacy notice;
  • Duty of purpose specification: specifying the express purposes for which personal data will be collected and processed;
  • Duty of data minimization: collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
  • Duty to avoid secondary use: not to process personal data for other purposes not compatible with the initial specified purpose unless the controller obtains the consumer's consent;
  • Duty of care: taking reasonable measures to secure personal data, during both storage and use, from unauthorized acquisition; and
  • Duty to avoid unlawful discrimination: not to process personal data in violation of laws that prohibit unlawful discrimination against consumers.

In addition, the CPA requires data controllers to adhere to the following obligations (§6-1-1308(3) to (7) of the CPA):

  • collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
  • not to process personal data for other purposes not compatible with the initial specified purpose unless the controller obtains the consumer's consent;
  • taking reasonable measures to secure personal data;
  • not to process personal data which violates laws that prohibit unlawful discrimination against consumers; and
  • not to process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.

Purpose specification

The final version of the CPA Rules reiterates that controllers must specify the express purposes for which each category of personal data is collected and processed, in both external disclosures and internal documentation. Compared to the previous draft of the CPA Rules, the final version specifies that the express purpose must be described in a level of detail that gives consumers a meaningful understanding of how each category of their personal data is used, and notes that controllers should not specify so many purposes for which personal data could potentially be processed, such as potential future processing activities, that the purpose becomes unclear or uninformative.

Data minimization

Similarly to the previous draft rules, the CPA Rules require controllers to determine the minimum personal data that is necessary, adequate, or relevant for each processing purpose, and to document that assessment, so that only personal data that is reasonably necessary for the relevant purpose is collected (Rule 6.07(A) of the CPA Rules).

In any case, personal data should only be kept in a form which allows identification of consumers for as long as is necessary for the express processing purposes. To ensure compliance with the data minimization obligation, controllers shall set specific time limits for erasure or conduct a periodic review of the personal data retained (Rule 6.07(B) of the CPA Rules). Compared to the draft CPA Rules, the final version further adds that sensitive data for which the controller no longer has consent to process must be deleted or otherwise rendered permanently anonymized or inaccessible within a reasonable period after the withdrawal of consent.

Secondary use

In terms of provisions on secondary use, the CPA Rules do not feature any major substantive change from the draft version. As such, the CPA Rules state that, where personal data is processed for purposes that are not reasonably necessary to, or compatible with, the purpose(s) disclosed to consumers before the time the personal data is collected from them, the controller must obtain the consent of the consumer (Rules 6.08(A) and 6.08(B) of the CPA Rules).

An addition to the previous draft version of the CPA Rules is the provision that, when carrying out the reasonable necessity or compatibility assessment, the controller may consider various factors, such as the reasonable expectation of an average consumer concerning how their personal data would be processed once collected (Rule 6.08(C) of the CPA Rules). By contrast, the draft CPA Rules had specifically required controllers to consider these factors.

Duty of care

Provisions on the duty of care exhibit major innovations and additions when compared to those of the draft CPA Rules. The CPA Rules provide that personal data must be processed in a manner that ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of personal data collected, stored, and processed. The CPA Rules further add that controllers should consider various factors when determining the reasonable and appropriate safeguards, and that such reasonable and appropriate administrative, technical, organizational, and physical safeguards must be designed to (Rule 6.09 of the CPA Rules):

  • protect against unauthorized or unlawful access to, or use of, personal data and the equipment used for the processing and against accidental loss, destruction, or damage;
  • ensure the confidentiality, integrity, and availability of personal data collected, stored, and processed;
  • identify and protect against reasonably anticipated threats to security or the integrity of information; and
  • oversee compliance with data security policies by the controller and processors through reasonable requirements.

7. Controller and Processor Obligations

The CPA outlines that where more than one controller or processor, or both a controller and a processor, involved in the same processing violates the CPA, the liability shall be allocated among the parties according to principles of comparative fault (§6-1-1310 of the CPA).

Privacy notice principles

Part 6 of the CPA Rules clarifies the responsibilities of controllers. In particular, Rules 6.02, 6.03, and 6.04 of the CPA Rules lay down obligations centered on privacy notices. The CPA Rules do not change the intelligibility requirements outlined in the original draft, namely that the information be clear, accessible, and specific. Where the controller's privacy notice includes all of the required information and makes it clear that Colorado consumers are entitled to the rights outlined in §6-1-1306 of the CPA, the controller is not required to offer a separate Colorado-specific privacy notice or section of a privacy notice (Rule 6.02(B) of the CPA Rules).

In relation to the specific information that must be provided, the CPA Rules detail that the privacy notices must comprise the following (Rule 6.03(a) of the CPA Rules):

  • a list of the data rights available;
  • a comprehensive description of the controller's data processing practices, linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that personal data to the controller for a specified purpose;
  • whether the controller's processing activities involve profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
  • a description of the methods through which a consumer may submit requests to exercise data rights;
  • a controller's contact information;
  • if the controller processes sensitive data inferences that it deletes within 24 hours, a description of those sensitive data inferences and the retention and deletion timeline for them;
  • instructions on how a consumer may appeal a controller's action in response to the consumer's request; and
  • the date the privacy notice was last updated.

In the case of substantive changes to a privacy notice, consumers must be notified, using a method regularly used for communications by the controller, and where a material change arises to the level of a secondary use, consent must be obtained from the consumer in order to process the personal data that was collected before the change to the privacy notice for that secondary use (Rules 6.04(a) and 6.04(b) of the CPA Rules).

7.1. Data processing notification

Not applicable.

7.2. Data transfers

The CPA does not address the transfer of personal data. Instead, and regarding de-identified data, it highlights that a controller or processor is not required to comply with an authenticated consumer rights request if they do not sell personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer (§6-1-1307(1)(b)(III) of the CPA).

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

The CPA notes that a controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of this section that presents a heightened risk of harm to a consumer (§6-1-1309(1) of the CPA). For purposes of §6-1-1309 of the CPA, 'processing that presents a heightened risk of harm to a consumer' includes the following (§6-1-1309(2) of the CPA):

  • processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial or physical injury to consumers;
    • a physical or another intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers;
  • selling personal data; and
  • processing sensitive data.

In addition, the CPA notes that data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§6-1-1309(3) of the CPA).

Controllers are also required to make data protection assessments available to the AG upon request. The AG may evaluate the data protection assessments for compliance with the duties contained in §6-1-1308 of the CPA and with other laws, including the CPA (§6-1-1309(4) of the CPA).

Data protection assessments are confidential and exempt from public inspection and copying under the 'Colorado Open Records Act' (§24-72-201 to 206 of the Colorado Revised Statutes). The disclosure of a data protection assessment pursuant to a request from the AG under §6-1-1309(4) of the CPA does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the data protection assessment and any information contained in it (§6-1-1309(4) of the CPA).

Moreover, the CPA outlines that single data protection assessments may address a comparable set of processing operations that include similar activities (§6-1-1309(5) of the CPA).

Please note that data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive (§6-1-1309(6) of the CPA).

Part 8 of the CPA Rules clarifies the requirements for conducting data protection assessments (Rule 8.01 of the CPA Rules). A data protection assessment is required for each personal data processing activity that presents a heightened risk of harm to a consumer, and it should (Rule 8.02 of the CPA Rules):

  • identify and describe the risks to the rights of consumers associated with the processing;
  • document the measures considered and taken to address and offset those risks;
  • contemplate the benefits of the envisaged processing; and
  • demonstrate that the benefits of the processing outweigh the risks, as offset by the safeguards in place.

To this end, a data protection assessment must involve all relevant internal stakeholders from across the controller's organization and all relevant external parties, in order to identify, assess, and address the risks entailed by the processing of data (Rule 8.03 of the CPA Rules). Furthermore, the level of detail and scope of data protection assessments should take into account the scope of risk presented, the size of the controller, the personal data processed, the data processing activities subject to the assessment, and the complexity of safeguards applied (Rule 8.02 of the CPA Rules).

More specifically, the CPA Rules list the minimum content that any data protection assessment must present, which includes (Rule 8.04 of the CPA Rules):

  • a short summary of the processing activity;
  • the categories of personal data to be processed and whether they include sensitive data, including personal data from a known child;
  • the context of the processing activity, including the relationship between the controller and the consumers whose personal data will be processed, and the reasonable expectations of those consumers;
  • the nature and operational elements of the processing activity;
  • the core purposes of the processing activity, as well as other benefits of the processing that may flow, directly and indirectly, to the controller, consumer, other expected stakeholders, and the public;
  • the sources and nature of the risks to the rights of consumers posed by the processing activity;
  • measures and safeguards the controller will employ to reduce the risks identified by the controller;
  • a description of how the benefits of the processing outweigh the risks identified, as mitigated by the safeguards identified;
  • if a controller is processing sensitive data, the details of the process implemented to ensure that personal data and sensitive data inferences are not transferred and are deleted within 24 hours of the personal data processing activity;
  • relevant internal actors and external parties contributing to the data protection assessment; and
  • dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.

A controller must make the data protection assessment available to the AG within 30 days of the AG's request. Notably, where a data protection assessment conducted to comply with another jurisdiction's law or regulation is not similar in scope and effect to a data protection assessment under the CPA Rules, the controller may submit that assessment together with a supplement containing any additional information required by the CPA Rules.

With regard to the timing of data protection assessments, controllers should carry them out before initiating a data processing activity that presents a heightened risk of harm to a consumer (Rule 8.05 of the CPA Rules). Additionally, the CPA Rules mandate controllers to review and update their data protection assessments as often as appropriate considering the type, amount, and sensitivity of personal data processed, and the level of risk presented by the processing, throughout the processing activity's lifecycle.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

The CPA itself does not provide for breach notification requirements; breach notification in Colorado is governed by the separate security breach statute at §6-1-716 of the Colorado Revised Statutes.

However, processors must adhere to the instructions of a controller and assist the controller in meeting its duties or requirements under the CPA, including helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to §6-1-716 (§6-1-1305(2) of the CPA).

7.7. Data retention

Not applicable.

7.8. Children's data

In the case of the processing of personal data concerning a known child, the CPA outlines that such data cannot be processed without first obtaining consent from the child's parent or lawful guardian (§6-1-1308(7) of the CPA).

A child refers to an individual under 13 years of age (§6-1-1303(4) of the CPA).

7.9. Special categories of personal data

The CPA states that a controller shall not process a consumer's sensitive data without first obtaining the consumer's consent (§6-1-1308(7) of the CPA).

7.10. Controller and processor contracts

The CPA outlines that processors shall adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA. Taking into account the nature of the processing and the information available to the processor, the processor shall assist the controller by (§6-1-1305(2) of the CPA):

  • taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to §6-1-1306 of the CPA;
  • helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to §6-1-716 of the CPA; and
  • providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by §6-1-1309 of the CPA.

The controller and processor are each responsible for only the measures allocated to them.

In addition, the CPA states that processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out, among other things (§6-1-1305(5) of the CPA):

  • the processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • the type of personal data subject to the processing and the duration of the processing;
  • the requirement that the parties implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and establish a clear allocation of responsibilities between them for implementing those measures; and
  • the requirement that the processor make available to the controller all information necessary to demonstrate compliance with the obligations set out in the CPA (Part 13 of Article 1, Title 6 of the Colorado Revised Statutes).

Moreover, the CPA notes that in no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by the CPA (§6-1-1305(6) of the CPA).

8. Data Subject Rights

8.1. Right to be informed

In accordance with §6-1-1308(1)(a) to (b) of the CPA, controllers must provide consumers with a privacy notice that includes:

  • the categories of personal data collected or processed by the controller or a processor;
  • the purposes for which the categories of personal data are processed;
  • how and where consumers may exercise the rights pursuant to §6-1-1306 of the CPA, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any;
  • the categories of third parties, if any, with whom the controller shares personal data; and
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

Rule 6.02 of the CPA Rules states that privacy notices must provide consumers with a meaningful understanding and accurate expectations of how their personal data will be processed, inform them about their rights under the CPA, and provide any information necessary for them to exercise those rights. Additionally, privacy notices must be clear, specific, and easily accessible.

Pursuant to Rule 6.04 of the CPA Rules, controllers must notify consumers of material changes to a privacy notice in a manner by which the controller regularly interacts with the consumers. Material changes may include, but are not limited to, changes to:

  • categories of personal data processed;
  • processing purposes;
  • controller's identity;
  • the act of sharing personal data with third parties;
  • categories of third parties with whom personal data is shared; or
  • methods by which consumers can exercise their data rights requests.

The CPA Rules provide that privacy notices must comprise the following information:

  • a comprehensive description of the controller's online and offline personal data processing practices, including the following, linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that personal data to the controller for a specified purpose (Rule 6.03(A)(1) of the CPA Rules):
    • an explanation of the processing purpose, which should cover how personal data is used for the purpose in question;
    • whether the processing purpose encompasses targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
    • the categories of personal data that the controller sells to, or shares with, third parties, if any;
    • the categories of third parties with whom the controller shares, or to whom the controller sells, personal data, described in a sufficiently granular level of detail; and
    • the categories of personal data processed, including, but not limited to, whether personal data of a child or other sensitive data is processed; categories shall be described in a level of detail that provides consumers a meaningful understanding of the type of personal data processed;
  • if applicable, the disclosures required under Rule 9.03 of the CPA Rules concerning profiling (Rule 6.03(A)(2) of the CPA Rules);
  • a list of the data rights available and a description of the means through which a consumer may exercise the same, including, effective July 1, 2024, an explanation of how requests to opt out using Universal Opt-Out Mechanisms will be processed (Rules 6.03(A)(3) and 6.03(A)(4) of the CPA Rules);
  • in case of deletion of sensitive data inferences, a description of the sensitive data inferences involved and the retention and deletion timelines (Rule 6.03(A)(5) of the CPA Rules);
  • the contact information of the controller (Rule 6.03(A)(6) of the CPA Rules);
  • instructions on how to appeal a controller's response to a request submitted by a consumer (Rule 6.03(A)(7) of the CPA Rules); and
  • the date of the privacy policy's latest update (Rule 6.03(A)(8) of the CPA Rules).

8.2. Right to access

A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data (§6-1-1306(1)(b) of the CPA).

When responding to an access request, a controller must provide the consumer with all the specific pieces of personal data it has collected and maintains about the consumer and that are the subject of the request, which includes the personal data that the controller's processors obtained from the controller in providing services to the controller (Rule 4.04(A) of the CPA Rules).

A controller is not required to disclose certain categories of personal data when responding to an access request, including (Rule 4.04(D) of the CPA Rules):

  • a consumer's government-issued identification number;
  • a financial account number;
  • a health insurance or medical identification number;
  • an account password;
  • security questions and answers;
  • biometric identifiers; or
  • biometric data.

However, in such instances, a controller shall nonetheless inform the consumer that it has collected said type of information, e.g. a controller shall respond that it collects 'unique biometric data including a fingerprint scan' without disclosing the actual fingerprint scan data (Rule 4.04(D) of the CPA Rules).

In addition, if a controller cannot authenticate the consumer submitting a data right request using reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).

8.3. Right to rectification

A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data (§6-1-1306(1)(c) of the CPA).

Rule 4.05(A) of the CPA Rules provides that consumers have the right to correct inaccuracies in their personal data subject to C.R.S. § 6-1-1306(c).

Additionally, Rule 4.05(B) of the CPA Rules establishes that if a consumer submits a correction request, controllers must amend the personal data in their existing systems, except archive or backup systems. The controller must also use agreed-upon technical, organizational, or other measures or processes to instruct the processors involved to make the necessary corrections in their respective systems.

A controller, having exhausted the steps provided in Rules 4.05(E)(1) to 4.05(E)(4) of the CPA Rules, may decide not to act upon a consumer's correction request if the controller determines that the contested personal data is more likely than not accurate (Rule 4.05(E)(5) of the CPA Rules).

In addition, if a controller cannot authenticate the consumer submitting a data right request using reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).

8.4. Right to erasure

A consumer has the right to delete personal data concerning the consumer (§6-1-1306(1)(d) of the CPA).

Pursuant to the CPA Rules, a controller may maintain records of a consumer's deletion request consistent with Rule 6.11 of the CPA Rules, and as needed to effectuate the deletion request (Rule 4.06(B) of the CPA Rules).

In addition, if a controller cannot authenticate the consumer submitting a data right request using reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).

8.5. Right to object/opt-out

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of (§6-1-1306(1)(a) of the CPA):

  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Moreover, a consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in §6-1-1306(1)(a)(i) of the CPA, including through a technology indicating the consumer's intent to opt out, such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf (§6-1-1306(1)(a)(II) of the CPA).

A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to §6-1-1306(1)(a)(i) of the CPA. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under the CPA, and in a clear, conspicuous, and readily accessible location outside the privacy notice (§6-1-1306(1)(a)(III) of the CPA).

Pursuant to Rule 5.02(A) of the CPA Rules, consumers may exercise their right to opt out of the processing of their personal data for purposes of targeted advertising or for the sale of personal data through a user-selected universal opt-out mechanism that meets the technical and other specifications provided in the CPA Rules.

According to the CPA Rules, a controller must comply with an opt-out request by (Rule 4.03(A) of the CPA Rules):

  • ceasing to process the consumer's personal data for the opt-out purpose(s) as soon as feasibly possible and without undue delay from the date the controller receives the request, considering the size and complexity of the controller's business and the burden of operationalizing the opt-out. Additionally (Rule 4.03(A)(1) of the CPA Rules):
    • if a controller does not know the identity of a consumer submitting an online opt-out request, such that the controller is unable to opt the consumer out of the processing of offline or other connected personal data, the controller may request the additional information necessary to do so subject to Rules 4.08 and 5.05 of the CPA Rules; and
    • if a consumer submits a request to exercise more than one data right and a controller can complete the opt-out request in a timelier manner than other data rights requests, the controller should complete the opt-out request prior to any other data rights request;
  • maintaining a record of the opt-out request and response in compliance with 4 CCR 904-3, Rule 6.11 (Rule 4.03(A)(2) of the CPA Rules); and
  • using agreed-upon technical, organizational, or other measures or processes to instruct its processors, pursuant to C.R.S. § 6-1-1305(2)(a), to stop processing the personal data as needed to effectuate the consumer's opt-out request (Rule 4.03(A)(3) of the CPA Rules).

Pursuant to Rule 5.02(B) of the CPA Rules, the purpose of a Universal Opt-Out Mechanism is to provide consumers with a simple and easy-to-use method by which they can automatically exercise their opt-out rights with all controllers they interact with without having to make individualized requests with each controller.

Specifically, a Universal Opt-Out Mechanism may (Rule 5.02(C) of the CPA Rules):

  • express a consumer's choice to opt out of the processing of personal data for both the processing of personal data for purposes of targeted advertising and the sale of personal data; or
  • express a consumer's choice to opt out of the processing of personal data for only one of these two purposes.

In this regard, if a platform, developer, or provider provides a Universal Opt-Out Mechanism, it must make clear to the consumer, whether in its configuration or disclosures to the public, that the mechanism is meant to allow them to exercise the right to opt out of the processing of personal data. Additionally, the CPA Rules indicate specific contents that such notices to the consumer must have (Rule 5.03(A) of the CPA Rules).

In any event, a valid Universal Opt-Out Mechanism must represent the consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of their personal data. Furthermore, controllers are not obligated to honor consumer rights requests for purposes other than those listed above, when transmitted through a Universal Opt-Out Mechanism (Rule 5.03(B) of the CPA Rules).

In addition, the CPA Rules address the issues that might arise in relation to Universal Opt-Out Mechanisms and default settings, providing some examples (Rule 5.04 of the CPA Rules). For instance, the CPA Rules illustrate that, if a browser is pre-installed on every device provided with an operating system by the vendor, and by default the browser delivers a Universal Opt-Out Mechanism signal without prompting the consumer to enable this setting, such mechanism would not meet the requirements set out in the CPA Rules, as the consumer's decision to use the browser does not constitute an affirmative, freely given, and unambiguous choice to use the Universal Opt-Out Mechanism (Rule 5.04(A)(1) of the CPA Rules). Conversely, the CPA Rules consider it an acceptable option if a tool that does not come pre-installed with a device, such as a browser or operating system, is nonetheless marketed as a tool designed to exercise a user's rights to opt out of the processing of personal data (Rule 5.04(B)(1) of the CPA Rules).

Once the right to opt out has been exercised by the consumer through a Universal Opt-Out Mechanism, a controller may enable a consumer to provide a new declaration of consent to opt in (Rule 5.09(A) of the CPA Rules). However, controllers shall not interpret the absence of a Universal Opt-Out Mechanism signal as consent to opt back in (Rule 5.09(B) of the CPA Rules).

Separately, the Colorado Department of Law is tasked with the responsibility of recognizing Universal Opt-Out Mechanisms and maintaining a public list of the same. The initial list shall be published on January 1, 2024, at the latest, with periodic updates afterward (Rule 5.07(A)(1) of the CPA Rules). To be recognized by the Colorado Department of Law, a Universal Opt-Out Mechanism must meet at least the following standards (Rule 5.07(C) of the CPA Rules):

  • comply with all the relevant technical and other specifications laid down in the CPA Rules; and
  • not confuse consumers or controllers about the features of the various Universal Opt-Out Mechanisms included in the public list.

Controllers have until June 30, 2024, to prepare for Universal Opt-Out Mechanisms. In fact, effective July 1, 2024, controllers will be obliged to abide by the requirements set out for Universal Opt-Out Mechanisms and to honor any opt-out request received through the same (Rule 5.08 of the CPA Rules).

If a controller cannot authenticate the consumer submitting a data right request using reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).

8.6. Right to data portability

When exercising the right to access personal data pursuant to §6-1-1306(1)(b) of the CPA, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in §6-1-1306(1)(e) of the CPA requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets (§6-1-1306(1)(e) of the CPA).

Pursuant to Rule 4.07 of the CPA Rules, in order to comply with a data portability request, a controller must transfer to a consumer the personal data it has collected and maintains about them through a secure method in a commonly used electronic format that, to the extent technically feasible, is readily usable and allows the consumer to transmit the personal data to another entity without hindrance. Additionally, a controller is not required to provide personal data to a consumer in a manner that would disclose the controller's trade secrets. In particular, controllers must provide as much data as possible in a portable format without disclosing such trade secrets.

If the controller decides not to act on a consumer's data subject request, it must include the grounds for such denial to the consumer, including, but not limited to (Rule 4.09(C) of the CPA Rules):

  • any conflict with federal or state law;
  • the relevant exception to the CPA and a description of the exception;
  • the controller's inability to verify a consumer's identity, in which case the controller must describe in documentation their reasonable efforts to authenticate the consumer's identity and why it was unable to do so;
  • any factual basis for a controller's good-faith claim that compliance is impossible; or
  • any basis for a good faith documented belief that the request is fraudulent or abusive.

Furthermore, if a controller denies a consumer data right request based on inability to authenticate, the controller must describe in the documentation required by Rule 6.11 of the CPA Rules their reasonable efforts to authenticate and why they were unable to do so (Rule 4.09(C)(1) of the CPA Rules).

In addition, if a controller cannot authenticate the consumer submitting a data right request using reasonable efforts, it is not required to comply with said request. In this case, the controller must inform the consumer that their identity cannot be authenticated, provide information on how to remedy any deficiencies, and may request additional personal data if reasonably necessary to authenticate the consumer (Rule 4.08(F) of the CPA Rules).

8.7. Right not to be subject to automated decision-making

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer (§6-1-1306(1)(a)(I)(C) of the CPA).

The CPA defines 'profiling' as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (§6-1-1303(20) of the CPA).

Notably, the CPA Rules provide for the consumers' right to opt out of profiling in furtherance of decisions that produce legal or other similarly significant effects concerning a consumer. The controller need not fulfill such a request when the profiling is based on human-involved automated processing. In this case, the controller must provide the consumer with information on the decision subject to the profiling, the specific personal data that is to be processed, the logic used, the role of human involvement in the profiling, the decision-making process, and how the consumer can rectify or delete the personal data processed as part of the decision-making process (Rule 9.04(A), (B), and (C) of the CPA Rules).

Controllers are mandated to provide a method to exercise the right to opt out of profiling in furtherance of decisions that produce legal or other similarly significant effects concerning a consumer clearly and conspicuously at or before the time such processing occurs (Rule 9.04(D) of the CPA Rules).

A controller is not required to comply with a request to exercise any of the rights under §6-1-1306(1) of the CPA if the controller is unable to authenticate the request using commercially reasonable efforts (§6-1-1306(2)(d) of the CPA).

8.8. Other rights

Not applicable.

9. Penalties

The CPA does not authorize a private right of action for a violation of its provisions of law. §6-1-1310(1) of the CPA neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including the CPA, the Constitution of the State of Colorado, or the United States Constitution (§6-1-1310(1) of the CPA).

The AG and DA have exclusive authority to enforce the CPA by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce the CPA, including seeking an injunction to enjoin a violation of the CPA (§6-1-1311 of the CPA).

Prior to any enforcement action pursuant to §6-1-1311(1)(a) of the CPA, the AG or DA must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within 60 days after receipt of the notice of violation, an action may be brought pursuant to §6-1-1311 of the CPA. Please note that §6-1-1311(1)(d) of the CPA is repealed, effective January 1, 2025 (§6-1-1311(1)(d) of the CPA).

9.1 Enforcement decisions

On July 12, 2023, the AG announced the launch of enforcement of the CPA. As such, the Department of Justice began mailing letters to businesses focused on educating them about the law and their new legal obligations under the CPA and CPA Rules; examples of these letters are available on the CPA Portal of the AG's website.