The Colorado Privacy Act (CPA), effective July 1, 2023, establishes comprehensive privacy rights for Colorado residents. The law shares many features with Virginia's privacy law while adding some unique consumer-friendly provisions, including requirements for universal opt-out mechanisms. Understanding your rights under the CPA helps you protect your personal information from unwanted collection and use.

Who Is Protected

The CPA protects Colorado residents acting in an individual or household context. Like Virginia's law, Colorado excludes individuals acting in commercial or employment contexts, focusing protection on consumers rather than business relationships. If you live in Colorado and interact with businesses as a consumer, the CPA likely covers your data.

The law applies to businesses that conduct business in Colorado or target products or services to Colorado residents, and that either (a) control or process the personal data of at least 100,000 consumers annually, or (b) control or process the data of at least 25,000 consumers while deriving revenue from selling personal data.

Certain entities and data types are exempt, including those covered by HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, and other federal privacy laws. Nonprofits and higher education institutions also fall outside the law's scope.

Your Right to Access and Know

Colorado residents can confirm whether a business is processing their personal data and access that data. Businesses must disclose the categories of personal data processed, purposes for processing, categories of personal data shared with third parties, and the categories of third parties with whom data is shared.

Businesses have 45 days to respond to access requests, with one 45-day extension permitted when reasonably necessary. Responses must be provided free of charge, though businesses can charge a reasonable fee for excessive or repetitive requests.

Your Right to Delete

You can request that businesses delete your personal data. This right covers data you provided directly and data obtained from other sources. Upon receiving a valid deletion request, businesses must delete your personal data and direct any processors to do the same.

Exceptions allow businesses to retain data for completing transactions, fulfilling warranties, providing services you requested, complying with legal obligations, and other necessary purposes. Data outside these exceptions must be deleted upon request.

Your Right to Correct

The CPA includes the right to correct inaccurate personal data. If a business holds incorrect information about you, you can request correction. The business must take reasonable steps to correct inaccuracies, considering the nature of the data and purposes for processing.

Your Right to Data Portability

You can obtain your personal data in a portable, readily usable format that allows transmission to another entity. This right facilitates switching between service providers and maintaining your own data records.

Your Right to Opt Out

Colorado provides robust opt-out rights covering three categories of data processing. You can opt out of targeted advertising, which means advertising based on personal data from your activities across different businesses, websites, or applications. You can opt out of the sale of your personal data to third parties. You can also opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

Universal Opt-Out Mechanisms

One of Colorado's most significant provisions requires businesses to recognize universal opt-out mechanisms. Beginning July 1, 2024, businesses must honor opt-out signals sent by browser settings, device settings, or other technical mechanisms that communicate your opt-out preferences.

This means you can configure your browser or device to automatically send opt-out signals to every website you visit, rather than submitting individual requests to each business. Global Privacy Control (GPC) is one example of such a mechanism that Colorado businesses must recognize.

The universal opt-out requirement makes exercising your rights dramatically easier. Instead of navigating countless privacy settings and opt-out forms, you can set your preferences once and have them respected across all covered businesses.

Sensitive Data Requires Consent

Processing sensitive data requires your affirmative consent under the CPA. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data used for identification, personal data from known children, and precise geolocation data.

Businesses cannot process these categories without first obtaining your opt-in consent. This provides stronger protection than standard opt-out rights, recognizing that sensitive data deserves heightened safeguards.

Transparency Requirements

Businesses must provide clear, accessible privacy notices that explain their data practices. These notices must describe categories of personal data collected, purposes for processing, how consumers can exercise their rights, categories of data shared with third parties, and categories of third parties receiving data.

If a business sells personal data or uses it for targeted advertising, the privacy notice must clearly disclose these practices. Transparency requirements help you make informed decisions about which businesses to engage with.

How to Exercise Your Rights

Submit requests through methods the business provides, which may include online forms, email addresses, or other contact methods. You must provide information sufficient for the business to verify your identity and locate your data.

If a business denies your request, you can appeal the decision. The business must respond to appeals within 45 days. If the appeal is denied, you must be informed of how to file a complaint with the Colorado Attorney General.

Enforcement

The Colorado Attorney General has exclusive enforcement authority. There is no private right of action for CPA violations. If you believe a business has violated your rights, file a complaint with the Attorney General's office.

The Attorney General must provide 60 days' notice and opportunity to cure before bringing an enforcement action. Civil penalties can reach $20,000 per violation, with potential increases for willful violations.

Conclusion

The Colorado Privacy Act provides meaningful protections for Colorado residents, with the universal opt-out mechanism requirement making it easier to exercise your rights at scale. By understanding your rights to access, delete, correct, and opt out, and by configuring universal opt-out mechanisms, you can take significant control over how businesses collect and use your personal information.