Colorado Privacy Act (CPA)

In this guide:

Key details of the CPA

The State of Colorado’s data privacy act, commonly known as the CPA, grants consumers new rights to access, review, correct, and remove their personal information. Effective July 1, 2023, the CPA allows Colorado residents to opt-out of the sale of their personal data and deny its use for advertising efforts, and block certain types of profiling. The law also holds businesses and other relevant entities accountable by forcing these organizations to effectively safeguard personal data, provide details about the data they possess, review and improve internal data protection processes regularly, and obtain consent before collecting and processing this data in the first place. It’s truly a win for external data privacy.

A controller—which is any person, business or group processing data—must now get a consumer’s affirmative consent for each of the following scenarios under the CPA:

  • Prior to collecting and processing sensitive personal data (SPI). Note: SPI includes personal data for a child under 13 years of age; data revealing health conditions, race or ethnicity, citizenship status, preferences, & more; and biometric data.
  • Prior to processing personal data for reasons other than those specified when the data was initially collected.
  • Prior to selling or processing personal data for targeted advertising efforts, after a consumer already opted-out previously.

Put more simply, the CPA enhances consumer data rights by requiring an organization to declare their intentions with your data. Then, the organization must get a positive response from you when browsing their website or registering for a rewards program, for example, and protects you again if the reasons for collecting this data changes at any point.

Specifically, the CPA grants consumers the following enumerated rights:

  • The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling.
  • The right to know whether a controller (person, business, or other group) is collecting personal data.
  • The right to access personal data that a controller has collected about them.
  • The right to correct personal data.
  • The right to delete personal data.
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

Source: The Colorado Attorney General’s Website

Ensure technical compliance

Any individual or organization conducting business in Colorado, or providing products or services to Colorado residents, would be subject to CPA mandates if they meet the following criteria:

  • Process the personal data of more than 100,000 individuals in any calendar year. OR
  • Get revenue or discounts on goods or services in exchange for the sale of the personal data of 25,000 or more individuals.

The CPA requires these individuals and organizations (“controllers”) to be transparent about how they collect, store, use, share and sell personal data. Plus, controllers must clearly inform consumers of the reasons for doing so while minimizing the amount of data collected and stored. This regulation is technical and explicit in its care for consumers’ access rights, creating more stringent advertising consent requirements.

Controllers must do their best to secure any data collected, using “reasonable” security practices and conducting data protection assessments before selling or processing sensitive & personal data. If and when a Colorado resident requests to review their personal data, controllers must respond to these requests to remain compliant with the law. In this way, the CPA adds to business data responsibilities.

There’s only one way this plays out: either data collectors and processors update websites, prompts and practices to provide all of the consumer rights outlined, or they face legal consequences from the state.

How Privacy Bee protects you

Whether you’re a single person or a business in need of more robust external data privacy, Privacy Bee offers the proactive protection necessary to prevent identity theft or an expensive data breach. For businesses, Privacy Bee can also ensure website cookie practices are compliant to avoid legal repercussions from the Attorney General.

There’s a multi-billion dollar industry that’s buying and selling access to you, your family, and—if you’re a business—your employees and customers. This is bought by aggressive salespeople, spammers, recruiters, and others with minimal accountability who will harass your employees, destroy their productivity, and distract them with relentless job offers.

Within this industry, Data Brokers hoard your information for a profit, buying and selling it to numerous organizations you couldn’t possibly know and control. It’s easy to see how having private information floating around the web makes for some dangerous situations in the hands of a cybercriminal. All it takes is one event for your identity to be stolen, and when this happens it can open the door for hackers and other threat actors to compromise the members of your family, or your most sensitive business data.

Before this occurs, register for Privacy Bee to discover every location across the internet and dark web where your data is exposed and scrub it away with little to no effort on your part. In doing so, you’re proactively protected from identity theft (or if you’re a business, a data breach) along with any others you choose to bring into the service. Privacy should not be contested, bartered, nor political, but rather a basic human right, which is why the Privacy Bee team works so hard to monitor user data for any security compromise. Wherever your personal or sensitive data is found, we obligate organizations to erase it and opt-out of any further data collection.

Privacy Bee protects users against:

  • Spam emails
  • Telemarketer calls
  • Cyberstalking
  • Swatting
  • Doxxing
  • Blackmail
  • And, of course, identity theft

For businesses, Privacy Bee improves the digital hygiene of the entire organization, reduces spam outreach to increase worker productivity, mitigates employee poaching and the risk of expensive data breaches, and so much more.

Whether you’re an individual looking to proactively protect yourself and your family, or a business looking to protect employees and customers while maintaining compliance, Privacy Bee is here to give you back control of your private data.

Learn More
Data privacy risk scores are essential to operations today. What's yours and how was it calculated?
Previous article

Your Privacy Risk Score:  What Is It and How is it Calculated?
Next article

California Privacy Rights Act (CPRA)

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account:

By registering, you're agreeing to our Terms of Service

Or prefer to speak with sales?