Colorado Privacy Act (CPA)
Protects Consumers’ Privacy Right, Especially Online Activities.
In 2021, the state of Colorado signed into law the Colorado Privacy Act (CPA), which will go into effect on July 1, 2023. This act protects the privacy rights of Colorado residents regarding their personal data, particularly their online activities. Based on this act, companies must protect five consumer rights, including the right to:
• Data portability
Companies doing business in Colorado must comply with these laws.
This includes via a website or an app, and/or processing the data of Colorado residents who meet threshold requirements – a) processing personal data of 100,000 or more residents annually, or (b) processes personal data of at least 25,000 residents annually and derive revenue or receive discounts on goods and/or services due to the sale of that data. The companies do not need to have a physical presence in Colorado. There are stipulations for small companies that do not meet the revenue threshold or the number of data processing. In addition, Colorado exempts many organizations, including airlines, public utilities, governmental entities in Colorado, and higher education institutions. However, the CPA applies to charitable organizations and nonprofits that meet the threshold requirements.
The CPA also stipulates companies’ obligations regarding the collection and use of data.
These duties include:
• Purpose specification
• Data minimization
• Secondary use
• Unlawful discrimination
• Sensitive Data
If a company or entity is in violation of CPA, the Colorado Attorney General’s office will notify the organization with an option for corrective action. The company or entity has 60 days from when the notice was received to correct the violation. The CPA does not specify fines for a violation but it can be from $2,000 to $20,000 per violation or between $10,000 to $50,000 per violation against an elderly person. Additionally, CPA violations can lead to criminal charges.
Meet Your Colorado Privacy Rights Legal Team
Dilyn spent 14 years as a Staff Officer with the United States Department of Defense. She brings a wealth of experience in cybersecurity and privacy law, and national security and intelligence law. Dilyn has also worked as in-house counsel with oil and gas and defense companies.
Danyelle is strong-willed, disciplined, and works diligently hard not only for her clients but for justice in general. She approaches each case with thoughtfulness and care. Danyelle nurtures her client relationships to develop trust and understanding between her and her clients. Due to her empathetic nature, Danyelle fiercely represents her clients and their needs.
Sebastian Garcia has worked on legal issues surrounding data privacy policies and cybersecurity throughout his career. As a legal intern, he assisted the supervising legal counsel on cybersecurity standards NIST 800-171 and DFARS 252.204.7012. Additionally, he served as a legislative fellow in the United States Senate.
Get Started in
3 EASY STEPS
Explore Your Options
We Will Advocate For You