Skip to main content

Colorado’s Privacy Act: Do Not Be Caught Off-Guard

February 14, 2023

The Colorado Privacy Act (CPA) will change the landscape for a wide range of businesses doing business in Colorado or with Colorado residents on July 1, 2023. With only five months until this law takes effect, companies should move rapidly to ensure they are in full compliance with the new act. Failure to comply with the CPA can result in severe economic punishment for violators. 

The CPA Probably Applies to Your Business

The CPA applies to all businesses, including nonprofits, that (1) conduct business in Colorado or delivers products or services to Colorado and either (2)(a) controls or processes personal data of 100,000+ consumers per calendar year or (b) receives revenue from the sale of personal data and processes or controls the personal data of 25,000+ consumers. The CPA’s application has few exceptions including, but not limited to, HIPAA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act (FERPA).

For purposes of the act, “processing” personal data means taking any action with personal data. Likewise, “control” of personal data means the business determines the purposes and means of processing personal data. Be aware that businesses cannot contract around either the controller or processor roles. 

The CPA Covers My Business. Now What?

The CPA requires controllers to take multiple steps to protect consumers and their personal data including, but not limited to implementing appropriate technical and organizational safeguards, providing consumers with clear and understandable privacy notices, minimizing the personal data collected, and avoiding using the data for any purpose other than that disclosed at the time of collection.

The CPA requires processors to take multiple steps to protect consumers and their personal data including, but not limited to following the controller’s directions and implementing appropriate technical and organizational measures to secure the personal data. 

What Are Consumers’ Rights?

The CPA grants consumers rights that, with few exceptions, controllers and processors must abide by if they wish to avoid liability. Those rights include:

  1. The right to opt out of targeted advertising and the sale of the consumer’s personal data.
  2. The right to access and learn what personal data a business has about that consumer.
  3. The right to correct personal data.
  4. The right to have personal data deleted.
  5. The right to data portability to move to a different controller or processor.

A business who violates these rights violates the CPA. 

What is the Worst that could Happen if my Business Violates the CPA?

Any violation of the CPA is a deceptive trade practice that the Colorado Attorney General and district attorneys can pursue. Each violation can result in a civil penalty of $20,000. 

Key Takeaways for Businesses

  • The Colorado Privacy Act takes effect July 1, 2023.
  • The Act covers almost any business that transacts with consumers.
  • Enforcement of the Act can lead to high dollar amount civil penalties for violators.
  • Businesses should begin taking steps to comply with the act now to avoid those penalties.

Please note that the entirety of the CPA is not in this article. Also, because the CPA is not yet in effect, no Colorado court has yet to analyze or clarify any portion of the act such that the information and opinions stated above may be subject to change.

This blog was drafted by David Brininger, an attorney in the Spencer Fane Houston office. For more information, visit