Colorado Passes Comprehensive Privacy Legislation

News & PR
July 8, 2021
Colorado has officially passed a specific data privacy rule, become the third state to do so. Let's examine what this law means.

Colorado Passes Comprehensive Privacy Legislation

Colorado Becomes the Third State to Sign a Privacy Act into Law 

As of June 8th, 2021, the third state has officially passed a specific data privacy rule. After a few revisions along the way, the Colorado Privacy Act (CPA) has passed quickly through both the Colorado House and Senate early this month. Governor Polis officially signed this act into law on July 7th, 2021. 

Here is everything you need to know about the CPA.

What is the goal of the CPA?

The Colorado Privacy Act seeks to provide additional protections for Colorado citizens’ personal data. It is modeled after Virginia’s passed Consumer Data Protection Act (CDPA), and the failed Washington Privacy Act, although it differs slightly from either of these. 

When does this go into effect? 

The Colorado Privacy Act will go into effect on July 1st, 2023. 

Who will this apply to? 

The CPA will apply to entities that do business or produce products or services that are intended for Colorado residents, and also meet one of the following requirements: 

  • Handle or process the personal data of 100,000 or more Colorado consumers per year 
  • Receive revenue as a result of the sale of personal data, and process the personal data of 25,000 or more individuals. They also distinguish that for this purpose a discount on goods or services will count as “receiving revenue” in this context. 

As always, this does not only apply to companies operating or headquartered in Colorado but rather any organization that processes, stores, creates, or handles above the parameters of Colorado resident’s information in any form. 

Defining Key Terms 

Let’s start by defining a few term references that the CPA makes that are important in order to clarify in order to fully understand the act as a whole. The first is one that every privacy law has used but all have defined uniquely. The CPA defines “personal data” as “information that is linked or is reasonably linkable to an identified or identifiable individual.” This does not include information that has been de-identified or that is publicly available via the federal, state, or local government’s records.

The CPA refers to both “controllers” and “processors” as key roles within the text of the law. A controller is someone who “determines the purposes and means of processing personal data.” This puts them at the top of this chain of information sharing. Next, we have the processors who handle personal data on behalf of the controllers. 

Next, the CPA uses the concept of a “third-party” which they define as “a person, public authority, agency, or body other than a consumer, processor, or affiliate of the processor or the controller.” 

It is also important to look at how the CPA defines the word “sale” considering that one of the keys to this law being applicable to a company is their receiving revenue from selling protected data. Sale in the CPA is broadly defined as the exchange of personal data for something valuable (either monetary value or an alternative valuable asset). 

Penalties & Enforcement Process 

The CPA is actually the very first passed or attempted privacy act that will be able to be enforced by both the state’s attorney general or district attorneys. Any violator of the CPA will be subject to both an injunction and civil fines of $2,000 or less per violation and are not to exceed $500,000 for the total of a series of violations. 

In order to investigate and eventually enforce a punishment for a potential violation, the attorney general or district attorneys will be required to notify the organization of the alleged violation first thing. The business will then be allotted 60 days to fix this violation. This allowed time frame to solve the problem will only last until January 1, 2025. This is intended to allow a bit more leniency for a short period after the law goes into effect. 

The Colorado Privacy Act does not allow for the private right of action for consumers. 


As with most laws of this type, there are a few exceptions to the CPA that are important to outline. First, companies that process or collect information for employment purposes, or sell, process, or disclose information in accordance with the HIPAA, GLBA, FCRA, FERPA, COPPA, and DPPA are exempt. This follows suit for the other state privacy laws that we have seen either passed or discussed in that HIPAA remains the key to enforcement on ensuring the safety of protected health information. 

Although the CPA won’t significantly affect the operations of many of our clients, Accountable will continue to bring you the most up-to-date information on this privacy legislation. And for now, if you are an organization under HIPAA, then maintaining compliance with its requirements can remain your priority. 

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by