Colorado Privacy Act Overview Infographic
On July 7, 2021, the Colorado Privacy Act (CPA) was signed into law by Governor Jared Schutz Polis with an effective date of July 1, 2023. The CPA follows in the footsteps of the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, and is applicable to entities that conduct business or produce products and services that are targeted at Colorado residents. This infographic gives an overview of the CPA and the new requirements covered entities should be aware of.
What is the CPA?
The CPA is a comprehensive data privacy law that will enter into effect on July 1, 2023. It aims to give individuals more control over their personal data. Under the CPA, Colorado residents have the right to know what personal data is being collected about them, how it is being used, and with whom it is being shared.
The CPA applies to businesses that process the personal data of Colorado residents and meet certain thresholds, such as those that conduct business in Colorado or process data of a certain volume. Businesses are required to implement certain data protection practices, such as conducting privacy impact assessments and providing clear and concise privacy notices. The CPA includes provisions for enforcement and penalties for non-compliance, including fines of up to $20,000 per violation.
Key compliance areas under the CPA
The CPA imposes several obligations on businesses that process personal data of Colorado residents. Key areas of compliance include:
- Transparency and accountability - Businesses must provide clear and concise privacy notices that explain what personal data is being collected, how it is being used, and with whom it is being shared
- Data subject rights - Colorado residents have the right to request access, correction, deletion, or portability of their personal data
- Security of data - Businesses must implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, or destruction
- Risk assessments - Businesses must also conduct privacy impact assessments (PIAs) to identify and mitigate privacy risks associated with data processing activities
- Vendor management - Businesses must have written contracts with third-party service providers that process personal data on their behalf
Colorado Privacy Act overview infographic
Download the OneTrust DataGuidance overview infographic to find out more about key compliance areas under the CPA, including:
- Scope
- Exclusions
- Key definitions
- Consumer rights
- Enforcement
The CPA will enter into effect on July 1, 2023, giving organizations covered by the law time to implement the appropriate solutions and policies. Download the infographic for an overview of the CPA’s requirements or request a demo to see how OneTrust DataGuidance can help you gain a deeper understanding of these requirements.