Complying with the Colorado Privacy Act (CPA)

Business owners: successfully navigate the Colorado Privacy Rights Act (CPA). Remember - it doesn’t matter where your business is located - the CPA applies to your company if your customers reside in Colorado.

4 minute read. Learn the basics of the Colorado Privacy Act (CPA) and how it impacts your business.

Companies that do business in Colorado have until July 1, 2023 to comply with the Colorado Privacy Act (CPA). The CPA imposes obligations on companies to protect the privacy of consumers’ personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual.

It doesn’t matter where your business is located: the CPA applies to your company if your customers reside in Colorado. If you fail to comply with CPA regulations, you may face expensive financial penalties and possible damage to your reputation. But there are solutions that simplify compliance.

In this article, we provide information that can help business owners successfully navigate the CPA.

Protecting Consumer Privacy

Similar to other consumer privacy laws, the CPA grants consumers five key privacy rights, including the right to:

  1. Opt out of any processing for purposes of targeted advertising, sale to third parties, or profiling
  2. Access personal data
  3. Correct personal data inaccuracies
  4. Request that businesses delete their personal data
  5. Obtain a portable copy of their personal data

The CPA applies to any legal entity that conducts business in Colorado or produces or delivers “commercial products or services that are intentionally targeted to the residents of Colorado,” and that satisfies one or both of the following thresholds:

  • controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  • derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Because the CPA does not impose a revenue threshold, a business cannot become subject to the law merely due to its annual revenues; however, smaller, regional businesses that meet other thresholds may find that they need to comply with it.

The CPA extends applicability to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data. The CPA is applicable even when a company derives less than 50% of its gross annual revenue from selling data.

The CPA defines a consumer as “a Colorado resident acting only in an individual or household context” and explicitly omits individuals acting in “a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”

The “sale of personal information” is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”

Satisfying the Colorado Privacy Act

To cost-effectively ensure they are complying with the CPA, business owners and leaders need a system for managing and tracking consumers’ requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. A platform kept up to date with the latest changes to data privacy laws across the U.S.

For help with your data privacy compliance challenges, contact PrivacyCare today.

Get started with PrivacyCare

Avoid costly fines, protect your customers’ personal data, and protect your brand value by building customer trust. Jumpstart your consumer data privacy program and get started for free today.
