Colorado Passes Comprehensive Privacy Legislation

News & PR
July 8, 2021
Colorado has officially passed a specific data privacy rule, become the third state to do so. Let's examine what this law means.

Colorado Passes Privacy Law

Colorado Becomes the Third State to Sign a Privacy Act into Law 

As of June 8th, 2021, a third state has officially passed a very specific data privacy rule. After a few revisions, the Colorado Privacy Act (CPA) has passed quickly through both the Colorado House and Senate earlier this month. Colorado Governor, Jared Polis, officially signed the CPA into law on July 7th, 2021. 

Here is everything you need to know about the CPA.

What is the goal of this comprehensive CPA?

The Colorado Privacy Act seeks to provide additional protections for Colorado citizens’ personal data. It is modeled after Virginia’s privacy legislation, called the 'Consumer Data Protection Act (CDPA)', as well as the failed Washington Privacy Act. 

When does this privacy legislation go into effect? 

The Colorado Privacy Act went into effect on July 1st, 2023. 

Who does this detailed Colorado-based privacy legislation apply to? 

The CPA will apply to entities that do business or produce products or services that are intended for Colorado residents, and also meet one of the following requirements: 

  • Handle or process the personal data of 100,000 or more Colorado consumers per year 
  • Receive revenue as a result of the sale of personal data, and process the personal data of 25,000 or more individuals. They also distinguish that for this purpose a discount on goods or services will count as “receiving revenue” in this context. 

As always, this does not only apply to companies operating or headquartered in Colorado but rather any organization that processes, stores, creates, or handles above the parameters of Colorado resident’s information in any form. 

Defining Key Terms found in the CPA

Let’s start by defining a few term references that the CPA makes which are important in order to clarify and fully understand the act. The first principle is one that every privacy law has touched upon but all defined uniquely. The CPA defines “personal data” as “information that is linked or is reasonably linkable to an identified or identifiable individual.” This does not include information that has been de-identified or that is publicly available via the federal, state, or local government’s records.

The CPA refers to both “controllers” and “processors” as key roles within the text of the law. A controller is someone who “determines the purposes and means of processing personal data.” This puts them at the top of this chain of information sharing. Next, we have the processors who handle personal data on behalf of the controllers. 

Next, the CPA uses the concept of a “third-party” which they define as “a person, public authority, agency, or body other than a consumer, processor, or affiliate of the processor or the controller.” 

It is also important to look at how the CPA defines the word “sale” considering that one of the keys to this law being applicable to a company is their receiving revenue from selling protected data. Sale in the CPA is broadly defined as the exchange of personal data for something valuable (either monetary value or an alternative valuable asset). 

Penalties & Enforcement Process 

The CPA is actually the very first passed or attempted privacy act that will be able to be enforced by both the state’s attorney general or district attorneys. Any violator of the CPA will be subject to both an injunction and civil fines of $2,000 or less per violation and are not to exceed $500,000 for the total of a series of violations. 

In order to investigate and eventually enforce a punishment for a potential violation, the attorney general or district attorneys will be required to notify the organization of the alleged violation first thing. The business will then be allotted 60 days to fix this violation. This allowed time frame to solve the problem will only last until January 1, 2025. This is intended to allow a bit more leniency for a short period after the law goes into effect. 

The Colorado Privacy Act does not allow for the private right of action for consumers. 

Exceptions to CPA Compliance

As with most laws of this type, there are a few exceptions to the CPA that are important to outline. First, companies that process or collect information for employment purposes, or sell, process, or disclose information in accordance with the HIPAA, GLBA, FCRA, FERPA, COPPA, and DPPA are exempt. This follows suit for the other state privacy laws that we have seen either passed or discussed in that HIPAA remains the key to enforcement on ensuring the safety of protected health information. 


Although the CPA won’t significantly affect the operations of many of our clients, Accountable will continue to bring you the most up-to-date information on this privacy legislation. And for now, if you are an organization under HIPAA, then maintaining compliance with its requirements can remain your priority. 

Thanks for stopping by the Accountable Blog today and feel free to contact us via email if you ever need a hand!


Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
chevron left
Expert guidance
chevron left
Build trust
chevron left
Dedicated Compliance Success Managers
chevron left
HIPAA Training
chevron left
Decrease risk
chevron left
Close more deals