
The Colorado Privacy Act (CPA): an overview

How well does your business protect the personal information of customers?

The lack of a Federal data privacy law in the US means that businesses have relative freedom around the identifiable information of their consumers. This doesn’t come without risk though, and can leave some customers – especially those of financial institutions – worried about who has access to their sensitive personal data.

Colorado residents may now be breathing a sigh of relief, as the Colorado Privacy Act passed on July 8th 2021. Governor Jared Polis signed the act into law, to be enacted from July 1st 2023.

The state joins California and Virginia as one of the first to safeguard the sensitive data of its consumers. Businesses that qualify will be required to think about their compliance obligations and to update their processes as part of consumer protection enforcement.

What does the Colorado Privacy Act do?

The purpose of the Colorado Privacy Act is to protect consumers and enforce stricter ethical standards around the collection and treatment of data. Colorado’s law provides clearer information around consumer rights, and ensures that businesses become responsible data custodians.

For example, companies that use consumer data to inform their targeted advertising must disclose the information they hold to customers who request it.

A violation of the Colorado Privacy Act by either data controllers or processors may be viewed as an infringement of privacy rights and will lead to monetary sanctions. Therefore, it’s important for firms to stay on the right side of the regulator.

Who does the Colorado Privacy Act apply to?

The CPA largely affects companies that conduct business within the state or that specifically target customers who are Colorado residents. Businesses and financial institutions with a nexus in Colorado, for example, are likely to fall within its scope.

The other threshold refers to the volume of data processed: the CPA applies to companies that process the personal data of more than 100,000 consumers, or that derive revenue from the sale of more than 25,000 pieces of data. In this context, ‘sale’ refers to an exchange for money or other value.

There is no annual revenue threshold associated with the Colorado Privacy Act.

What is covered by the data protection law?

Colorado’s law strengthens consumer rights and ensures there are consequences for companies that ignore the privacy legislation.

When requested, companies must be able to provide clear information about their processing activities, and must be transparent about how data is treated and protected.

For example, some companies will anonymize their information (known as pseudonymous data) in order to protect the identities of their customers. They must be able to show how this information becomes de-identified data.

Consumer rights

  1. Access: consumer requests to access the information that companies hold on them must be fulfilled.
  2. Correction: consumers have the right to correct information held about them if it is wrong.
  3. Deletion: businesses must adhere to consumer requests to delete personal data from company records.
  4. Opt-out: businesses must display a clear choice to opt out of data collection and processing.

How can businesses comply?

The introduction of the Colorado Privacy Act will be welcomed by businesses that are striving to protect the data security of their customers. But there are some compliance obligations that you may want to consider.

Does your business meet the threshold?

Unlike some other privacy legislation, the CPA has no covered-entity exemptions, such as an exemption for healthcare companies.

Have you updated your public privacy policy?

Streamline compliance efforts by completing a data inventory. This might require reviewing vendor contracts and implementing a consent mechanism for collecting personal data, for example.

The Colorado Privacy Act also calls for data protection assessments and the implementation of reasonable data security measures. Those who already work within GDPR guidelines should not experience too much of a change.

Finally, you should develop a standard operating procedure for responding to customer requests. Failing to do so risks civil penalties of up to $2,000 per violation, and a documented procedure also saves precious time.
