Compliance
CPA
The CPA (Colorado Privacy Act) will considerably improve the lives of Colorado citizens by giving them stronger data rights and more protection.
Cassie will be able to help you achieve compliance without you having to compromise your business goals.
What is the Colorado Privacy Act (CPA)?
The Colorado Privacy Act is one of 5 U.S. data privacy laws to go into effect in 2023, taking effect on July 1st. Its primary focus is to protect consumers in their online activities. It gives them certain rights over their personal data, including making inquiries or requests to data controllers or data processors about it, as well as the right to opt out of the processing of their data.
Although there are many similarities between the CPA and other U.S. data privacy laws, there are differences between them that can make compliance more challenging for organizations that are subject to more than one of these laws. Cassie’s consent management platform allows your business to have confidence in knowing that you’re achieving compliance under U.S. privacy laws without needing to sacrifice any business goals.
Colorado Privacy Act: A guide for marketers
Do you provide digital marketing services or run targeted ads on your website or app?
Several provisions in the CPA aim directly at the activities of online advertisers. You’ll need to provide transparent information to Colorado consumers and offer them an opt-out of targeted marketing.
Download this guide to find out what you need to know.
How can we help you stay compliant with US privacy laws?
This downloadable guide helps you understand the fundamentals of Cassie’s consent management platform.
Ideal for supporting conversations with stakeholders, our guide covers:
- Cassie’s core features
- Who it’s for
- How our platform centralizes data
- What makes us different from our competitors
Choose Cassie for:
Protect individual privacy
Allow end users to take control of their preferences with granular consent controls enforced across domains, devices and platforms
Avoid fines and brand damage
Cassie enables organizations to meet the complex requirements of the CPA and mitigate risk with a robust framework for managing consent, avoiding severe penalties and reputational damage.
Pass audit inspections
Be prepared for compliance audits with demonstrable tracking and complete history logs, alongside advanced RoPA and DSAR modules to improve efficiency and assess risk.
Ensure data security
Cassie is SOC 2 certified, assuring that organizations’ data is safeguarded from unauthorized access or breaches with industry-leading encryption protocols and practices.
Centralized source of truth
Use Cassie to honor and enforce consent data via APIs and integrations at high volume, in real time, for CPA compliance across your tech stack (CRMs, CMS, marketing automation tools, BI tools).
Complex consent made simple
For every consent captured, Cassie can store unlimited key-value pairs of additional information against that consent to unlock scalable, granular consent management.
Colorado’s new comprehensive privacy law (CPA) FAQs
Who is the CPA applicable to?
The CPA applies to “controllers.” Your business is a “controller” if it conducts business in Colorado or targets consumers in Colorado, and either:
- Controls or processes the personal data of more than 100,000 consumers per calendar year, or
- Derives revenue from the sale of personal data, and processes or controls the personal data of 25,000 or more consumers.
Definitions
What’s “personal data”?
The CPA defines “personal data” as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes publicly available and de-identified personal data.
What’s “sensitive data”?
As we’ll see below, the CPA contains certain special rules in relation to “sensitive personal data,” which includes information about a person’s:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health
- Sex life or sexual orientation
- Citizenship or citizenship status
What’s a “consumer”?
The CPA defines a “consumer” as a Colorado resident “acting only in an individual or household context,” and doesn’t include employees or job applicants.
What does “selling” personal data mean?
The “sale” of personal data means “the exchange of personal data for monetary or other valuable consideration to a third party.” “Valuable consideration” can include any benefit you derive from disclosing or transferring personal data. As such, this is a broad definition of “sale”—similar to that of the California Consumer Privacy Act (CCPA). But there are exceptions. The “sale” threshold is not met if you’re disclosing personal data:
- To a processor
- To a third party in order to provide products or services requested by the consumer
- To an affiliate
- As part of a merger, acquisition, or bankruptcy
- At the consumer’s request
- That has been made public via “mass media”
What are the consumer rights under CPA?
The CPA provides consumers with five rights over their personal data. Broadly speaking, the CPA’s consumer rights are:
- The right to opt out: Consumers may opt out of targeted advertising, the sale of their personal data, and profiling in respect of decisions with “legal or similarly significant effects.”
- The right of access: Consumers have the right to access a copy of the personal data a controller holds about them.
- The right to correction: Consumers have the right to correct any inaccurate personal data a controller holds about them.
- The right to deletion: Consumers have the right to delete personal data a controller holds about them.
- The right to data portability: Consumers may receive a copy of their personal data in a portable and readily usable format.
What are the duties of the controllers under CPA?
The CPA imposes seven “duties” on controllers. Broadly speaking, the CPA’s duties are:
- Duty of transparency: Controllers must provide consumers with a privacy notice detailing the controller’s processing activities.
- Duty of purpose specification: Controllers must specify the purposes for which they are collecting and processing personal data.
- Duty of data minimization: Controllers must only collect personal information that is adequate, relevant, and limited to what is necessary in relation to a specified purpose.
- Duty to avoid secondary use: Unless reasonably necessary, controllers must not process personal data for further purposes that are incompatible with the specified original purpose for which it was collected.
- Duty of care: Controllers must take reasonable security measures to protect personal data.
- Duty to avoid unlawful discrimination: Controllers must not process personal data in violation of anti-discrimination law.
- Duty regarding sensitive data: Controllers must not process sensitive data about a consumer without the consumer’s consent.
Do I need to complete data protection assessment under CPA?
Controllers must undertake a “data protection assessment” if they’re planning to carry out certain data processing activities, including:
- Targeted advertising where there are reasonably foreseeable risks to the consumer
- Selling personal data
- Processing sensitive data
What enforcement is there under the CPA?
Violations of the CPA are punishable by a civil penalty of up to $2,000 per violation. The law does not contain a private right of action, meaning that consumers cannot take controllers to court for infringing their rights under the CPA.