Colorado Privacy Act (CPA)
Maximum Fine: $20,000 per violation
Scope: State
Regulator: AG
Status: Active
Overview
The Colorado Privacy Act establishes comprehensive privacy rights for Colorado residents and obligations for businesses processing personal data.
Key Facts
- Effective July 1, 2023
- Enforced by Colorado Attorney General
- Includes consumer rights and business obligations
- Requires data protection assessments
- Universal opt-out mechanism required
Key Principles
Consumer Rights
Rights granted to Colorado residents under CPA.
Requirements
- Right to access
- Right to delete
- Right to data portability
- Right to correct
- Right to opt-out of targeted advertising
- Right to opt-out of sales
- Right to opt-out of profiling
Examples
- Access request procedures
- Deletion mechanisms
- Data portability formats
- Correction processes
- Opt-out systems
Transparency
Disclosure requirements for controllers.
Requirements
- Privacy notice requirements
- Processing disclosures
- Rights information
- Sharing practices
- Contact information
Examples
- Privacy policies
- Notice updates
- Rights notifications
- Processing records
Duty of Care
Requirements for protecting personal data.
Requirements
- Data security
- Purpose limitation
- Data minimization
- Avoid unfair processing
- Secondary use restrictions
Examples
- Security measures
- Processing records
- Purpose documentation
- Risk assessments
Compliance Requirements
Data Protection Assessments
Required assessments for processing activities.
Implementation Steps
- Identify processing requiring assessment
- Document risks and benefits
- Evaluate safeguards
- Consider alternatives
- Implement controls
Required Documentation
- Assessment procedures
- Risk analyses
- Control documentation
- Review records
- Mitigation plans
Consumer Request Handling
Procedures for handling consumer rights requests.
Implementation Steps
- Establish request procedures
- Implement verification methods
- Set response timelines
- Train staff
- Document responses
Required Documentation
- Request procedures
- Verification methods
- Response templates
- Training materials
- Request logs
Universal Opt-Out
Requirements for honoring universal opt-out mechanisms.
Implementation Steps
- Implement technical measures
- Update processes
- Train staff
- Monitor compliance
- Regular testing
Required Documentation
- Technical specifications
- Process documentation
- Training materials
- Compliance records
- Test results
Enforcement & Penalties
Attorney General Enforcement
The Colorado Attorney General has authority to enforce the CPA.
Penalty Categories
Civil Penalties
Up to $20,000 per violation
For each violation of the Act
Injunctive Relief
Varies
Court orders to cease violations
Example Cases
Example Case 1
$100,000
2023 - Multiple violations of consumer rights
Example Case 2
$50,000
2023 - Failure to conduct required assessments