State Privacy Laws: Colorado
Colorado Privacy Act (CPA)
Overview
Colorado enacted the Colorado Privacy Act (CPA) in June of 2021, becoming the third U.S. state to adopt a comprehensive privacy law. The CPA contains express consumer rights, controller and processor obligations, and provisions relating to CPA enforcement and interpretive guidance.
Key Dates
- Signed into law: July 2021
- Effective date: July 1, 2023
Thresholds
CPA applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of at least 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Consumer Rights
- The right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.
- The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
- The right to delete personal data concerning the consumer.
- The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
- The right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Sensitive Data
The law defines sensitive data to include personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data of a known child
Penalties
Up to $20,000 per violation.
Configure Your Consent Banner for CPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. CPA in Colorado). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like CPA in Colorado).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
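To make the region-matching behavior and the recommended settings above concrete, here is an added illustration (not Concord's code) of how a consent banner can pick the most granular matching region rule for a visitor and derive its initial state from that rule, treating a browser's Global Privacy Control signal as a Do Not Sell opt-out. The rule and location shapes, and the rule names, are assumptions constructed for the example.

```javascript
// Constructed region rules: a global fallback, an EU-wide rule, a US-wide
// rule and a Colorado state-level rule. A rule "scope" lists the location
// attributes it constrains; a more constrained scope is more granular.
const REGION_RULES = [
  { name: "Global",   scope: {},                             consentMode: "explicit", doNotSell: false },
  { name: "EU/GDPR",  scope: { region: "EU" },               consentMode: "explicit", doNotSell: false },
  { name: "US",       scope: { country: "US" },              consentMode: "implied",  doNotSell: true },
  // Mirrors the recommended CPA settings: implied consent, Do Not Sell on,
  // Limit Sensitive Information on.
  { name: "Colorado", scope: { country: "US", state: "CO" }, consentMode: "implied",  doNotSell: true,
    limitSensitive: true },
];

// A rule matches when every attribute in its scope equals the visitor's.
function matchesScope(scope, location) {
  return Object.entries(scope).every(([key, value]) => location[key] === value);
}

// Return the matching rule with the largest scope (state beats country,
// country beats region, region beats global), or null if nothing matches.
function resolveRegionRule(location, rules = REGION_RULES) {
  let best = null;
  for (const rule of rules) {
    if (!matchesScope(rule.scope, location)) continue;
    if (best === null || Object.keys(rule.scope).length > Object.keys(best.scope).length) best = rule;
  }
  return best;
}

// Initial consent state before the visitor interacts with the banner.
// gpcSignal is the Global Privacy Control flag; in a browser it comes from
// navigator.globalPrivacyControl, passed in here so the function runs offline.
function initialConsentState(location, gpcSignal, rules = REGION_RULES) {
  const rule = resolveRegionRule(location, rules);
  if (rule === null) throw new Error("no region rule matched");
  const implied = rule.consentMode === "implied";       // on until the visitor declines
  const optedOutOfSale = rule.doNotSell && gpcSignal === true; // GPC counts as Do Not Sell
  return {
    rule: rule.name,
    analyticsAllowed: implied,
    saleAllowed: implied && !optedOutOfSale,
    sensitiveDataAllowed: rule.limitSensitive !== true,
  };
}
```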
For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.