Have you heard the news yet? The Colorado Privacy Act has raised the brrr for the Centennial State. This past summer, Colorado’s governor signed the CPA into law, making it the third comprehensive privacy rights law among the states. On July 1, 2023, the CPA will take effect, six months after the California Privacy Rights Act (an update to the CCPA) and Virginia’s Data Protection Act (CDPA). The CPA’s passage raises a number of important questions for organizations conducting business in Colorado, such as: what does the CPA entail; who must comply; how will the law be enforced, and; what do companies need to know to comply with the CPA?

A Sneak “Peak” into the CPA

The law applies to entities that conduct business or produce commercial products or services intentionally targeted to Colorado residents, and that control or process personal data or derive revenue from the sale of personal data. The CPA applies to both for-profit and nonprofit entities. However, state and local governments and institutions of higher education are excluded.[1]

Controllers are defined as any person that, alone or jointly with others, determines the purposes and means of processing personal data. The CPA specifies how controllers must fulfill their duties regarding consumers’ rights, transparency, purpose specification, data minimization, avoiding secondary use and unlawful discrimination, care, and sensitive data.

The CPA also requires controllers to conduct a data protection assessment for each processing activity involving personal data that presents a high risk of harm to consumers. Examples of a foreseeable high risk include:

  • unfair or deceptive treatment or unlawful impact on consumers;
  • financial or physical injury;
  • selling of personal data; and
  • processing sensitive data.[2]

Also, the CPA seeks to empower “consumers to protect their privacy and to require companies to be responsible custodians of their data.”[3] Sensitive personal data is considered detailed personal information about an individual, and includes race, origin, set, religion, mental or physical health conditions or diagnoses, and sexual orientation. Under the CPA, controllers must obtain consumers’ consent before processing sensitive data.

Who has Enforcement Authority?

There is no private right of action under the CPA. The state’s attorney general’s office and state district attorneys are the CPA’s exclusive enforcement officers. Both the AG and DAs may bring enforcement actions directly or on behalf of a Colorado resident. Enforcement officers are also required to notify the business of any alleged violation before bringing a legal action. Upon notification, a business has 60 days to cure the alleged violation. Civil penalties start at $2,000 per violation but may not exceed $500,000 for any related series of violations. [4]

It’s All Downhill from Here

Although the CPA does not take effect until July 1, 2023, businesses should not delay determining their compliance obligations. By starting now, your organization can avoid being time pressed to complete any required comprehensive data inventories, update policies, and review contracts. This can help ensure a smooth and efficient transition for businesses subject to the CPA’s new requirements. [5]

Companies who have already invested in complying with state privacy laws may not have to adjust their practices much to comply with the CPA. Nonetheless, the CPA contains some key distinctions from other privacy laws that should not be overlooked by even the most seasoned privacy law experts.

If your organization is ready to create a record retention schedule, contact Zasio today to see how our innovative products and services can help meet your record-keeping and information governance needs.


[1] Protect Personal Data Privacy: Concerning additional protection of data relating to personal privacy.


[2] SB21-190: Protect Personal Data Privacy- Concerning additional protection of data relating to personal privacy.



[3] Colorado’s Emergent Consumer Privacy Bill Introduces Chance to Opt Out of Data Processing


[4] Colorado’s Consumer Data Protection Act Has Passed: What’s in It?


[5] Colorado Privacy Act: What Businesses Need to Know


Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.