Expert Commentary

Colorado Privacy Act: Application, Definitions, Rights, and Notices

The Colorado Privacy Act (CPA) will take effect July 1, 2023 (except that if a referendum petition is filed pursuant to section 1 (3) of article V of the Colorado constitution against the CPA or an item, section, or part of the CPA within the 90-day period after final adjournment of the general assembly, then the CPA, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2022 and, in such case, will take effect July 1, 2023, or on the date of the official declaration of the vote thereon by the governor, whichever is later). It applies to conduct occurring on or after the applicable effective date of the CPA. This article discusses CPA application and definitions, consumer rights, and privacy notice requirements.


Cyber and Privacy Risk and Insurance
July 2021

The Colorado attorney general may promulgate rules for the purpose of carrying out the CPA. By January 1, 2025, the Colorado attorney general may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA, and the rules must become effective by July 1, 2025.

Notwithstanding any other provision of Article 1, the Colorado attorney general and district attorneys will have exclusive authority to enforce the CPA.

Application and Definitions

The CPA applies to a controller that does the following.

  • Conducts business in Colorado; or
  • Produces or delivers commercial products or services that are intentionally targeted to Colorado residents; and that
  • Controls or processes the personal data of 100,000 consumers or more during a calendar year; and/or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

"Consumer" means an individual who is a Colorado resident acting only in an individual or household context and does not include an individual acting in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context.

"Controller" means a person that, alone or jointly with others, determines the purposes for and means of processing personal data. Determining whether a person is acting as controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.

"Processor" means a person that processes personal data on behalf of a controller. Determining whether a person is acting as controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

"Process" or "processing" means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

"Personal data" means information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

"Identified or identifiable individual" means an individual who can be readily identified directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.

"De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data does the following.

  • Takes reasonable measures to ensure that the data cannot be associated with an individual;
  • Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and
  • Contractually obligates any recipients of the information to comply with the requirements of Col. Rev. Stat. § 6-1-1303(11).

"Sale," "sell," or "sold" means the exchange of personal data for monetary or other valuable consideration by a controller to a third party and does not include the following.

  • The disclosure of personal data to a processor that processes the personal data on behalf of a controller;
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
  • The disclosure of personal data that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party, or that a consumer intentionally makes available to the general public via a channel of mass media.

"Third party" means a person, public authority, agency, or body other than a consumer, controller, processor, or an affiliate of the processor or the controller.

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in Col. Rev. Stat. § 6-1-1303(1), "control" means the following.

  • Ownership of, control of, or the power to vote 25 percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;
  • Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or
  • The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. 5481 (24), if any.

"Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests and does not include the following.

  • Advertising to a consumer in response to the consumer's request for information or feedback;
  • Advertisements based on activities within a controller's own websites or online applications;
  • Advertisements based on the context of a consumer's current search query, visit to a website, or online application; or
  • Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

"Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Decisions that produce legal or similarly significant effects concerning a consumer" means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to essential goods or services.

"Consent" means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent.

  • Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • Hovering over, muting, pausing, or closing a given piece of content; and
  • Agreement obtained through dark patterns.

"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

"Sensitive data" means the following.

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
  • Personal data from a known child.

"Child" means an individual under 13 years of age.

"Pseudonymous data" means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.

Consumer Rights

A consumer may exercise consumer personal data rights by submitting a request at any time to a controller using the methods specified by the controller in the privacy notice required under Col. Rev. Stat. § 6-1-1308(1)(a) specifying which of the following rights the consumer wishes to exercise.

  • Right of access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data.
  • Right to correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
  • Right to deletion. A consumer has the right to delete personal data concerning the consumer.
  • Right to data portability. When exercising the right to access personal data pursuant to Col. Rev. Stat. § 6-1-1306(1)(b), a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
  • Right to opt out. A consumer has the right to opt out of the processing of the personal data concerning the consumer for purposes of the following.
    • Targeted advertising;
    • The sale of personal data; or
    • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

A controller that processes personal data for purposes of targeted advertising or the sale of personal data must provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to Col. Rev. Stat. § 6-1-1306(1)(a)(I) clearly and conspicuously in any privacy notice required to be provided to consumers under the CPA and in a clear, conspicuous, and readily accessible location outside of the privacy notice.

Privacy Notice Requirements

A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following.

  • The categories of personal data collected or processed by the controller or a processor.
  • The purposes for which the categories of personal data are processed.
  • How and where consumers may exercise the rights pursuant to Col. Rev. Stat. § 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties, if any, with which the controller shares personal data.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing and the manner in which a consumer may exercise the right to opt out of the sale or processing.

A controller must specify the express purposes for which personal data are collected and processed.

A controller must specify in the privacy notice the methods by which consumers may exercise consumer personal data rights.



Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
