After California and Virginia, Colorado is the third state to enact its separate privacy regulation called the Colorado Privacy Act. The deadline to comply by the CPA or ColoPA is July 1, 2023. While many of the rules of CPA are similar to CCPA and GDPR, there are a few differences like its applicability, penalty amount, cure period, enforcement entities, etc. Let’s understand what it is and everything else that you should know about it.
Table of Contents
What Is the Colorado Privacy Act?
CPA or ColoPA is a privacy policy from Colorado. Just like California has introduced CCPA, CPRA and Virginia brought VCDPA, the state of Colorado wants to protect the privacy of its citizens with this new regulation. It’ll provide new privacy rights to the people living in the state, and these rights will impact how you deliver your ads to them. Similar to GDPR, you’re supposed to protect your visitors’ data and comply with their requests for accessing, correcting, or deleting the information you hold about them.
Is CPA Applicable To You?
Most probably, yes. If you control or process data of 100,000 or more Colorado residents in a calendar year, you’ve to comply with CPA. But, this is not the only condition that brings you under the purview of CPA. You’ve to abide by the law if:
- You’re a business functioning in the state.
- Or you’re providing goods and services to the state’s residents.
- Or you earn revenue from the sale of personal data and control or process the personal data of at least 25,000 Colorado residents.
So, you can check your analytics and find out whether you deal with the data of Colorado residents. If you’ve visitors from the state, you should prepare for compliance with CPA.
Sidenote: Even non-profit organizations have to follow the Colorado Privacy Act.
What Does “Sale of Data” Mean In the Colorado Privacy Act?
When it comes to privacy policies, the definition of ‘sale of data‘ causes most of the confusion. Publishers and ad tech vendors keep wondering whether they are selling the data in the eyes of the law. The Colorado Privacy Act is not much different.
Does California Privacy Law consider publishers as data controllers?
CPA defines any exchange of personal data for monetary or other valuable consideration by a controller to a third party as a sale. A controller is an entity that determines the purpose and means of processing personal data (very similar to the GDPR definition). So, your status as a controller depends on how you collect and use your visitor’s data, but publishers are typically data controllers.
“The US Constitution is only 4,543 words. Most privacy policies from large portals dwarf that already.”
What Should Publishers Know About The Colorado Privacy Act?
The state of Colorado has officially enacted the CPA on July 8, 2021. The official drafts and amendments have long lists of clauses. We’ve compiled the most important highlights for publishers here. They’ll help you understand how the Colorado law stands in contrast to CCPA from California and VCDPA from Virginia:
- The Attorney General and District Attorneys will enforce the Colorado Privacy Act. Any violation of the act will be considered a deceptive trade practice under the Colorado Consumer Protection Act. It means noncompliance can cost you up to $20,000 per violation. The maximum total amount can reach up to $500,000.
What is the cure period in California Privacy Law?
You’ll have a 60-day cure period before the enforcement authorities take action against you. It means you’ve to fix any violations within 60 days of receiving a notice from the authorities. The provision of the cure period will exist only till January 1, 2025.
- You cannot conduct any processing activity that presents a heightened risk of harm to a consumer. If you’re doing so, you’ve to perform and document a data protection assessment first.
- You’ve to provide a one-click opt-out mechanism to your visitors. The visitor is allowed to authorize another person to opt-out on one’s behalf. But, you can deny a request if it can’t be authenticated. Similar to CCPA, you’ve to respect universal opt-out signals like Global Privacy Control.
- If your consumer requests, you’ve to provide his personal or non-personal data in a portable format. This law comes under the Consumer Portability Rights. The consumer also has the right to request data deletion request deletion of personal information or correct inaccuracies in it.
- Similar to CCPA and GDPR, the Colorado Privacy Act also has the concept of sensitive data. Any personal data points that can reveal racial or ethnic origin, religious beliefs, health conditions, etc., are belong to the sensitive category. You are forbidden from processing any such data before taking prior consent from your visitors. It means you’ve to obtain opt-ins in the case of sensitive data.
Related Read: 5 Tips for publishers to improve their consent rate
What Should Publishers Do About The Colorado Privacy Act?
You can take the same approach that you took to follow other privacy laws. Begin with your privacy policies and explain what information you collect along with its purpose. You must’ve completed most of the groundwork if you comply with CCPA and GDPR. Ensure the safety of the data and implement data management solutions that you can use to fulfill requests from your visitors or legal authorities. Avoid collecting or processing any data points that aren’t required. Also, avoid dark patterns.
What’s Next?
You have enough time to prepare for CPA, so there’s no need to worry too much. Meanwhile, you should ensure that all your partners are also CPA compatible. Your analytics should also comply with privacy laws. You can refer to our CCPA article to understand how to make GA privacy compliant. Be ready for more such laws to come as other states like Ohio, Massachusetts, New York, North Carolina, and Pennsylvania prepare for their policies.
