Understanding Colorado's Cookie Consent Requirements: A Comprehensive Guide

The Colorado Consumer Privacy Act (CPA) allows you to use cookies freely; however, this does not grant businesses unrestricted data collection and processing freedom.

Cookies are small text files placed on a user's browser or device to remember preferences, track behavior, store information, or enable specific functionalities. The concern with cookies is that they utilize personal data to identify users, which is why data protection laws regulate their use.

Following the GDPR, CCPA, VCDPA, and numerous other data protection regulations globally, the Colorado CPA has also established rules for data processing activities affecting Colorado residents.

This article will explore an important part of the law - the cookie consent requirements and provide guidance on achieving compliance.

Does Colorado Consumer Privacy Act (CPA) Apply to Your Business?

The Colorado Privacy Act (CPA) applies to businesses, known as "controllers," that fulfill specific criteria. These businesses must:

1. Operate in Colorado or manufacture and deliver commercial products or services deliberately aimed at Colorado residents.
2. Satisfy at least one of the following conditions during a calendar year:
   undefinedundefined

In contrast to data privacy laws in other US states, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and Virginia's Consumer Data Protection Act (VCDPA), the CPA does not impose a revenue threshold for businesses to be subject to the regulation. This sets the CPA apart from several other state-level privacy laws in the United States.

Colorado CPA Cookie Consent Requirements

Under the CPA, businesses are not required to obtain opt-in consent for using cookies to collect and process personal data. There are only two exceptions - where the cookies or tracking technologies collect sensitive personal information or the data of a known child.

Instead of general opt-in, the law requires businesses to provide consumers with an opt-out mechanism, allowing them to prevent the sales of their data and object to online targeting activities.

So, the rule of thumb is that you don’t need cookie consent. In most cases, you must process only the minimum amount of data (data minimization principle) for the purposes stated in your privacy policy and provide users with a privacy notice. That would be all you need for most types of cookies, including functional cookies, user experience cookies, Google Analytics cookies, social media cookies unless they collect sensitive data, etc.

However, there are two specific scenarios where opt-in consent is required:

1. Sensitive Personal Information. Opt-in consent is necessary if your site uses cookies to collect sensitive personal data. Sensitive personal data includes information about racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data processed for uniquely identifying an individual, and personal data of a known child. This would mean you must serve users with a pop-up cookie banner upon arrival on the website, ask them for permission to use the cookies, and wait until they grant user consent. Then, you must let them withdraw the consumer’s consent from the cookie preferences center.
2. Children's Data. To collect and process children's data, you must obtain opt-in consent from their parents or guardians.

Although obtaining consent is not always required for cookies, businesses should be aware that using cookies to collect and process personal data may trigger other CPA requirements.

However, even in cases where you don’t need consent for data processing, the sole use of cookies collecting personally identifiable information triggers many other CPA legal requirements, including:

1. Privacy Notice. Businesses must provide a privacy notice informing users about the collection, use, and disclosure of their personal data through cookies. In most cases, you’ll provide this notice as a privacy policy. It shall include information about the types of cookies used, data collection and processing purposes, and how users can exercise their rights under the CPA.
2. Opt-Out Mechanism. Businesses should implement a user-friendly opt-out mechanism that enables users to prevent the sale of their data or to object to data processing in certain situations, such as profiling or targeted advertising. The controllers will establish the technical specifications of a user-selected universal opt-out mechanism by July 1, 2024.
3. Data Protection Assessments. When using cookies to collect and process personal data that presents a heightened risk of harm to consumers, businesses must conduct data protection assessments. It is not clear yet what constitutes a heightened risk of harm, but it is reasonable to expect the Colorado Attorney General may clarify this before the law comes into effect.
4. Consumer Rights. You need processes to address consumer requests related to their personal data collected through cookies. This includes the right of access and the right to correct, delete, and opt-out of data collection and processing activities.
5. Third-Party Vendor Vetting. Using the third-party tools you use to process data means sharing personal data collected through cookies with them. You must ensure appropriate contractual arrangements that comply with the CPA.
   

How to Comply with the Colorado CPA Cookie Consent Requirements?

Here’s step-by-step guidance to ensure your CPA cookie consent compliance:

1. Audit Cookie Use. Perform a comprehensive audit of the cookies used on your website or application, identifying the types of cookies, their purposes, and the personal data they collect and process. That will give you an idea of whether you need to obtain consent to process sensitive data or children’s data.
2. Install a Consent Management Platform (CMP). Even if your website doesn’t need explicit cookie consent, installing a CMP is useful because CMP providers, such as Secure Privacy, provide the tools to allow consumers to opt out of the sale and targeted advertising.
3. Update Privacy Notices. If your privacy policy does not include information about the use of cookies, the types of cookies used, their purposes, and the personal data they collect and process, it is time to add that. Moreover, ensure the privacy notice is easily accessible and clearly visible to users.
4. Implement Opt-Out Mechanisms. Users can opt-out of the sale of data, targeted advertising, and profiling. Depending on your data practices, you may need only a “Do Not Sell My Personal Data” link or a mechanism for opting out of all the practices. Be prepared to comply with the requirement of implementing a user-selected universal opt-out mechanism by July 1, 2024.
5. Establish Processes for Consumer Requests. You mustn’t decline consumer requests, except in rare cases. Controllers must generally respond to consumer requests within 45 days. That’s why you must develop and communicate procedures for addressing consumer requests about personal data collected through cookies, including the rights to access, correct, delete, and opt-out.
6. Obtain Opt-In Consent for Sensitive Personal Information and Children's Data. If your cookie audit shows that you need it, ensure that your website or application obtains user opt-in consent before collecting sensitive personal information or children's data through cookies.
7. Conduct Data Protection Assessments. it is nice to perform data protection assessments for cookie-related data collection and processing activities that present a heightened risk of harm to consumers. Even if you don’t explicitly need it, that will give you an overview of your privacy practices and the associated risks. Keep records of these assessments and be prepared to provide them to the Attorney General upon request.
8. Review and Update Third-Party Contracts. Your third-party service providers are your responsibility, so assess your relationships with them and ensure that the contracts with these parties include provisions that comply with the CPA.
9. Train Employees. Your business is only as strong as your weakest link. If your employees are unaware of the CPA requirements, you read this in vain. Educate your employees about the CPA's requirements related to cookies and ensure that they understand their roles and responsibilities in maintaining compliance.
10. Monitor Changes in Legislation. Stay informed about any updates or clarifications to the CPA, particularly regarding cookie consent requirements and the definition of a heightened risk of harm. The Colorado Attorney General may issue additional guidance before the law goes into effect. For users of our CMP solution, we track the changes in privacy legislation for our users and embed the requirements to ensure that you’ll be compliant.
    

Final Thoughts

Although the CPA does not require businesses to obtain opt-in consent for using cookies in general, its requirements for privacy notices, opt-out mechanisms, consumer rights, and data protection assessments are crucial for businesses to understand and implement. By taking the steps outlined above, businesses can ensure compliance with the CPA's cookie consent requirements and protect Colorado residents' personal data and privacy rights.

Note that the penalty is $20.000 per violation, although with a cure period and no private right of action.