April 26, 2023

Understanding the Colorado Privacy Act (CPA): What You Need to Know About Cookies and Compliance

In this article, we will explore the CPA's cookie-related requirements in detail, including how the CPA compares to other data protection laws such as the GDPR, CCPA, and VCDPA. By the end of this article, you will have a better understanding of the CPA's impact on your business, the cookie consent and opt-out requirements, consumer rights, and potential penalties for non-compliance.

If you are required to comply with the Colorado Privacy Act (CPA), you don’t need to ask for cookie consent. Many international privacy regulations require you to do so, but you can use cookies and other tracking technologies in Colorado without asking for permission.

However, using cookies and online trackers triggers many CPA requirements, and this article will delve deep into these requirements.

You’ll learn the following:

  • Does the CPA affect your business?
  • What are the CPA cookie consent requirements?
  • What are the CPA opt-out requirements?
  • What are the CPA consumer rights if you use cookies?
  • What are the CPA penalties if you do not comply with the law?
  • How does the CPA compare with other data protection laws such as the GDPR, CCPA, VCDPA, and others?

Does the CPA Affect Your Business?

The Colorado Privacy Act (CPA) applies to businesses (referred to as "controllers") that meet the following criteria:

They conduct business in Colorado or produce/deliver commercial products or services intentionally targeted to Colorado residents.

They meet either of the following thresholds during a calendar year:

  1. Control the processing of personal data of 100,000 consumers or more.
  2. Control the processing of personal data of 25,000 consumers or more and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).

Unlike the California CCPA and CPRA, Virginia VCDPA, and other US states’ data privacy laws, the CPA has no applicable revenue threshold.

What Are the CPA Cookie Consent Requirements?

The CPA does not specifically mention cookies or set explicit requirements for cookie consent.

However, the CPA requires obtaining consumers’ consent before processing sensitive personal data, which means an opt-in is required for that data.

Sensitive data includes data related to national or ethnic origin, health data, financial data, sexual orientation, genetic data, biometric data, and so on. To process personal data that belongs to these categories, you need consent. Processing sensitive data may also trigger the data protection assessment requirements.

You also need to obtain explicit consent for processing the data of a known child. Depending on the child's age, you need consent from the parent or guardian of the child, or from both the child and the parent.

In all other cases, you can collect data via cookies as long as the consumer does not opt out. Controllers must be careful to respect the data minimization and purpose specification principles, which means processing only the minimum amount of data necessary for the purposes stated in the privacy notice.

This leads us to the key CPA cookie consent requirement: providing consumers with a privacy notice. Controllers must provide data subjects with clear privacy notices, informing them about the types of personal data being collected, processed, and shared.

If cookies are used, the notice should include information about the cookies and similar technologies used on the website.

Users also have the right to opt out of certain data processing activities. This includes targeted advertising, personal data sales, and profiling. If a website uses cookies for these purposes, it triggers the requirement to provide consumers with clear and conspicuous notice of their right to opt out and an easy-to-use opt-out mechanism. Still, no user consent is needed.

What Are the CPA Opt-Out Requirements?

Under the CPA, businesses (controllers) must provide consumers with the option to opt out of certain data processing activities, including:

  1. Targeted advertising. Consumers have the right to opt out of processing their personal data for targeted advertising. If they do so, you must not use social media cookies and pixels to track them all over the internet.
  2. Sales of personal data. If you sell personal information, consumers can opt out of that. Data sales include transferring personal data to third parties for monetary or other valuable consideration.
  3. Profiling. Profiling is any automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual's performance at work, economic situation, health, personal preferences, interests, behavior, location, or movements. Consumers have the right to opt out of profiling that has legal or other significant effects on them. This often means opting out of automated profiling on social media, insurance software, HR software, etc.

To comply with these opt-out requirements, businesses should:

  1. Provide a clear and conspicuous notice informing consumers that they can opt out of targeted advertising and sales of their personal data.
  2. Make the opt-out mechanism easy to access and use. Controllers must establish the technical specifications of a user-selected universal opt-out mechanism by July 1, 2024. It is good practice to place a link to the opt-out mechanism in the footer of your website.
  3. Respond to consumer opt-out requests within 45 days. If necessary, this period can be extended by an additional 45 days as long as the consumer is notified of the extension within the first 45-day period.
  4. Adjust your privacy policy to explain how consumers can exercise their opt-out rights and appeal any adverse controller decisions. The privacy policy must inform data subjects about the methods for submitting requests.

What Are the CPA Consumer Rights?

The CPA grants several rights to consumers, which are Colorado residents acting in their individual or household contexts. These rights aim to give consumers control over their personal data and protect their privacy. In this regard, the CPA follows the privacy legislation trends set out by California and Virginia laws.

Under the CPA, consumers have the right to:

  • Opt out of processing their personal data for targeted advertising, personal data sales, or profiling that has legal or other significant effects on them.
  • Know whether a controller processes their personal data.
  • Access the personal data that a controller collects, uses, or discloses about them.
  • Correct inaccuracies in their personal data.
  • Delete their personal data held by a controller.
  • Data portability: obtain a copy of their personal data in a commonly used and machine-readable format up to two times per year.

Parents or guardians of children under 13 can exercise these rights on behalf of the children.

You need to establish processes and mechanisms to allow consumers to exercise these rights, provide clear privacy notices, and respond to consumer requests within 45 days (with the possibility of a 45-day extension if necessary).

In most cases, having an email address to receive requests and knowing where to look for the data would suffice.

What Are the CPA Penalties?

The Colorado Attorney General and district attorneys enforce the CPA. They have exclusive authority to ensure compliance with the CPA's requirements. Consumers have no private right of action for violations, meaning that individual consumers cannot sue businesses directly for non-compliance. They can rely only on the Attorney General and district attorneys.

If you ever get in trouble with the CPA, the enforcement procedure would look like this:

1. The Attorney General or district attorneys issue a notice of violation to the business (controller) that allegedly violates the CPA.

2. The business has a 60-day cure period to rectify the alleged violation. This right to cure will sunset on January 1, 2025. After that, there will be no cure period, and fines will be issued immediately.

3. If the business fails to rectify the violation within the cure period, the Attorney General or district attorneys may initiate legal action against the business.

That can lead to penalties of $20,000 per violation.

How Does CPA Compare with Other Data Protection Laws Such as the GDPR, CCPA, VCDPA, and Others?

The CPA shares many similarities with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and other privacy protection laws on a state level in the US.

However, it is quite different from the EU’s General Data Protection Regulation (GDPR). The most notable differences are the opt-in versus opt-out principle and the cure period the CPA gives businesses to remedy violations.

In addition, GDPR does not require “Do Not Sell” buttons, considering that the sale of personal data is forbidden.

CPA Cookie Compliance with Secure Privacy

Secure Privacy is a consent management platform (CMP) that could easily make your business CPA-compliant, although cookie consent is not always required in Colorado.

Secure Privacy software provides a privacy notice functionality that allows you to serve the required privacy notices to consumers easily. Should you use cookies, you can easily honor consumers’ requests related to the right to know, the right of access, the right to deletion, and so on.
