Understanding the Colorado Privacy Act (CPA): What You Need to Know About Cookies and Compliance
The CPA does not mention cookies by name, but using cookies and online trackers triggers many of its requirements, and this article goes through those requirements in detail. It also compares the CPA with other data protection laws such as the GDPR, CCPA, and VCDPA. By the end, you will have a clearer picture of the CPA's impact on your business, its consent and opt-out requirements for cookies, the rights it gives consumers, and the penalties for non-compliance.
You’ll learn the following:
- Does the CPA affect your business?
- What are the CPA cookie consent requirements?
- What are the CPA opt-out requirements?
- What are the CPA penalties if you do not comply with the law?
- How does the CPA compare with other data protection laws such as the GDPR, CCPA, VCDPA, and others?
Does the CPA Affect Your Business?
The Colorado Privacy Act (CPA) applies to businesses (referred to as "controllers") that meet the following criteria:
They conduct business in Colorado or produce/deliver commercial products or services intentionally targeted to Colorado residents.
They meet either of the following thresholds during a calendar year:
- Control the processing of personal data of 100,000 consumers or more.
- Control the processing of personal data of 25,000 consumers or more and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).
Unlike the California CCPA and CPRA, the CPA has no revenue threshold: a business with modest revenue is covered as soon as it processes data about enough Colorado consumers. In this respect the CPA follows the Virginia VCDPA, whose thresholds are also based on the number of consumers rather than on revenue.
What Are the CPA Cookie Consent Requirements?
The CPA does not specifically mention cookies or set explicit requirements for cookie consent.
However, the CPA requires consent before processing a consumer's sensitive data, so for that category an opt-in is required.
Under the CPA, sensitive data means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed to uniquely identify an individual; and personal data from a known child. Financial data is not a sensitive category under the CPA, unlike under some other laws. Processing sensitive data also triggers the CPA's data protection assessment requirement.
Personal data from a known child (an individual under 13) is itself sensitive data, so before processing it you need consent from the child's parent or lawful guardian.
In all other cases, you may collect data via cookies without prior consent, subject to the consumer's opt-out rights described below and to the data minimization and purpose specification duties: process only the personal data that is reasonably necessary for the purposes disclosed in your privacy notice, and obtain consent before using it for a new purpose that is neither reasonably necessary for nor compatible with those purposes.
This leads us to the key CPA cookie consent requirement - providing consumers with a privacy notice. Controllers must provide data subjects with clear privacy notices, informing them about the types of personal data being collected, processed, and shared.
If cookies are used, this should include information about cookies and similar technologies on their websites.
What Are the CPA Opt-Out Requirements?
Under the CPA, businesses (controllers) must provide consumers with the option to opt out of certain data processing activities, including:
- Targeted advertising. Consumers have the right to opt out of processing their personal data for targeted advertising, meaning ads selected based on their activity across non-affiliated websites or apps over time. If a consumer opts out, you must stop using third-party advertising cookies and pixels (social media pixels included) to build a cross-site profile of that consumer.
- Sales of personal data. If you sell personal data, consumers can opt out of the sale. Under the CPA, a sale is the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
- Profiling. Profiling is any form of automated processing of personal data to evaluate, analyze, or predict personal aspects of an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Consumers have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects on them, such as decisions that grant or deny financial or lending services, housing, insurance, education, employment, health-care services, or access to essential goods or services.
To comply with these opt-out requirements, businesses should:
- Provide a clear and conspicuous notice informing consumers that they can opt out of targeted advertising and sales of their personal data.
- Make the opt-out mechanism easy to access and use. A clear link in the footer of your website is common practice. In addition, starting July 1, 2024, controllers must honor opt-out requests sent through a universal opt-out mechanism that meets the technical specifications adopted by the Colorado Attorney General, so that a consumer can set a preference once (for example in their browser) and have every site they visit respect it.
- Respond to consumer opt-out requests within 45 days. If necessary, this period can be extended by an additional 45 days as long as the consumer is notified of the extension within the first 45-day period.
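As an added example, not part of the original article: a small server-side and browser-side check for honoring a universal opt-out signal. It assumes the signal is Global Privacy Control (GPC), which browsers send as the request header `Sec-GPC: 1` and expose to scripts as `navigator.globalPrivacyControl`, and which appears on the Colorado Attorney General's public list of recognized universal opt-out mechanisms. The cookie inventory, the purpose assigned to each cookie, and all function names are constructed for the illustration.

```javascript
// Added example (not from the original article): honoring a universal
// opt-out signal under the CPA. Assumption: the signal is Global Privacy
// Control (GPC), i.e. the request header "Sec-GPC: 1" on the server side
// and navigator.globalPrivacyControl in the browser.

// Cookie inventory: constructed for this example. A real site keeps this
// in sync with the cookie disclosures in its privacy notice.
const COOKIE_PURPOSES = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",               // first-party analytics, not targeted ads
  _fbp: "targeted_advertising",   // third-party ad pixel
  IDE: "targeted_advertising",
};

// Returns true only for a well-formed GPC signal. Header names are
// case-insensitive; the spec defines exactly one valid field value, "1".
function gpcOptOut(headers) {
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return Boolean(entry) && String(entry[1]).trim() === "1";
}

// Combines the browser signal with any opt-out the consumer recorded on the
// site itself (e.g. via the footer link). Either source is sufficient: the
// consumer is opted out of targeted advertising and sale of personal data.
function decideProcessing(headers, siteOptOut = {}) {
  const gpc = gpcOptOut(headers);
  const targetedAdsAllowed = !(gpc || siteOptOut.targetedAds === true);
  const saleAllowed = !(gpc || siteOptOut.sale === true);
  let source = "none";
  if (gpc) source = "universal-opt-out";
  else if (!targetedAdsAllowed || !saleAllowed) source = "site-opt-out";
  return { targetedAdsAllowed, saleAllowed, source };
}

// Filters the Set-Cookie headers a response is about to emit. Advertising
// cookies are dropped when the consumer is opted out; cookies missing from
// the inventory are treated as non-essential and dropped too (data
// minimization: if you cannot state a cookie's purpose, do not set it).
function filterSetCookies(setCookieHeaders, decision) {
  return setCookieHeaders.filter((header) => {
    const name = header.split("=")[0].trim();
    const purpose = COOKIE_PURPOSES[name] || "unknown";
    if (purpose === "essential" || purpose === "analytics") return true;
    if (purpose === "targeted_advertising") return decision.targetedAdsAllowed;
    return decision.targetedAdsAllowed && decision.saleAllowed; // unknown cookie
  });
}

// Response headers for a page whose content depends on the signal. Adding
// "Vary: Sec-GPC" stops shared caches from serving a tracker-laden response
// to an opted-out visitor (or a stripped one to everybody else).
function responseHeaders() {
  return { Vary: "Sec-GPC" };
}

// Browser-side counterpart: consult the signal before injecting an ad pixel.
// The navigator object is passed in (rather than read from the global) so
// the check can be unit-tested outside a browser.
function shouldLoadAdPixel(nav) {
  return !(nav && nav.globalPrivacyControl === true);
}

// Demo with a constructed request from a browser sending the GPC signal.
const demo = decideProcessing({ "Sec-GPC": "1", Host: "www.example.com" });
console.log(demo);
console.log(
  filterSetCookies(
    ["session_id=abc; Secure; HttpOnly", "_fbp=fb.1.1; Domain=.example.com"],
    demo
  )
);
```

The check treats the signal as an opt-out of both targeted advertising and sale, which is how the universal opt-out mechanism operates under the CPA; it does not cover profiling, which has no browser-level signal and still needs a site-specific request path. Note also that the filter deliberately keeps first-party analytics cookies: the opt-out right covers targeted advertising and sale, not all measurement, so the classification in the inventory is the decision that matters and should match the privacy notice.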
What Are the CPA Consumer Rights?
The CPA grants several rights to consumers, which are Colorado residents acting in their individual or household contexts. These rights aim to give consumers control over their personal data and protect their privacy. In this regard, the CPA follows the privacy legislation trends set out by California and Virginia laws.
Under the CPA, consumers have the right to:
- Opt out of processing their personal data for targeted advertising, personal data sales, or profiling that has legal or other significant effects on them.
- Know whether a controller is processing their personal data.
- Access the personal data a controller collects, uses, or discloses about them.
- Correct inaccuracies in their personal data.
- Delete their personal data held by a controller.
- Obtain a copy of their personal data in a portable and, where technically feasible, readily usable format, up to two times per year.
Parents or lawful guardians of children under 13 can exercise these rights on behalf of the child.
You need to establish processes and mechanisms to allow consumers to exercise these rights, provide clear privacy notices, and respond to consumer requests within 45 days (with the possibility of a 45-day extension if necessary).
At a minimum this means a reliable channel for receiving requests (a web form or a dedicated email address), a way to reasonably authenticate that the requester is the consumer (or the consumer's parent or guardian), an inventory of where each category of personal data is stored so requests can actually be fulfilled, and a documented appeals process, since the CPA requires you to let consumers appeal a refusal to act on a request.
What Are the CPA Penalties?
The Colorado Attorney General and district attorneys enforce the CPA. They have exclusive authority to ensure compliance with the CPA's requirements. Consumers have no private right of action for violations, meaning that individual consumers cannot sue businesses directly for non-compliance. They can rely only on the Attorney General and district attorneys.
If you ever get in trouble with the CPA, the enforcement procedure would look like this:
1. The Attorney General or district attorneys issue a notice of violation to the business (controller) that allegedly violates the CPA.
2. The business has a 60-day cure period to rectify the alleged violation. This right to cure sunsets on January 1, 2025; after that date, the Attorney General and district attorneys may bring an action without first offering an opportunity to cure.
3. If the business fails to rectify the violation within the cure period, the Attorney General or district attorneys may initiate legal action against the business.
A CPA violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, which carries civil penalties of up to $20,000 per violation.
How Does CPA Compare with Other Data Protection Laws Such as the GDPR, CCPA, VCDPA, and Others?
The CPA shares many similarities with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and other privacy protection laws on a state level in the US.
However, it is quite different from the EU's General Data Protection Regulation (GDPR). The most notable difference is opt-in versus opt-out: under the GDPR every processing activity needs a lawful basis, which for non-essential cookies is in practice prior consent, whereas the CPA lets most processing proceed unless the consumer opts out, with consent required only for sensitive data, children's data, and new incompatible purposes. The GDPR also has no cure period before enforcement action.
In addition, the GDPR has no "Do Not Sell" concept. It does not forbid the sale of personal data; rather, it does not single sales out at all. Any disclosure to a third party needs a lawful basis, is subject to the right to object, and must be covered by the privacy notice.
CPA Cookie Compliance with Secure Privacy
Secure Privacy is a consent management platform (CMP) that can help your business meet the CPA's consent and opt-out requirements, even though cookie consent itself is not always required in Colorado.