The Colorado Privacy Act (CPA) is a recently passed data privacy bill in Colorado. The CPA is the latest data privacy act passed at the state level, following the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Many insiders predicted the CCPA would kick off a wave of state-level privacy laws, particularly as data privacy has become an important issue for consumers, brands and legislators. The Colorado Privacy Act will take effect July 1, 2023.
What Are The Guidelines Of The Colorado Privacy Act (CPA)?
The CPA hews closely to the CCPA and VCDPA, but it does contain several important differences from prior state-level privacy laws.
A summary from the Colorado General Assembly explains that the CPA applies to:
Legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that control or process personal data of more than 100,000 consumers per calendar year; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The bill gives consumers the right to:
- Opt out of the processing of their personal data
- Access, correct or delete the data
- Obtain a portable copy of the data
Like other current state-level privacy laws, the CPA does not offer consumers a “private right of action,” which would have allowed consumers to bring suit in the event of personal data violations. The recently proposed, but not yet passed, New York Privacy Act does allow consumers to bring suit for violations.
Additionally, the Colorado General Assembly explained that the CPA:
Specifies how controllers* must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination and sensitive data;
Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data or processing sensitive data.
*A “controller” is defined as “a person that, alone or jointly with others, determines the purposes and means of processing personal data.” (This terminology is commonly used in Europe and outside of the U.S. and will likely be familiar to businesses that have undergone GDPR compliance.)
How Is The Colorado Privacy Act (CPA) Different From Other Data Privacy Laws?
There are some notable distinctions between the CPA and other state-level data privacy laws, including:
- Under the CPA guidelines, the cure period, when advertisers can remedy violations, is 60 days, instead of the 30 days under the CCPA and VCDPA.
- Unlike the CCPA and VCDPA, which have fine limits of $7,500 per violation, CPA violations are classified as deceptive trade practices and can incur a $20,000 fine per violation. Additionally, the CPA can be enforced by the “Colorado office of the Attorney General as well as local district attorney offices.” Other state-level privacy laws rely only on their states’ attorneys general.
- The data protection assessments are more rigorous, with Dan Clarke, a data privacy law expert, noting that a lack of exemptions in the CPA means “companies will have to do impact assessments for any project that collects personal data.”
- Most significantly, the CPA is the first data privacy law that will require companies to eventually offer a universal opt-out option. “It [universal opt out] can be programmed into your mobile phone as the default setting, and you have to abide by it. I think that will accelerate the industry's adoption and understanding of these universal opt-out signals,” said Clarke.
Do Advertisers Support The Colorado Privacy Act (CPA)?
During the amendment phase, several business advocacy groups expressed their hesitations to the Colorado Senate committee. The Colorado Retail Council asked for a change to the CPA implementation date, which was ultimately granted by the committee. Other groups, like TechNet, a bipartisan network of technology CEOs, raised concerns about the cost for companies to comply with the CPA. Those concerns were echoed by the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau, Network Advertising Initiative and American Advertising Federation, which said in a letter to Colorado lawmakers that the bill “has the potential to impose crushing compliance costs on Colorado businesses – particularly small businesses – that support the state’s economy and its residents.” These same organizations also took issue with the broad definition of sensitive data in the CPA.
Conversely, Microsoft’s Ryan Harkins, Senior Director of Public Policy, spoke in support of the CPA and the universal opt-out option. Harkins said, “We [at Microsoft] support state [privacy law] efforts. New, robust laws are needed to address real and serious concerns about privacy and restore public trust in technology.”
What Does The Colorado Privacy Act (CPA) Mean For Advertisers?
Like other data privacy laws, the CPA could impact personalized advertising, an increasingly important issue for advertisers due to recent changes from Apple and Google. Looking ahead, advertisers should adapt to changes in data privacy laws by testing contextual targeting and other digital advertising strategies that reach consumers throughout the funnel.
Businesses that comply with CCPA and VCDPA may be more prepared for the CPA to take effect, but advertisers should still be proactive, understanding the nuances of the CPA and how it differs from other privacy laws. In the case of the CPA, the ongoing data protection assessments and preparation for the universal opt-out are areas where businesses will need to stay alert and prepared. Additionally, advertisers and businesses should aim to reassure consumers their data isn’t being misused, preparing consumers to opt in when the time comes.