In 2021, the Colorado Privacy Act (CPA) followed the Virginia Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA) to become the country's third comprehensive state consumer privacy law. Though most of its requirements closely resemble the Virginia law, there is at least one area where the CPA goes further than its peers: its definition of which businesses must comply.
Most of the CPA's obligations fall on "controllers," that is, persons or entities that determine "the purposes for and means of processing personal data." For example, if your business collects email addresses in order to send out promotions, your business is the controller of that personal data. A controller must comply with the CPA if it:
There is a lot to unpack here. First, what does it mean to "conduct business" in Colorado? Having a physical store in the state obviously fits that definition, but what about online businesses? The statute itself also reaches controllers that produce or deliver commercial products or services intentionally targeted to Colorado residents, and while there is not yet any explicit regulatory guidance on where the line falls, the bar is generally considered a low one; selling or offering your products to Colorado residents is probably enough.
As to the two threshold criteria, what does it mean to collect or process personal data? "Processing" means handling personal data in any way, from performing analytics to simply storing the data. "Personal data" is any information that is "linked or reasonably linkable to an identified or identifiable individual." This clearly includes data such as names and email addresses, but it also encompasses a wide range of online data such as IP addresses, cookie values, and other unique identifiers. In practice, each unique visitor to your business's website should be counted toward these totals. One caveat: the thresholds count "consumers," which the CPA defines as Colorado residents acting in an individual or household context, so data about people acting in an employment or commercial context (employees, job applicants, business-to-business contacts) does not count.
The second threshold (25,000 consumers plus the sale of personal data) is unique to the CPA and has the potential to apply to more businesses than either the CCPA or the CDPA. "Sale" is defined as any exchange of personal data for monetary or other valuable consideration. The "or other valuable consideration" component is borrowed from the CCPA, and as with the CCPA, it is vague and open to interpretation. However, this threshold is itself phrased in terms of a controller that "derives revenue or receives a discount on the price of goods or services" from the sale of personal data, so the statute treats a discount as valuable consideration, which could qualify many routine disclosures of personal data as sales. For example, if a business uses free cloud-based software and enters consumers' personal data into that program, the free use of the software could be treated as a discount received in exchange for the data; unless the exchange falls under one of the exceptions to the definition of selling (for instance, disclosure to a processor that handles the data on the controller's behalf), it may be a sale of personal data. Because the annual 25,000-consumer total can be reached with just over 2,000 unique website visitors per month, many businesses may be pulled into the CPA's jurisdiction through this threshold.
The CPA contains a number of exemptions, so that even if a business meets the definition above, some or all of its data processing may not be covered by the law. These exemptions include:
One important and somewhat unusual feature of the CPA is that it does not have a blanket exemption for nonprofit organizations, unlike the CCPA (which applies only to for-profit businesses) and the CDPA (which exempts nonprofits outright). A nonprofit that meets the thresholds above is a controller under the CPA like any other entity.
The Colorado Privacy Act is part of a growing trend of state privacy laws that can have a significant impact on how businesses operate. Navigating this web of overlapping and slightly different rules will only get more complicated as more states follow.
TrueVault Polaris makes privacy compliance simpler and more cost effective. By automating time-consuming tasks and providing a guided software experience, Polaris can help your business quickly get compliant and stay that way. Contact our team today to learn more or schedule a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.