Colorado has joined the growing list of US states passing new comprehensive privacy laws by enacting the Colorado Privacy Act (the “CPA”).  Governor Jared Polis signed the CPA into law on July 7, 2021, making it the third comprehensive state privacy law enacted in the US.  With other states also considering proposals on comprehensive privacy legislation, CPA is another signal that companies must be prepared for more (not less) privacy regulatory risks.

Like the California Consumer Privacy Act (“CCPA”) and Virginia’s Consumer Data Privacy Act (“VCDPA”), the CPA borrows many of its terms and concepts from the European Union’s General Data Protection Regulation (GDPR), and is set to become effective on July 1, 2023.

The CPA bears some resemblance to the CCPA”, California Privacy Rights Act (“CPRA”), and the VCDPA, but differs in several important areas.  Like the VCPDA, however, CPA exempts data activities about employees, job applicants, or those acting in a commercial (B2B) context.  These distinctions continue to highlight the importance for companies to understand the type of data hosted by key systems, and how that information flows to and from external servers.

Key Provisions

  • Controller-Processor.  Adopts a data controller-processor model over the CCPA’s business-service provider version approach, requiring companies to protect consumers’ privacy, and act as responsible data custodians.
  • Consumer Rights.  Provides consumers with the right to:
    • Access, correct, and delete their personal data;
    • Data portability and receipt of their personal data in format that allows them to transfer it to another entity; and
    • Opt out of processing, sale, or profiling of personal data, or targeted advertising.
  • Transparency and protection.  Imposes an affirmative obligation on companies to:
    • Safeguard personal data;
    • Provide clear, understandable, and transparent information to consumers about how their personal data are used; and
    • Strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.
  • No private right of action.  Only Colorado’s Attorney-General, and district attorneys, may impose penalties, audit company practices, or mandate measures to prevent future violations.  Violations of the CPA are considered violations of Colorado’s deceptive trade practices statute with penalties of up to $2,000 per violation with a maximum of $500,000 for related violations.

Scope & Exemptions.  The CPA applies to data controllers who conduct business in Colorado or provide commercial products or services that are intentionally targeted at Colorado residents, and either:

  • controls or processes the personal data of 100,000 consumers (i.e., Colorado residents) or more annually; or
  • profit from the sale of personal data and controls or processes the data of 25,000 consumers (i.e., Colorado residents) or more.

Several exemptions apply under the CPA.  These include exemptions for health information that is collected, stored, and processed by a covered entity or its business associates (as defined by HIPAA); patient identifying information collected as part of clinical trials or research; and data created by covered entities in the course of complying with HIPAA requirements.

Data maintained for employment records or by providers of utilities and higher education also fall under the CPA’s exemptions.

Finally, the CPA also exempts credit data collected by consumer reporting agencies and personal data which is collected, processed, sold or disclosed in compliance with certain existing regulations like those governing financial institutions (Gramm-Leach-Bliley Act), Departments of Motor Vehicles (Driver’s Privacy Protection Act), and children’s data (Children’s Online Privacy Protection Act and Family Educational Rights and Privacy Act).

Additionally, the CPA does not prevent data controllers or processors from:

  • complying with existing regulations;
  • co-operating with civil or criminal investigations;
  • conducting internal research into development or repair of products;
  • performing internal operations what are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the consumer or perform a consumer contract;
  • protecting the vital interests of the consumer or another individual; or
  • preventing, detecting, responding to or investigating security incidents.

Data processing is also permitted where such processing is in the public interest in the public health, where the processing is subject to suitable and specific measures to protect the rights of the consumer whose data is processed and is under the responsibility of a professional subject to confidentiality obligations.

However, any data processed under one of the exemptions are subject to specification and limitation requirements, and may not be processed for any purpose not expressly listed in the CPA or processed beyond what is necessary, reasonable and proportionate to the specific purpose. Additionally, the burden of proving that these requirements have been met falls to the data controller.

Data Controllers’ and Processors’ Obligations.  The CPA establishes a clear set of obligations for data controllers and processors, and sets out a means of determining whether a party is considered a controller or a processor.  This is a fact-based determination that depends upon the context of the processing.  A person that is not limited in its processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is considered a controller.  By contrast, a processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.  If a processor begins to independently determine the purposes and means of the processing of personal data, it then becomes a controller.

Duties of transparency, purpose specification, data minimization, and avoidance of secondary use.  The CPA requires data controllers to provide a clear, transparent privacy notice which explains what categories of personal data are collected and processed, and the purpose for collection.  Additionally, the data collection must be limited in scope to what is reasonably necessary for the stated purpose, and the data may not be reused for another purpose without prior consent of the consumer.

Duty of care and duty regarding sensitive data.  Data controllers and processors are subject to a duty of care which requires them to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach.

Similarly, data controllers are prohibited from processing “sensitive data,” without the consumer’s consent, or the consent of a guardian in the case of a child.  “Sensitive data” is defined as race or ethnicity, religion, mental or physical health condition, sexual orientation, citizenship, genetic or biometric data, and personal data of a child.

Data protection assessments.  A controller is prohibited from processing consumer data in a manner that poses a “heightened risk of harm to a consumer” without performing a Data Protection Assessment.  A “heightened risk of harm” includes profiling, among others, for purposes of targeted advertising, selling personal data and processing sensitive data.  The Data Protection Assessment must weigh the benefits and risks associated in the data processing and consider any safeguards the data controller may implement to mitigate the risk of harm. Upon completion, the data controller must make the data protection assessment available to the state Attorney General for review upon request.

Data processing contracts.  Notably, the CPA includes obligations for processors in the context of their relationship to the controller.  Processors must ensure that each person processing the personal data is subject to a duty of confidentiality and processors may only engage subcontractors after giving controllers the opportunity to object and subject to a written contract that sets out the same requirements that the processors themselves are bound to under CPA. Further, processors are required to adhere to the controller’s instructions, and assist them in meeting obligations in under CPA by:

  • taking appropriate technical and organizational measures where possible to allow the controller to respond to consumer requests to exercise their rights;
  • helping to meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach; and
  • providing information to the controller which is needed to conduct and document data protection assessments.

Such processing must be governed by a contract between the controller and the processor that sets out:

  • The nature and purpose of the processing;
  • Type of data to be processed and duration of the processing; and
  • The above obligations.

Additionally, the contracts must require processors to delete or return all personal data to the controller at the end of the provision of services, unless retention is required by law, and provide all necessary information to the controller to demonstrate compliance. This includes participation of reasonable audits and inspections arranged by the controller.

Further Information.  To read the full text of the CPA, click here.  If you have any questions about this or any other privacy law, please do not hesitate to reach out to one of the Contact Partners listed below.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.


Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to and routinely uses his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.