July 24, 2024
Does the Colorado Privacy Act Apply to Your Business?
The Colorado Privacy Act adds numerous privacy responsibilities for companies across the country and the globe. Does it apply to your business?

In 2021, the Colorado Privacy Act (CPA) followed the Virginia Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA) to become the country’s third data privacy law. Though most of its requirements bear a strong resemblance to the Virginia law, there is at least one area where the CPA goes farther than its peers: its definition of which businesses must comply.

Who Must Comply With the Colorado Privacy Act?

Most of the CPA’s obligations fall on “controllers,” i.e., persons or entities that determine “the purposes for and means of processing personal data.” For example, if your business collects email addresses in order to send out promotions, you are the controller of that personal data. A controller must comply with the CPA if it:

  1. Conducts business in Colorado or produces commercial products or services intentionally targeted to state residents AND
  2. Meets one of the following threshold criteria:
    • Controls or processes the personal data of at least 100,000 Colorado consumers annually
    • Controls or processes the personal data of at least 25,000 Colorado consumers and derives any revenue or receives a discount on products or services from the sale of personal data

There’s a lot to unpack here. First, what does it mean to “conduct business” in Colorado? Obviously having a physical store location within the state would fit that definition, but what about online businesses? While there is not yet any explicit guidance on the issue, it is generally considered a low bar to meet; selling or offering your products to Colorado residents is probably enough.

As to the two threshold criteria, what does it mean to collect or process personal data? “Processing” basically means handling personal data in any way, from performing analytics to simply storing the data. “Personal data” is any information that is “linked or reasonably linkable to an identified or identifiable individual.” Clearly this includes data such as names and email addresses, but it also encompasses a wide range of online data such as IP addresses and unique identifiers. Essentially, each unique visitor to your business’s website should count toward these totals.

The second threshold (25,000 consumers + sale of data) is unique to the CPA and has the potential to apply to more businesses than either the CCPA or CDPA. “Sale” is defined as any exchange of personal data for monetary or other valuable consideration. The “or other valuable consideration” component is taken from the CCPA, and as with the CCPA, it is vague and open to interpretation. However, this section of the law strongly suggests that a discount on products or services is considered valuable consideration, possibly qualifying many disclosures of personal data as sales. For example, if a business uses free cloud-based software and enters consumers’ personal data into that program, that could be considered a discount; unless the exchange of data falls under one of the exceptions to the definition of selling, it may be a sale of personal data. Because the annual 25,000-consumer total can be met by having just over 2,000 unique website visitors per month, many businesses may be pulled into the CPA’s jurisdiction via this threshold.

Exemptions

The CPA contains a number of exemptions, so that even if a business meets the definition above, some or all of its data processing may not be covered by the law. These exemptions include:

  • Data processed by covered entities and business associates in compliance with HIPAA
  • Data related to a consumer’s creditworthiness, character, reputation, etc., that is regulated by the Fair Credit Reporting Act
  • Financial institutions that are subject to the Gramm-Leach-Bliley Act
  • Data that is regulated by the Children’s Online Privacy Protection Act
  • Data maintained by a state institution of higher learning, provided it is used for noncommercial purposes

One important and somewhat unusual feature of the CPA is that it does not have a blanket exemption for nonprofit organizations.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.