What is CPA?

The Colorado Privacy Act (CPA), in effect since July 1, 2023, is a significant development for businesses managing personal data in Colorado. It gives individuals the power to opt out of targeted advertising and data trading.

Where does the CPA apply to?

The Colorado Privacy Act (CPA) applies to businesses operating in Colorado that target residents and process personal data of more than 100,000 individuals annually or generate revenue or discounts from selling the personal data of 25,000 or more individuals. However, businesses covered by HIPAA, the Gramm-Leach-Bliley Act, or FERPA are exempt from the CPA.

graphic of a white magnifying glass against a blue background

What Are the Possible Reasons for CPA Penalties?

Key violations of the Colorado Privacy Act include: not providing required transparency disclosures to consumers, processing personal data without consent for purposes such as targeted advertising or data sales, and lacking proper security measures to safeguard personal data.

Who is Liable for CPA Penalties?

Businesses must make it easy for consumers to contact them and respond promptly to requests, which can be challenging for smaller organizations without automation. Those involved in digital marketing or e-commerce should consider a consent management platform to securely collect and store consumer consents for compliance and audit purposes.

graphic of a building in white against a blue background
white sheet of paper graphic against a blue background with shield in front of it

What Are the CPA Penalties for
Non-Compliance?

The Colorado Attorney General and District Attorneys have enforcement authority under the CPA. Businesses violating the Colorado Privacy Act can face fines of up to $2,000 per violation, measured per consumer and transaction, with total penalties capped at $500,000.

Get the CPA checklist for Free

Improve the effectiveness of your compliance strategy now.

Download checklist
graphic of a white notepad page against a black background

Frequently Asked Questions

What is considered personal data under Colorado Privacy Act (CPA)?

Personal data under the Colorado Privacy Act (CPA) refers to any information that is linked, or could reasonably be linked, to an identified or identifiable individual. This includes details like names, email addresses, physical addresses, ID numbers, IP addresses, and credit card information. However, the CPA excludes de-identified data, publicly available information, and certain exemptions such as employee data, job applicant information, and data collected for commercial or B2B purposes.

Who is exempt from the Colorado Privacy Act (CPA)?

The Colorado Privacy Act exempts a variety of organizations, including:
- Colorado government bodies
- Airlines
- Public utility organizations
- Higher education institutions
- Consumer reporting agencies
- Entities processing de-identified personal data
- Entities handling data for Colorado health insurance law or employment records

Personal data regulated by other state and federal laws is also exempt, such as organizations covered by:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)

However, non-profits and charitable organizations are not exempt from the CPA.

Who is the regulatory authority for Colorado Privacy Act (CPA)?

The Colorado Attorney General (AG) and District Attorneys have exclusive enforcement authority over the CPA. If a potential violation occurs, the AG's office will issue a notice to the business, allowing 60 days from the notice to address and correct the violation.4o

How to make my business compliant with the CPA?

To assure CPA compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is designed specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, verifying your store meets CPA requirements without hassle.

Is your site compliant?