In June 2021, the Colorado lawmakers enacted SB21-190, the Colorado Privacy Act (CPA).  

The CPA is expected to be signed into law within 30 days, making Colorado the third state to adopt comprehensive privacy legislation. (Other states with new consumer privacy laws include Virginia and California.) 

Companies that conduct business in Colorado, or provide products or services intentionally targeted to residents of Colorado, will need to comply with the CPA by July 2023.

Although the CPA was modeled after Virginia’s Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA), it contains notable differences. The variation among these laws and the fast-changing nature of regulatory standards will make it tough for organizations to keep up. 

Unlike the European Union, the U.S. lacks a federal law for consumer privacy. Without a unified approach to data security, the U.S. is advancing toward a fractured, state-by-state regulatory landscape that has already created challenges for enterprises. 

To prepare for CPA compliance, you’ll need a readiness program to meet its unique provisions and to integrate with your existing business operations. Read on to learn more about how the CPA might affect your business, and how you can become CPA-compliant. 

The Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) is a new law that organizations must comply with or face hefty fines and erosion of consumer trust. 

The CPA applies to organizations that conduct business in Colorado; or provide products or services targeted to residents of Colorado that either:

  1. Control or process the personal data of 100,000 or more Colorado residents annually. 
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents

Personal data” is broadly defined as information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. 

The CPA provides the following rights to Colorado consumers:

  • The right to receive a copy of the personal data the business is processing. 
  • The right to know what data is collected, and the processing and sharing activities.
  • The right to correct any inaccurate personal data.
  • The right to delete personal data.
  • The right to opt out of processing of personal data (for targeted advertising, profiling, and sale).
  • An appeals process for refusal of any rights. 

Organizations must also assure they operate from common privacy principles including purpose specification, data minimization, purpose limitation and duty of care. 

Exemptions from the CPA include:

  • Data collected by healthcare entities as well as health data, such as protected health information (PHI) under the Healthcare Insurance Portability and Accountability Act (HIPAA), patient-identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research.  
  • Personal data collected for the purposes of the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA).
  • Data maintained for employment records and purposes. 

Non-exempt organizations’ legal obligations will depend on their role as either a “controller” or a “processor.” A controller determines (alone or jointly with others) the purposes for and means of processing personal data. Processors, in contrast, process personal data on behalf of a controller. 

While controllers bear most of the responsibilities for CPA compliance, processors are obligated to assist controllers with their compliance effort, including:  

  • Helping controllers respond to consumers’ requests to exercise their rights;
  • Providing assistance relating to the security of processing personal data and breach notifications; 
  • Providing information to allow controllers to conduct and document data protection assessments (DPA), and allow for audits by the controller.

For the processor to process the controller’s personal data, the law requires controllers and processors to enter into a written contract with certain provisions that emulate the requirements under Article 28 of the GDPR

The Colorado attorney general’s office and state district attorneys will enforce the CPA. The act provides for civil penalties of up to $2,000 per violation, not to exceed $500,000 in total for any related series of violations. 

A right to “cure” within the CPA requires the attorney general or district attorneys to notify a business of an alleged violation and to give the business 60 days to rectify it. This provision  expires on Jan. 1, 2025. After that, controllers will no longer be entitled to fix the violation prior to attorney general action. 

The Other Colorado Law: HB 18-1128

The Colorado Protections for Consumer Data Privacy law, also known as HB 18-1128, has been in effect since 2018. It is part of the Colorado Consumer Protection Act (CCPA) in a continued effort to protect personal data

HB 18-1128 specifies what kind of personal data companies must track regarding Colorado residents. It defines Personal Identifiable Information (PII) for Colorado residents as a first and last name, with any one or more of these other PII:

  • Social Security Number
  • Student, Military, or Passport ID number
  • Driver’s License Number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Username or email address with password and/or security questions and answers
  • Credit card number with PIN/access code/password

This law requires organizations to implement reasonable controls and safeguards to protect PII. Organizations must also notify Colorado residents within 30 days of the discovery of a data breach where their PII was involved. 

Together, HB 18-1128 and the CPA illustrate the importance to Colorado of data privacy and security.

Other Privacy Laws to Consider


The California Consumer Privacy Act (CCPA) is the U.S.’s strictest and most comprehensive data privacy law. It has the broadest definition of “personal information” of any law in effect, including the EU’s General Data Protection Regulation

Under the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (resident) or household.”

The CCPA aims to prevent the sharing or sale of California residents’ personal information without their permission, including conventional types of personal data like name, telephone number, and Social Security number. The law also considers a person’s browsing and search history, geolocation data, biometrics, and other types of information that has not been de-identified. 


The EU’s General Data Protection Regulation (GDPR) aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. 

The CCPA and GDPR were the first laws of their kind in the United States and EU, respectively. Both require organizations that collect data to disclose to the owners of that information what data they have and what the organizations intend to do with that data. 


Effective in January 2023, the Virginia Consumer Data Protection Act (CDPA) applies to businesses that control or process personal information of at least 100,000 consumers (Virginia residents) or businesses that control or process the data of at least 25,000 consumers and make 50 percent or more of their gross revenue from the sale of personal data

How ZenGRC can help 

Organizations that are already subject to the California Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act (CDPA), and the EU’s General Data Protection Regulation (GDPR) will have an advantage in preparing for the CPA

That said, the environment will only get more challenging for businesses that operate in multiple jurisdictions, as more states pass consumer data protection legislation and businesses must navigate more regulation. 

But preparing your organization to meet the oncoming compliance challenges doesn’t have to be difficult. 

To prepare for CPA compliance, organizations doing business in Colorado should start evaluating what procedures to put in place over the next two years to be CPA compliant by 2023.

The first step is finding a GRC software that can help. 

ZenGRC from Reciprocity can help you streamline your compliance efforts across frameworks, shrinking your workload to fit on color-coded, user-friendly dashboards with checklists designed to make compliance simple. 

ZenGRC cross-checks your compliance efforts against the requirements of more than a dozen other regulatory frameworks including the CCPA, GDPR, CDPA, HIPAA, FedRAMP, and NIST so you can avoid time-wasting overlap of efforts. 

It even allows you to self-audit in a few clicks and gathers and stores compliance documentation in a single source of truth repositories. And should any changes to the laws occur, ZenGRC will update its algorithms and checklists automatically so you don’t have to. 

The result is simple, streamlined, and automated GRC management that’s worry-free for CPA, CCPA, CDPA, and GDPR — and many other regulatory and compliance frameworks. 

To learn more, sign up for a demo today and prepare your organization to be CPA compliant by 2023.