top of page

The Colorado Privacy Act: Everything You Need to Know

Updated: Jun 7, 2023

Sean Hansen | HR Compliance Coordinator


The Colorado Privacy Act: Everything you need to know as an employer.

Colorado Privacy Act - Vida HR

With technology rapidly evolving, a key concern of the 21st century has been privacy. Never before has personal information been collected on such a mass scale, and Colorado is putting its foot down. Effective July 1st, 2023, The Colorado Privacy Act (CPA) goes into effect, putting new restrictions on the collection, protection, and sale of personal data. With more states starting to pass privacy legislation, The CPA provides a precedent on what laws may be passed in the near future.

The Fundamental Right to Privacy

The Colorado Privacy Act attempts to address three key components related to privacy, as laid out in the act:

  • It provides consumers the right to access, correct, and delete personal data, as well as the right to opt out of both the sale and collection of personal data.

  • It sets out to impose an obligation on companies to safeguard personal data, to provide clear information about how that data is used, and to require data protection assessments.

  • The act empowers the attorney general and district attorneys to access and evaluate said protection assessments, as well as bring penalties to companies that violate the act.

The Applicability Test

But who does this apply to? As laid out in the CPA, a ‘controller’ is defined as a person or business, whether alone or jointly with others, that determines the purposes for and means of processing personal data. An example of a business that would be considered a controller of data would be retailers, such as Walmart or Target, because they collect consumer data when they make purchases and determine how it is used.


A controller is held responsible under the CPA if they meet two requirements.

They have to conduct business in Colorado, or at least produce or deliver commercial products and/or services that are intentionally targeted to residents of Colorado.


​They control or process the personal data of 100,000 consumers or more during the calendar year.
They derive revenue (or receive a discount on the price of goods and services) from the sale of personal data, and they also process/control the personal data of 25,000 consumers or more.

However, as always, there are multiple exceptions to these requirements including protected health information that is collected, stored, and processed by a covered entity or its business associates. An important exception is that any employee records that are related to the hiring, firing, or promotion of employees is not controlled by the CPA. Similarly, information and documents created by a covered entity for the purposes of complying with HIPPA is also not under the control of the CPA. There is also an exception of activity involving personal data in regard to a consumer’s credit standing.

Permission Granted

No Dark Patterns*

A dark pattern refers to a user interface tactic that intentionally confuses or tricks consumers into giving consent by manipulating design elements and language, compromising their ability to make informed decisions or opt in or out freely, such as automatically checking consent boxes by default.

1. Clear and Deliberate Action

Consent should be given in a way that is obvious and intentional, either through clear actions or a statement that clearly shows agreement. It should not be assumed or automatically given through pre-selected options or terms and conditions that require the consumer to opt out.

2. Freely Given

Consumers can say no to giving consent without any negative effects, and they can change their mind and withdraw consent at any time. However, consent cannot be forced as a requirement for accessing basic goods or services, and it should not be hidden within general terms and conditions that don't give the option to refuse consent.

3. Consent Must Be Specific

If personal data is used for multiple purposes or shared with different parties, consumers have the right to give separate consent for each individual purpose or recipient, and consent to one purpose or party does not automatically imply consent to others.

4. Consent Must Be Informed

The controller must give clear and straightforward information to the consumer, including who they are, why consent is needed, what the data will be used for, who else might receive the data, how the consumer can withdraw consent, and any other required disclosures under the Colorado Privacy Act.

5. Unambiguous Agreement

Children: In the case of children, who are defined as those under thirteen, the controller must make reasonable efforts to get approval from a parent or legal guardian, and any personal information collected for verifying the parent's identity cannot be used for any other purpose. Non-Children: Controllers can ask for consent directly from fourteen-year-olds without parental permission.

What does this mean for consumers in the state of Colorado? The years of companies taking your personal data without your knowledge is over! Controllers under the CPA will now be required to obtain consumer consent in order to process your sensitive data, or any data if the consumer is under thirteen, in which a parent must consent. They also cannot sell your data, or process it for targeted advertising or profiling, without your permission. Note however, if they obtained valid consent before July 1st, 2023 (the date this law goes into effect), they can continue to use it so long as it complies with the CPA rules.

Before we get to the definition of valid consent, we need to define another term: ‘Dark Pattern’.

*A dark pattern is a user interface designed or manipulated with the effect of subverting or imparting user autonomy or decision-making. In other words, the consent is designed to confuse the consumer into giving consent or to trick them into giving consent by using language that doesn’t clearly allow the consumer to opt in or out. An example of a dark pattern is when the consent is automatically checked as the default which requires consumer action to opt out.

Even if the consent meets every other requirement in the book, if it was obtained through a dark pattern, it is not valid. So what exactly do these lawmakers mean when they say ‘valid consent’? We’ll have to break it down, since multiple points make up valid consent.

As a general overview, consent requires five things to be considered valid:

  1. obtained through clear, deliberate action (yes, I am choosing my own destiny);

  2. freely given by the consumer (yes, I give consent – no arm twisting);

  3. the consent is specific (what you’re giving consent for);

  4. the consent is informed (why is consent needed); and,

  5. it must reflect the consumer’s unambiguous agreement (no hidden text or dark patterns).

1. That’s a lot to unpack so let’s dive deeper, starting with ‘clear, deliberate action.’ This means the consent is communicated through deliberate and clear conduct, or a statement that clearly indicated their acceptance. A blanket acceptance, such as a terms and conditions agreement, pre-ticked boxes, or other constructions that require the consumer to prevent the agreement are NOT clear deliberate actions.

2. Next, ‘freely given’ means a consumer has the option to refuse consent without detriment, as well as being able to withdraw consent at any time. This means it is not valid consent if whatever good or service they are purchasing is hampered by not consenting, or if some goods or services are denied to those who choose to not consent. The only exception to this rule is if for some reason those goods and services require said data in order to be provided to the consumer. Doubling down on the affirmative action section, consent is not considered freely given if the agreement is rolled into a general acceptance of terms and conditions or other construction that do not allow the user to also withhold consent.

3. Moving on to ‘consent must be specific’. If the data being processed is used for more than one processing purpose, and those processes are not reasonably necessary or compatible with one another, consumers have to the ability to consent to each process separately. Similarly, consent to selling data to one party does not constitute selling to any other party. If there are different processes, or different parties the data is being sold to, the consumer needs to be able to consent to each separately.

4. Next on the list is ‘consent must be informed’, which might sound familiar to those in the science world, or at least anyone who took one semester of a psychology course. The controller has to provide their identity, the reason the consent is required (plain language- no jargon!), the processing purposes for which the consent is sought, the categories of personal data the controller will process, the third parties that will receive data through sale (if applicable), a description of the consumer’s right to withdraw consent, and any other disclosures required through the CPA.

5. Finally, ‘unambiguous agreement’, we already covered. Consent cannot be obtained through malicious means (aka Dark Patterns). There’s another layer to all this: children. Parents and legal guardians, be warned, the CPA defines a child as anyone under thirteen. While those newly turned fourteen year olds may like the sound of being treated as an adult, parents should know that means controllers can get consent from them without your permission. When a controller is seeking consent from a child, they must make reasonable efforts to obtain verifiable parental consent. Any personal data they collect in order to verify a parent/legal guardian cannot be used by a controller for any other reason other than verifying identity. Consent doesn’t last forever. If the consumer has not interacted with a controller in the past two years, the controller must refresh consent. This is not applicable if the consumer has easy access and the ability to update their opt-out preferences at any time.

Big Brother is Watching You, With Your Permission

The CPA empowers consumers with Data Rights that they can exercise at any time:

Opt-out of your data being processed.
Make any changes or corrections to the data being processed.
Access their own personal data.
Have your data deleted.
Receive access to their data in a portable and easily readable form.

When exercising these rights, the controller is legally obligated to respond to them within 45 days. For any data right request, controllers are required to use authentication methods to confirm the identity of the consumer. They need to avoid requesting more personal data from the consumer in order to authenticate their identity (unless they do not have sufficient personal data to do so already).

It’s important to note that whenever a controller sends out any sort of privacy notice or agreement, they have to inform you of these rights, as well as specific methods for you to exercise these rights if you so choose.

Although these rights are pretty simple, there is another layer intertwined with the right to opt-out: profiling. Controllers are required to provide transparent information about how consumer’s data is used for profiling. Consumers are allowed to opt out to profiling when it is done to further a decision that affects the provision of financial/lending services, housing, insurance, education, criminal justice, employment, health-care services, or access to goods and services.

Controllers have to be clear about what decisions are subject to profiling, as well as what categories of personal data are used in the part of profiling. This also must include plain language on the logic used in the process, and how profiling is used in the decision making process. They also need to inform the consumer if the system has been evaluated for accuracy, fairness, or bias, and if so, the results of that evaluation. Finally, they also need to provide the benefits and potential consequences of decisions based on profiling, and provide the consumer information on how they may opt-out.

Under Lock and Key

Under their obligation to implement security measures for personal data, controllers are also required to conduct data protection assessments (DPAs). A DPA has to be a genuine, thoughtful analysis of each data processing activity that presents a heightened risk of harm to a consumer. DPAs must identify and describe the risks to the rights of the consumers, document measures considered and taken to address the risks, contemplates the benefits gained by processing, and demonstrably shows the benefits outweigh the risks. This requirement is not retroactive, meaning it only must be conducted for activities created or generated after July 1st, 2023.


The Colorado Privacy Act is bold legislation that puts a lot of much needed control over the controllers. However, because of that, as well as the very complicated nature of personal data, it can be difficult to understand. This article can’t cover every requirement and exemption listed, but we hope it provided a grand scale overview of what this act entails. If you feel your company may fall under the CPA, please consult your Vida HR Business Partner, or an HR professional, about how the CPA will affect you. Stick around for next month’s newsletter, where we’ll dive more into what obligations controllers have under the CPA.


bottom of page