Skip to content

Colorado is the third state, after California and Virginia, to get a comprehensive data privacy statute through its legislature. While the Colorado Privacy Act (CPA) awaits signature by Governor Polis, businesses are assessing to what extent the CPA will impact their privacy programs.

The following provides a high-level cross-reference to help companies that are currently compliant with the European GDPR understand how the CPA compares and contrasts with that regulation:

Issue  Compliance Obligation GDPR Colorado Privacy Act
Ability to Process Data Permissible Purpose

(Must obtain consent to process sensitive data)

Data Minimization

(May only collect minimum data necessary)

Individual Rights Right to be Informed (aka Notice to Data Subjects)
Right to Access
Right to Correction (aka Right to Rectification)
Right to Deletion (aka Right to Be Forgotten)
Right to Opt-Out of Behavioral Advertising

(as part of larger right to object to legitimate interest or withdraw consent)

Right to Opt-Out of Sale

(as part of larger right to object to legitimate interest or withdraw consent)

Right to Object to Use of Sensitive Information

 

(While consent is required for special category processing, no express right to withdraw consent).

Right to Nondiscrimination

(as part of larger right to withdraw consent)

Financial Incentive Disclosure
Accountability & Governance Documentation and Recordkeeping
Privacy Risk Assessment
Security Appropriate Data Security to Safeguard Information
Breach Notification

(Via related statute)

Transfers to Third Parties Contractual Requirements in Service Provider Agreements