Request a Demo

How Your Business Can Prepare for Colorado’s CPA

The next article in this series is about the Colorado Privacy Act (CPA). This law will go into effect on July 1, 2023. Although your business may have already been preparing for CPRA and CDPA compliance, here are the unique provisions of CPA you need to be aware of.


This is the third article in Ethyca’s blog post series for businesses that need to comply with the new privacy laws in 2023. The next law we’ll discuss is the Colorado Privacy Act (CPA). CPA will go into effect on July 1, 2023. Although this act will be enacted half a year after California’s CPRA and Virginia’s CDPA, it’s important for businesses to start preparing in the coming months. 

This article will go over the provisions of CPA, briefly compare it with California’s and Virginia’s state privacy laws, and show how your business can use Ethyca to get ready for compliance next year.

Does CPA Apply to Your Business?

According to this the Colorado Privacy Act, business entities will need to comply with CPA if their products or services target Colorado residents and:

  • Control or process the personal data of 100,000 or more customers in a year
  • Control or process the personal data of 25,000 or more customers in a year and generate revenue or receive discounts from selling personal data. 

Like Virginia’s CDPA privacy law, CPA does not use a revenue threshold to determine which businesses are subject to the law. A unique aspect of the CPA is that it does not exempt nonprofits from privacy obligations. Thus, nonprofits operating nationwide in the US will find that the CPA is the first state data privacy law that they’ll need to prepare for.

If your business falls under either of these categories, it must provide specific guardrails to protect Coloradans’ data privacy. We’ll go over important provisions your company needs to consider now.

What’s Included in the Colorado Privacy Act?

Online Privacy Policies

Like with CPRA and CDPA, CPA states that businesses must provide consumers with privacy policies online. These policies must be a “reasonably accessible, clear and meaningful privacy notice.” They should include information about what data is collected or processed, if the business is selling or sharing personal data, and how.

Required Explicit Consent for Sensitive Data

CPA is primarily based on an opt-out model, meaning companies don’t need to obtain user consent before processing most personal information from consumers. However, data that is considered “sensitive data” does require consent from consumers to collect and process. 

“Sensitive data” is defined as the “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data.” These restrictions are similar to what’s found in CPRA. 

CPA states that user consent must be “affirmative, freely given, informed, and unambiguous.” Under this law, obtaining consent does not include “accepting general or broad terms of use, using dark patterns, hovering over, pausing, or closing consent.” CPA requires businesses to create opt-in mechanisms that align with these restrictions.

As a whole, Colorado requires specific data categories to be opt-in and others to be opt-out. These hybrid consent models can yield some confusion for businesses in both frontend design consideration and backend technical implementation. Fortunately, an Ethyca Privacy Center is a suitable way for businesses to have granular control over managing Coloradans’ consent preferences. 

Universal Opt-Out Mechanism

Like with CPRA and CDPA, Coloradans will have the right to access, delete, correct, and data portability. Similarly, consumers will also have the right to opt out of businesses processing their personal data for selling, targeting advertising, and certain types of profiling. 

California’s and Virginia’s privacy law also allows consumers to opt out of data processing. What’s unique to Colorado, however, is the universal opt-out mechanism. Businesses will need to implement the universal opt-out mechanism on their websites in 2024.

CPA defines a universal opt-out mechanism as a way for consumers to manage their consent preferences on a website. Although specific requirements over the mechanism’s design have not been decided on yet, they must be user-friendly and let users easily select their preferences.

Colorado residents are still submitting ideas for the universal opt-out mechanism. By July 1, 2023, the Colorado Attorney General must adopt these standards. All businesses must honor the universal opt-out mechanism on their websites by July 1, 2024.

Data Protection Impact Assessments

The Colorado Protection Act requires businesses to submit Data Protection Impact Assessments (DPIAs) for any data processing that could pose a heightened risk of harm to consumers. Details on what constitutes “risk of harm” are still being decided upon in the law’s rulemaking process.

How Ethyca Can Help Your Business Comply With CPA

It can be challenging to keep track of so many different state privacy laws. Luckily, Ethyca can enhance your company’s privacy practices to stay compliant no matter where you do business.

To prepare for the new regulations coming in 2023, Ethyca will make updates to the Consent Management experience for your users. Your business will be able to classify the data you collect under different data categories. Ethyca’s Consent Management Platform will also allow consumers to take control over their opt in or opt out preferences. Additionally, your business will be able to store users’ consent preferences for reporting and auditing. 

Your company also has the option of using the Fides privacy engineering platform. Fides will help your business orchestrate users’ privacy requests. You’ll be able to create a dynamic data map of where all of the PII lives across your business systems in real time. No more dealing with out-of-date data maps! Instead, your business will be able to seamlessly access, delete, and correct user requests on their personal data.


Since the Colorado Privacy Act will be enacted on July 1, 2023, your business will have a bit more time to prepare for this state law. If you’re also preparing for CPRA and CDPR, which will go into effect on January 1, 2023, your business already has a head start getting ready for CPA. To comply with CPA, your business simply needs to build on what it has already prepared for California’s and Virginia’s privacy laws.

Although there are different nuances to be mindful of between state privacy laws, Ethyca can help your company stay compliant throughout the U.S. no matter where you do business.

Ready to get started?

Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!

Request a Demo