
What the Colorado Privacy Act Means for Your Brand


With the passing of the Colorado Privacy Act, or CPA, Colorado becomes the third state in the country to enact digital privacy legislation following the sweeping European data privacy reforms of the GDPR. Additionally, more than 20 states have introduced data privacy bills for debate. It’s important to understand the Colorado law in the context of the others to ensure your brand is compliant and avoids any legal trouble.


For Context

Following Virginia and California, Colorado enacted similar legislation with a few key differences. Taken from the law itself, the three primary components of the data security laws are:

1. Colorado requires certain persons and entities that maintain personal identifying information (PII) in paper or electronic form to establish written policies governing the disposal of PII.

2. Colorado law requires certain persons and entities to take reasonable steps to protect PII.

3. The law requires notification of security breaches affecting personal information (PI), which includes detailed notice to Colorado residents and, in certain circumstances, notice to the Attorney General.

What this means specifically for your brand requires a closer look, of course. This law covers “any company that either collects personal data from 100,000 Colorado residents or collects data from 25,000 Colorado residents and derives some portion of their revenue from sales,” according to the Colorado Attorney General. Essentially, larger nonprofits and any company doing business with 25k+ Coloradans are affected.

The fines levied against any organization that violates the CPA range from $2,000 for a single violation to up to $500,000, so staying within the parameters is definitely in your best interest.


How to Comply

If your business already follows the regulations set forth in the European GDPR and California’s CCPA, there’s not much you need to change, though the CPA adds cookie, browser, and device data to the list of personal information. Alvin Glay, our VP of Growth & Strategy, says, “Regardless of what privacy law you’re following, you must have the knowledge and ability to inform the user how and where their data is being used, and the ability to delete their data if they ask you to.”

Europe’s privacy law, as well as the three U.S.-based laws, requires a data protection assessment to understand where your data is being held and what security risks, if any, it may pose to users, your company, or your clients. A template for the assessment can be obtained from the GDPR site.

Glay states, “If you aren’t set up for the various privacy laws, do it. It’s always best to get ahead of any potential security or privacy issues. Ensure your privacy policy is up to date, your users’ personally identifiable information is stored securely, and make a plan to act on delete requests when you receive them.”


Protecting Users, Protecting Your Brand

Though the patchwork of privacy legislation in the United States may seem difficult to follow and harder to comply with, there are resources to help. Until there’s federal privacy legislation, it will be up to individual companies to navigate the legality of doing business online, though a quick Google search can lead you to a CPA compliance checklist to ensure you’re within the law. Additionally, companies well-versed in first-party data like Response Media can shoulder some of the burden of compliance in gathering, storing, and protecting user data.

The full text of the CPA can be found at the office of the Colorado Attorney General.