Colorado Privacy Act (CPA) Incident Response Guidelines

What you need to know to prepare your organization for Colorado’s new privacy regulation

Colorado’s comprehensive privacy legislation, known as the Colorado Privacy Act (CPA), passed into law on July 8, 2021 and will go into effect July 1, 2023. CPA will give Colorado residents the rights to access, correct, and delete any personal data businesses have collected on them, to obtain a readily usable copy of that data, and to opt out of having their personal data processed.

Compliance with Colorado’s new legislation will be critical, as organizations that fail to comply can be fined up to $20,000 per violation.

Automate CPA obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Request Demo

Who Must Comply with CPA

CPA applies to any organization that conducts business in Colorado or intentionally targets Colorado residents with commercial products or services, and does one of the following:

Controls or processes personal data of at least 100,000 consumers during a calendar year
Drives revenue or receives a discount on goods or services from selling personal data and processes or controls personal data of at least 25,000 consumers

How does CPA get enforced?

The Colorado Attorney General and state district attorneys are responsible for enforcing CPA. Starting in 2023, either can issue a notice to any companies they find in violation of the law.

Why comply with CPA?

Organizations will have 60 days to cure a violation from 2023-2025. A failure to cure the violation (or if any violation occurs after the right to cure goes away in 2025) can result in a fine of up to $20,000.

What data protection does CPA require?

CPA requires organizations to properly secure any data they collect about consumers, noting that security protocols should be “appropriate to the volume, scope, and nature of the personal data processed.”

What types of data are covered under CPA?

Social security numbers
Student, military, or passport ID numbers
Driver’s license or identification card numbers
Health insurance identification numbers

Medical information
Biometric data
Username or email address in combination with a password or security question and answer
Account numbers or credit card numbers in combination with any required security code

What Incident Response Measures are Required in Colorado?

Organizations must investigate any potential data breach and issue a notice about the incident within 30 days if they find that any personal information was exposed.

The notice should go to all affected Colorado residents in either written, telephone, or electronic form and must include the following information:

Date, estimated date, or estimated date range of the breach
Description of the personal information compromised in the breach
Information to contact the organization with any questions about the breach
A note that customers can get information from the Federal Trade Commission (FTC) and credit reporting agencies about fraud alerts and security freezes, plus toll-free numbers, addresses, and websites to contact those agencies

A handful of special circumstances with additional requirements also exist:

If the incident compromised username or email in combination with a password or security question and answer	Direct users to protect their accounts, for example by changing passwords
If the incident affected more than 500 Colorado residents	Notify the state attorney general, sharing contact information; dates of the breach, investigation, and notice to residents; number of Colorado residents affected; total number of individuals affected; and a copy of the notice to consumers
If the incident affected more than 1,000 Colorado residents	Notify national consumer reporting agencies, sharing the date on which consumers will be notified and the approximate number of people who will receive the notification

Finally, Colorado allows for a substitute notice if the cost of providing a notice will exceed $250,000, if the number of Colorado residents affected is more than 250,000, or if the organization doesn’t have sufficient contact information to provide notice. In these cases, organizations can:

Notify affected individuals via email, if they have the appropriate contact information
Post a notice conspicuously on their website
Share a notification with major statewide media outlets

Examples of Privacy Incidents Under CPA

Various situations can create a privacy incident that requires notification under CPA, from a cyberattack to improper usage or accidental data loss by organizations. Examples of commonly encountered incidents that will trigger a response include:

Watering Hole Attack

Watering hole attacks are a type of social engineering that profiles a target victim, identifies websites they are likely to visit, and infects those websites to gain access to the victims’ computers or network. These cyber attacks are difficult to detect and typically target highly secure organizations by preying on the behavior of individual employees.

Mistakenly Exposed Data

Common examples of mistakenly exposed data are sharing private information over an unencrypted channel like email or accidentally responding to a consumer’s request for information with details about someone else instead. Even if these are innocent mistakes, they still expose private data and can lead to serious risks.

Improperly Processed or Sold Data

Continuing to process or sell data after consumers have opted out (a right granted to them under CPA) creates a privacy incident that requires notification. This is true regardless of whether the activities happened by accident or on purpose since it’s a failure to comply with consumers exercising their right to opt out of data-related activities.

Proactively Preparing for Incident Response Under CPA

Colorado is among the most recent states to enact comprehensive privacy legislation, and it won’t be the last. As privacy legislation continues to evolve, understanding the nuances of each law will be critical for maintaining compliance and reducing the costs associated with a breach.

Achieving this goal requires proactive incident and breach response that allows organizations to jump into recovery mode quickly and confidently by keeping track of regulations, putting response plans in place, assigning responsibility, and regularly revisiting all of those measures as regulations and organizational policies change.