Colorado’s final CPA rules are here.

There aren’t too many changes from the track changes version that was published a month ago, but here some key points:

Disclosure and Purpose Specification:

  • Need to notify only for material (not substantial) change in the privacy notice. No longer need to notify 15 days in advance of the change.
  • If the material change rises to the level of a secondary use, you also need consent.
  • Notices are processing and not purpose based.
  • The express purpose must be described in a level of detail that gives consumers a meaningful understanding of how each category of their personal data is used when provided for that processing purpose.
  • When providing disclosures on profiling, you are not required to disclose your trade secrets.


The sale of sensitive data to one specific party is not necessarily compatible with the sale of sensitive data to a different party.


When a consumer has not interacted with a Controller that has obtained consent from a consumer in the prior twenty-four (24) months, the Controller must refresh consent in order to continue processing sensitive data or to process personal data for a secondary use.

Data Protection Assessments

Biggish change regarding the minimum required content for data protection assessments. It has been culled to include only the following:

  1. A short summary of the processing activity.
  2. The categories of personal data to be processed and whether they include sensitive data.
  3. The context of the processing activity, including the relationship between the controller and the consumers whose personal data will be processed and the reasonable expectations of those consumers;
  4. The nature and operational elements of the processing activity. (Consider the type, amount and sensitivity of personal data processed, the impacts that operational elements will have on the level of risk presented by the processing activity and any relevant, unique relationships. Relevant operational elements may include:
    • Sources of personal data
    • Technology or processors to be used
    • Names or categories of personal data recipients, the processing purpose and categorical compliance processes that the controller uses to evaluate that type of recipient
    • Operational details about the processing, including planned processes for personal data collection, use, storage, retention and sharing
    • Specific types of personal data to be processed
  5. The core purposes of the processing activity, as well as other benefits of the processing that may flow, directly and indirectly to the controller, consumer, other expected stakeholders and the public
  6. The sources and nature of risks to the rights of consumers associated with the processing activity posed by the processing activity. A sample list of harms is provided.
  7. Measures and safeguards the controller will employ to reduce the risks identified by the controller. Measures shall include the following, as applicable:
    • The use of de-identified data
    • Measures taken pursuant to the controller duties, including an overview of data security practices the controller has implemented, any data security assessments that have been completed and any measures taken to comply with the consent requirements
    • Measures taken to ensure that consumers have access to rights
  8. A description of how the benefits of the processing outweigh the risks identified, as mitigated by the safeguards identified:
    • Contractual agreements in place to ensure that personal data in the possession of a processor or other third party remains secure
    • Any other practices, policies or trainings intended to mitigate processing risks
  9. If a controller is processing personal data for profiling it needs to meet with additional requirements
  10. If a controller is processing sensitive data pursuant to the exception, the details of the process implemented to ensure that personal data and sensitive data inferences are not transferred and are deleted within twenty-four (24) hours of the personal data processing activity
  11. Relevant internal actors and external parties contributing to the data protection assessment
  12. Any internal or external audit conducted in relation to the data protection assessment, including, the name of the auditor, the names and positions of individuals involved in the review process, and the details of the audit process
  13. Dates the data protection assessment was reviewed and approved, and names, positions and signatures of the individuals responsible for the review and approval