By: Roz Maiorino, MD, JD

Edited by: Reza Ghafoorian, MD, JD

November 1, 2019

Colorado Consumer Privacy Act (CO CPA) (Colorado Revised Statutes ,“C.RS §6-1), which went into effect on September 1, 2018, was considered among the most demanding in the nation.  However, California Consumer Privacy Act (CaliCPA), which will go into effect on January 1, 2020, seems to surpass the CO CPA and is considered one of the strictest data privacy and digital consumer rights laws within the US borders.  CaliCPA practically brings the European Union’s General Data Protection Regulation (GDPR) laws into U.S. legislation, setting the stage for a new era in digital regulation.

In the age of technology and cross boarder commerce, California Privacy law, similar to Colorado Privacy law extends beyond the state boarders. This article will review each of the Colorado and the new California Privacy laws. It is important to note that the official language of the CaliCPA may change up until the first of the year, because, measures signed by the California Governor are subject to edits before the effective date of January 1, 2020.


To whom does the law apply:

  • Any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents in the course of its business, vocation, or occupation.[ii] ;
  • Whether it’s a small company of one person or a Fortune 500 company, as long as the customer is located in Colorado, the company must comply with CO CPA.  There are no exemptions in CO CPA for non-profit organizations.  The key application of CO CPA is whether you have customers located within the state of Colorado.[iii] ; and,
  • Although covered entities under Health Insurance Portability and Accountability Act of 1996 (“HIPAA Covered Entities”) are to a large extent exempt from the data disposal and security procedures requirements[iv], HIPAA Covered Entities are not exempt from the notification requirements under CO CPA.[v]

Definition of Personal Identity Information (“PII”):

In Colorado, PII is defined under part 3 of article 90 of title 7 of the C.R.S.[vi] .  Accordingly, under CO CPA, PII includes the first name or first initial and last name of a Colorado resident in combination with any one or more of the following data elements:

  • Social security number;
  • Student, military, or passport identification number;
  • Driver’s license number or identification card number;
  • Medical information;
  • Health insurance identification number;
  • Biometric data;
  • Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account; or,
  • Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

CO CPA requires notification to affected Colorado residents in case of breach of PII. 

What does the law require?

  • The law requires that covered entities or persons must have written policies governing the disposal of both paper and electronic records containing PII.[vii] .
  • The law requires covered entities and persons to take reasonable steps to protect PII.[viii]  
  • In the event of a breach of unsecured/secured PII, the law requires detailed notice to consumers and, in certain circumstances, notice to the Attorney General.[ix]

What is the effective date of the law?

Colorado Privacy law went into effect September 1, 2018.


To whom does the law apply:

  • CaliCPA applies to all entities that collect personal information about California residents, do business in the state[x], and meet certain size thresholds.[xi]  
  • CaliCPA threshold requirements: The law applies to for-profit companies that do business in California and meet one or more of the following criteria:  (1) have more than $25 million in annual gross revenue, adjusted for inflation;  (2) annually buy, receive for commercial purpose, sell or share the personal information of 50,000 or more consumers, households or devices; or, (3) derive 50% or more of their annual revenue from selling consumers’ personal information.[xii]
  • CaliCPA only applies to “businesses,” which are defined by the CaliCPA to include legal entities, like corporations, limited liability companies, and partnerships, that are “organized or operated for the profit or financial benefit of their shareholders or other owners.” The Act exempts nonprofit health care entities (e.g., nonprofit hospitals).[xiii]
  • CaliCPA further provides an exemption for Health Data.[xiv]  For Health Data to be exempted under the CaliCPA the following two factors must apply: (1) the organization collecting the Health Data must be a “covered entity” or “business associate” as defined in Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); and, (2) the information collected must be PHI as defined by HIPAA.
  • Information that does not meet the definition of PHI as described by HIPAA, or PHI which is collected by non-covered entity or business organization will need to comply with CCPA. It is less clear if the HIPAA exemption covers a health care provider’s marketing data, data from mobile apps, or, customer service or call center data that is not also PHI.

Definition of Personal Information:

Personal information defined as “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[xv]  

The definition of “personal information” in CaliCPA includes, but it not limited to:

  • Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement;
  • Geolocation data;
  • Biometric information;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and,
  • Education information.

What does the law require?

(1) Opt-out. The right to opt out[xvi]  gives consumers the ability to direct a business not to sell their personal information to a third party. The election to opt-out by a consumer must last a period of at least 12 months, after which period the company can request the customer to reconsider their choice. Companies will be expected to have a “clear and conspicuous” link on their web sites titled “Do Not Sell My Personal Information.”[xvii]

(2) Access.  Users have the right to request that businesses disclose to them the following: (a) What information has been collected; (b) The sources from which that data was collected; (c) The business purposes for collection; (d) Whether that information is sold, and for what business purpose; and, (e) The third-party recipients of the data.  Companies are required to provide information in a readily useable format.[xviii] 

(3) Notice. Companies must include in their privacy policy customers’ rights under the statute, and the categories of personal information collected, disclosed, or sold to third parties.  This notice must be updated annually.[xix] 

(4) Deletion. Unless an exception applies, if a customer requests deletion of their data, the company must comply.  In addition, the company must direct third parties to delete the customer’s data.[xx] 

(5) Nondiscrimination. CaliCPA requires that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the title.”[xxi] ( According to the statute, discriminatory actions include, but are not limited to: (a) Denying goods or services; (b) Charging differential prices (including through the use of discounts, penalties, or price benefits); (c) Offering a different quality of goods or services to those who exercise their rights than those who do not; and, (e) Suggesting that the consumer will receive differential prices or qualities in the event that they exercise their rights.

What is the effective date of the law?

The changes are effective as of January 1, 2020.


[i] Amendments to the CaliCPA, in the form of Senate Bill 1121, were passed on September 13, 2018. The CCPA becomes effective on January 1, 2020.

[ii] Colo. Rev. Stat. §6-1-102(6)

[iii] Colo. Rev. Stat. §6-1-105

[iv] Colo. Rev. Stat. §6-1-715

[v] C.R.S. §6-1-716

[vi] Specifically, see §7-90-306(5)

[vii] C.R.S. §6-1-713, and C.R.S. §24-73-101

[viii] See C.R.S. §6-1-713.5, for a person or commercial entity; or see C.R.S. §24-73-102, for governmental entities

[ix] See C.R.S. §6-1-716. The law also imposes security breach notification requirements for governmental entities. See C.R.S. §24-73- 103

[x] CA follows the Model Business Corporation Act which defines “Conducting Business” in California and exceptions to the definition 

[xi] TITLE 1.81.5. California Consumer Privacy Act of 2018. Cal.Civ.Code §1798.100 – 1798.199

[xii] Cal.Civ.Code §1798.140

[xiii] Cali.Civ.Code. § 1798.140

[xiv] Cal. Civ. Code §1798.145(c)(1)(A)

[xv] Cal.Civ.Code§1798.140(o)

[xvi] Cal.Civ.Code§1798.120

[xvii] Cal.Civ.Code§1798.135

[xviii] Cal.Civ.Code §1798.100

[xix] Cal.Civ.Code §1798.110

[xx] Cal.Civ.Code§1798.105

[xxi] Cal.Civ Code § 1798.125