What is CPA?

The Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA) serve as models for the Colorado Privacy Act (CPA). The EU's General Data Protection Regulation (GDPR), which imposes "mandated data protection assessments" on data processors, also served as inspiration.

The CPA does have a few significant differences, though.

Non-profit organizations are exempt from data privacy rules in Virginia and California, but not in Colorado. The CPA generally applies to all organizations, for-profit and nonprofit alike, that process or control enough customer data to meet specific thresholds. Unlike Virginia's data privacy statute, Colorado's regulation does not set a revenue threshold.


The CPA's scope is similar to that of the CDPA and CCPA, but there are several important distinctions. A controller is subject to the CPA if it:

  • Conducts business in Colorado, or creates, delivers, or targets Colorado residents with commercial goods or services.
  • Controls or processes the personal information of at least 100,000 customers over a single year.
  • Handles or controls the personal data of at least 25,000 consumers and derives income from the sale of personal data or receives a discount on the cost of products or services.


Unlike its equivalents, the CPA makes district attorneys, as well as the attorney general, responsible for enforcement. Almost every other bill presented to state legislatures this session would have restricted enforcement jurisdiction to the state's attorney general, even though California now has a separate enforcement authority as a result of the CPRA.

Currently, the office must notify the controller after the attorney general or district attorney decides to start a case. After that, the controller has 60 days to correct the infraction. This is a significant extension of the cure period, which is restricted to 30 days in Virginia and California.