In July 2021, the Colorado Privacy Act (CPA) emerged as a landmark in U.S. Data privacy legislation, and was the first conferring specific rights upon Colorado residents regarding their personal data and imposing stringent obligations on data controllers and processors. It was only the third state to grant comprehensive privacy laws to it's citizens, following California and Virginia.
Yet again, this law made waves as its recent amendments make it the first to include biometric data in its scope.
The Colorado Privacy Act
The Colorado Privacy Act mandates that businesses disclose to consumers the nature and purpose of data collection and processing, alongside mechanisms for individuals to safeguard their privacy.
Initial Provisions
The CPA initially afforded consumers the right to access, correct, and/or delete data held by organizations. It also provided the right to opt-out or opt-in to targeted ads, the sale of sensitive data, and consumer profiling.
The laws initial definition of sensitive data encompassed:
Recent Amendment and its Implications
On April 17th, 2024, Colorado enacted H.B. 1058 which amends the CPA and makes Colorado the first state to extend a privacy law to neural data. More specifically, this bill expanded the scope of sensitive data to include biological and neural data. It defines neural data as generated from the measurement or analysis of an individual’s biological, physiological properties, body or bodily functions.
How does this apply to the advertising industry?
The bill has widespread implications for the use, and accuracy, of AI and technological advancement. There are two ways in which it bears impact upon both media owners and buyers, and the ad industry at large:
It also bears larger implications within the privacy legislation talk tracks. This may include:
Case Studies: CPA In Practice
Innovative Technologies
Apple’s new AirPods aim to measure electrical activity in the brain, transforming them into advanced healthcare devices. These devices could monitor users' physical and mental states, similar to the Apple Watch. Under the CPA, Apple must obtain explicit user consent for collecting and processing neural data, ensure transparency about data usage, and adhere to data minimization principles, collecting only necessary information for specified health monitoring purposes.
Pharmaceutical Applications
A pharmaceutical company might collect neural data to monitor how patients' brains respond to medications, improving treatment efficacy and safety. Under the CPA, these companies must obtain explicit user consent for collecting and processing neural data, ensure transparency about data usage, and adhere to data minimization principles, collecting only necessary information for specified purposes.
Impacts of the CPA
The CPA's influence has already extended to major brands like Google, which has introduced Restricted Data Processing (RDP) and will honor user opt-outs via Global Privacy Controls.
With RDP, Google limits data usage to show only non-personalized ads for these new state laws. This allows Google to act as a data processor instead of a controller for partner data with RDP. Furthermore, it ensures compliance with the CPA and other state data privacy laws, such as in Florida, Texas, Oregon, and Montana, impacting ad targeting efficiency and personalization capabilities.
To comply with the CPA’s universal opt-out mechanism, Google will respect Global Privacy Control signals sent directly from users. This will disable personalized ad targeting, and remarket lists for opted-out users. These changes could impact ad targeting efficiency and personalization capabilities in the future. The key takeaway: Google is taking steps to help its partners comply with increasing data privacy rules, even if it means limiting its own ad targeting.
The Colorado AI Act: Building on the CPA, Colorado introduced the Colorado AI Act, again, the first of its kind in the United States. It is set to take effect in February 2026. This legislation imposes new regulations on developers and deployers of high-risk AI systems, mandating transparency, consumer rights, and measures to prevent algorithmic discrimination. Businesses must inform consumers when AI systems are used and allow complaints regarding inappropriate use.
The Colorado AI Act is similar to the EU AI Act in applying a risk-based approach to regulating AI. However, there also are notable differences, such as the Colorado AI Act’s more limited territorial scope and more extensive requirements for deployers of high-risk AI systems.
CPA Enforcement
The Colorado Attorney General's office enforces the CPA, imposing penalties of $20,000 per offense, up to a maximum of $500,000. Unlike California, Colorado does not provide a private right of action (individuals can’t sue), but treats violations as deceptive trade practices under the Colorado Consumer Protection Act.
Looking Forward: Next Steps
Businesses adhering to California or Virginia privacy laws will find themselves better prepared for CPA compliance, and perhaps legislation of the future. To ensure adherence, businesses must clearly define the data they collect, its sources, and ownership to assess their obligations under the CPA, California Privacy Rights Act, and Virginia's Consumer Data Protection Act.
For brands looking to gain an edge, a sound privacy approach must act as a business conduit rather than an expensive infrastructure addition. With this in mind, platforms and solutions that go to the edge, and democratize access to data with schemaless ingestion and no-code queries, provide a significant advantage. These privacy-enhancing technologies provide in-the-moment insights for measurement and activation, while truly prioritizing privacy.
SCUBA Analytics is one of these solutions. Learn more today.