Colorado Privacy Act Nonprofits [Steps to Comply]


Are you a nonprofit in Colorado? It’s time to learn about the Colorado Privacy Act nonprofits. This new rule is important for how you handle Colorado resident data. We’re here to help you understand what this law is all about.

We’ll show you the steps to follow so you can take care of your nonprofit’s personal data the right way. From knowing what info you have to make sure people say it’s okay to use it, we’ve got you covered.

Let’s dive in and learn how to ensure your nonprofit stays compliant.

Key Takeaways

The Colorado Privacy Act matters to nonprofits, too, not just the big businesses. If you’re handling personal data from over 100,000 residents in Colorado or receiving revenue from over 25,000 residents, it’s time to get in line with the law.

Some of you smaller nonprofits or those already playing by specific laws (like HIPAA or FERPA) might not have to worry about the CPA, thanks to the Colorado Privacy Act exemptions. But it’s best to check if you’re one of the lucky ones.

Messing up with the CPA can hit your nonprofit with big Colorado Privacy Act penalties. It’s like forgetting to return a library book and then owing more than the book’s worth. So, it’s better to be safe than sorry.

Overview of the Colorado Privacy Act

The new Colorado Privacy Act, which became effective on July 1, 2023, is meant to give people more control over their personal data. It’s like a promise between businesses and consumers that says businesses need to be upfront about what they do with your data and keep it safe.

One big thing is that under the CPA, people can request to see their information or have it deleted. This is called exercising their data subject rights, and if a consumer asks an organization, the organization has to respond.

Businesses also need to do data protection assessments – basically, check-ups to make sure they’re protecting information properly, which is a crucial part of corporate compliance.

Another key part is consent – before an organization can gather or share private data like race or location details or track you with cookies, the consumer needs to give them the okay clearly.

The Colorado Privacy Act has a wide scope of organizations that it applies to as well. Let’s learn more about that now.

Do Nonprofits Need to Follow the Colorado Privacy Act?


Yes, nonprofits in Colorado need to follow the Colorado Privacy Act just like other businesses do if they process over 100,000 residents’ personal data or collect revenue from over 25,000 residents.

Nonprofits might think this new privacy act doesn’t apply to them, but it does. This law isn’t only for big businesses trying to make banks. It’s for any group that gathers a large amount of personal data on Colorado residents.

So, if your nonprofit is collecting personal data like names, emails, addresses, and anything else that can be linked to the consumer, you must pay attention to what the CPA says.

Why should nonprofits care about this law? Well, the CPA is all about protecting people’s privacy – no matter who has their data. The goal is to make sure everyone’s personal details are handled carefully and kept safe, whether it’s a huge business or a tiny charity that has them.

Here’s the deal – the CPA says if you process personal data on more than 100,000 consumers or make money off at least 25,000 Colorado residents’ personal data, you must follow the CPA, which for some nonprofits means turning to outsourced compliance services.

So, even if your nonprofit isn’t profit-focused, you should still think about the CPA. It’s all about building trust with the people you help. When they know their data is secure with you, they’ll be more likely to continue supporting your mission.

Nonprofits That Are Exempt From the Colorado Privacy Act


For the small nonprofits out there, this means you can focus on what you do best – helping others – without the extra layer of paperwork and policies that come with the CPA.

Think of it like this: if your nonprofit is like a cozy neighborhood library that doesn’t keep track of every visitor, the CPA is like a big-city regulation that doesn’t need to keep an eye on you. You’re free to serve your community without the worry of checking off another regulatory box.

Here’s a list of the types of nonprofits exempt from the CPA:

Nonprofits with Limited Consumer Data

Small nonprofits don’t need to worry about the Colorado Privacy Act and all its rules.

The law lets the little guys off: if your nonprofit works with fewer than 100,000 Colorado residents’ personal data every year, or you’re making revenue off of fewer than 25,000 residents’ personal data, you’re good.

This is great for local groups that help out around town. You probably don’t gather data on that many people outside your community.

So just keep making your neighborhood better, and don’t sweat the new law. Big nonprofits in Colorado generally have to abide by the CPA, but not the smaller ones.

Nonprofits Compliant with the HIPAA

Nonprofits in the broad niche of healthcare that follow HIPAA rules are exempt from the CPA. Since HIPAA is a strict federal privacy law, the CPA doesn’t pile on extra rules for HIPAA-compliant organizations dealing with protected health information.

It’s like having a passport that lets you into a bunch of countries – with HIPAA, you’re already cleared for takeoff when it comes to data privacy in Colorado.

HIPAA shields a wide range of health information. If your nonprofit works in healthcare and handles any kind of protected health information, you’re probably already protecting that data under HIPAA.

This could be patient medical records, insurance details, or anything health-related – all covered by HIPAA, so if you’re already following HIPAA, the CPA won’t add much extra work to comply.

Educational Nonprofits Compliant with FERPA

Educational nonprofits dealing with student records that follow FERPA don’t need to worry about the CPA. FERPA keeps student records private, and if your nonprofit follows FERPA, you don’t have to do anything extra for the CPA.

This exemption takes a load off of education nonprofits. It lets them concentrate on teaching and helping students without figuring out more rules. Your programs, services, and staff can keep going without messing with the CPA as long as you stick to FERPA’s guidelines.

Specialized Data and Other Laws

Nonprofits working under specific laws for certain kinds of data, like financial or driving records, are off the hook with the CPA.

These other laws, like GLBA for financial institutions or DPPA for driver’s license records, already lock down personal data securely. It’s as if they’ve got a special work permit just for their data; the permit handles privacy, so the CPA doesn’t need to.

These exempt nonprofits generally already follow many of the CPA’s guidelines under their own laws, which is why they’re exempt.

Steps for Nonprofits to Comply with the Colorado Privacy Act

Navigating the Colorado Privacy Act (CPA) can seem like a daunting task for nonprofits. But with the right steps, it’s like following a recipe to bake a cake – each step is important to get the desired outcome.

For nonprofits that fall under the CPA’s umbrella, it’s time to roll up your sleeves and get to work on compliance. Here’s a straightforward guide to help you along the path to CPA compliance:

Creating a Clear and Transparent Privacy Notice

Your nonprofit’s gotta make a privacy notice that Colorado residents can find and understand without any trouble.

It’s generally always a good idea to have a clear and transparent privacy notice regardless of whether you have to follow the CPA or not because it helps with trust.

In this notice, you’ll need to cover what kinds of personal data you take, why you’re taking it, who you’re giving it to, who the data controller is, contact details, and how the people who the data is about can use their rights over their info.

Fulfilling Data Subject Access Requests

When someone asks to see their data, or they request to correct or delete it, your nonprofit has to abide by their request – it’s like setting up customer service for all their data questions. The CPA law says people have a right to ask for this stuff.

Data subject access requests generally require that you verify who the data subject is before fulfilling the request. This could involve asking for a form of identification or requiring them to provide additional information that only they would know.

Once you have verified their identity, you can begin processing their request in accordance with the CPA. It may be helpful to create a process or procedure for handling these requests within your nonprofit so that all employees know how to respond.

The specific steps will depend on the request type (e.g., access, correction, deletion) and what kind of personal data is involved.

Conducting Data Protection Assessments

For any activity that might be risky for Colorado residents’ privacy, like targeted advertising or selling data, you’ll need to do an assessment called a Data Protection Assessment. Conducting this assessment helps to mitigate the risks of a Colorado Privacy Act breach.

This involves evaluating the potential risks to individuals’ privacy and determining ways to mitigate those risks.

When conducting a data protection assessment, you should:

Clearly define the project or activity that is being assessed.

Identify all personal information involved in the project/activity and where it comes from.

Assess any potential risks associated with collecting, storing, using, or sharing this personal information.

Determine what security measures are currently in place to protect this data.

Consider whether there are alternative methods of achieving your goals without putting individuals’ privacy at risk.

If risks cannot be mitigated, evaluate if it is necessary to collect and use this personal information at all.

Document the assessment and any mitigating actions taken.

Regularly review and update the assessment as needed.

It’s important to involve all relevant stakeholders in this process, including data privacy experts or legal counsel, if necessary. This will help ensure that your nonprofit is taking all necessary steps to protect individuals’ privacy and comply with the CPA.

Partner with Captain Compliance

Getting your nonprofit up to speed with that whole CPA compliance thing can totally feel like you’re adrift on the open seas with no map or compass. That’s where getting Captain Compliance on your crew comes in handy.

We’re superheroes who know how to navigate these tricky legal waters without capsizing. With our compliance services, we’ll steer your nonprofit through meeting the CPA requirements without it feeling like you’re walking the plank.

We get that every nonprofit is different (you guys are like snowflakes, and no two are alike), so we put together custom compliance plans tailored to each organization’s needs.

This way, through our comprehensive compliance training, you not only check the legal boxes but also keep your community’s trust locked in.

Penalties Nonprofits Can Face from Non-Compliance with the CPA


Nonprofits need to be really careful about following Colorado’s new privacy law. Messing up can lead to some very large fines. It’s kind of like when you forget to return a library book and owe crazy late fees. The penalties add up fast if you don’t play by the rules.

Here’s the deal: if a nonprofit doesn’t do what the law says, the Attorney General or local prosecutors can call them out. Breaking the privacy rules is seen as being deceptive. Fines could be up to $20,000 per person impacted, capped at $500,000 total.

But here’s a bit of good news. If a nonprofit violates the CPA, it gets a chance to fix the problem before getting fined, which is known as the right to cure. It’s like a warning that says nonprofits have 60 days to get their act together before they get fined. However, that’s only until January 2025.


The Colorado Privacy Act, much like the CCPA, is dropping a whole suitcase on your doorstep. It feels like you’re packing for a trip to Mars or something. What to bring? What to leave? Don’t wanna end up lost in space! That’s why Captain Compliance is your trusted partner.

We’ve made this trip a ton of times before. We’ll help you with every little bit of compliance work you have to do to ensure your compliance.

So, what’s next? Get in touch with us. We’ll sit down with you, figure out what you need for your nonprofit, and help you every step of the way. With Captain Compliance, you can move forward, knowing you’re doing everything right.


Who is Covered by the Colorado Privacy Act?

The Colorado Privacy Act covers any organization that handles the personal data of over 100,000 Colorado residents or organizations that make revenue from over 25,000 residents.

This includes many nonprofits, not just big businesses. If you collect or use personal info, you need to abide by the CPA if you’re not exempt.

Need to know if your nonprofit is covered? Read more about the CPA’s reach and exemptions here.

What Happens if My Nonprofit Ignores the CPA?

Ignoring the CPA can lead to hefty fines. Think of it like ignoring a stop sign and getting a ticket, but the ticket is up to $20,000 per person affected.

Concerned about fines? Learn how to avoid them with our guide on CPA penalties here.

How Can My Nonprofit Prepare for the CPA?

Start by understanding what personal data you have and how you’re using it. Then, make sure you have clear consent from people to use their data. It’s like asking permission before borrowing something.

Need a plan? Check out our step-by-step guide to CPA compliance here.

Are There Any Nonprofits That Don’t Need to Worry About the CPA?

Yes, some nonprofits are exempt from the CPA, like those already governed by laws like HIPAA or FERPA or those that handle data under certain thresholds.

Are you exempt? Find out more about exemptions for nonprofits under the CPA here.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.