Colorado Privacy Act Sensitive Data: Ultimate Guide


Sensitive data (otherwise known as sensitive personal information) is one of the most important concepts in data privacy today.

As the name implies, sensitive data is a term used to describe a more intimate type of personal data. To illustrate, a person’s name and email address would be considered ‘personal’ whereas their medical record and sexual orientation would be ‘sensitive.’

Now, is sensitive data addressed under the Colorado Privacy Act? How does Colorado’s law treat these data types? And what steps must you take to comply?

We’ll answer all these and more in the article below. Let’s get into it.

Key Takeaways

The Colorado Privacy Act (CPA) is a robust US data privacy law that protects the digital rights and personal data of Coloradans.

Under Colorado’s law, sensitive data is a more delicate type of personal data that reveals a person’s racial or ethnic origin, religious beliefs, sexual orientation, and biometric information, to mention a few.

When it comes to sensitive data, Colorado’s law requires businesses to minimize their data collection, get proper consent before handling SPI, and conduct data protection assessments (among other requirements).

Colorado Privacy Act Overview


The CPA is a consumer privacy law that gives Colorado residents more control over their personal data and imposes new responsibilities on applicable businesses.

Enacted on July 1, 2023, the CPA is one of several US privacy laws introduced in recent years alongside California’s CCPA, Virginia’s CDPA, and Connecticut’s CTDPA.

The CPA applies to businesses (i.e., data controllers and processors) that operate in Colorado, target its residents to sell commercial goods or services, and either:

Handle the personal data of at least 100,000 consumers during a year

Get some sort of revenue from selling personal data and manage the data of at least 25,000 consumers

As mentioned, the CPA gives consumers several rights over their data, including the right to:

Access their personal data

Correct errors in their personal data

Request deletion of their personal data

Opt out of the sale of their data, targeted advertising, and profiling

Obtain a copy of their data in a commonly used and machine-readable format

On the other hand, businesses must meet several key requirements, including performing data protection assessments, responding to data subject access requests (DSARs), and maintaining adequate cybersecurity safeguards (to mention a few).

Failure to comply with the CPA is considered a deceptive trade practice and is regulated under the Colorado Consumer Protection Act. As such, CPA penalties range from $2,000 to $20,000 per violation, with extreme cases resulting in criminal liability.

Is Sensitive Data Covered Under the Colorado Privacy Act

Yes, sensitive data (aka sensitive personal information or SPI) is covered by the Colorado Privacy Act.

Like most privacy laws, the CPA holds businesses that handle sensitive data to stricter standards. After all, sensitive data triggers more severe consequences if misused or abused compared to standard personal data.

Sensitive Data Types Under the Colorado Privacy Act


Colorado’s law defines sensitive data as any class of personal data that reveals:

Racial or ethnic origin: Information about a person’s ancestry, national origin, or ethnicity.

Religious beliefs: Information about religious affiliations and practices, such as Christianity, Islam, Judaism, Hinduism, Buddhism, etc.

Mental or physical health condition or diagnosis: Information about physical or mental health. Examples include medical history, diagnoses, disabilities, etc.

Sex life or sexual orientation: Information about a person’s sex life and activities, such as their gender identity, sexual orientation, and sexual partners.

Citizenship or citizenship status: Information about a person’s citizenship and immigration status, such as residency and visa status.

Genetic or biometric data processed to uniquely identify an individual: information about a person’s genetic and biometric attributes, such as their fingerprints, facial scans, DNA profiles, etc.

Data from a known child: Under the CPA, personal data (e.g., names, identification details, etc.) obtained from a child under the age of 13 is considered sensitive data.

Sensitive Data Requirements Under the Colorado Privacy Act


As mentioned, Colorado’s law imposes strict requirements on businesses that collect, use, or disclose sensitive data. These requirements help protect consumers from the considerable repercussions of sensitive data misuse and exposure.

Briefly, the CPA’s requirements for sensitive data are as follows:

Perform data protection assessments

One important CPA requirement is to perform data protection assessments before starting activities that may pose a heightened risk to consumers. These assessments help you identify and reduce the risks associated with data processing.

Under Colorado’s law, high-risk activities include the sale of personal data, targeted advertising, and, of course, collecting or processing sensitive data.

When conducting a data protection assessment for sensitive data, consider the following:

The nature of the sensitive data

The purposes for which you process data

The third parties you may share sensitive data with

The security measures in place to protect sensitive data

Obtain valid consent

The most important CPA requirement for sensitive data is to obtain valid consent from consumers. Remember, sensitive data requires more effective protection and safety measures.

One of the ways this is achieved under the CPA is to obtain express, “opt-in” consent before collecting and processing sensitive data.

For your consent request to be valid under the CPA, it must:

Be specific

Be informed

Be freely given

Reflect the consumer’s explicit agreement

Be collected through clear, affirmative action

In other words, broad acceptance of terms, silence, inactivity, pre-ticked boxes, and consent obtained through dark patterns are all invalid forms of consent under the CPA.

It’s worth noting that this standard of consent is also required for processing the personal data of minors under 13 since their information is considered sensitive under the CPA.

Maintain a transparent privacy policy

Transparency is key in building trust with your consumers. For this reason, the CPA requires you to be completely honest with consumers about how you collect, use, and disclose their personal and sensitive data. A well-detailed privacy policy fulfills this requirement.

Importantly, your privacy policy must be up-to-date, clear, and easy to understand. It must also be accessible to consumers at key points where you collect sensitive data.

Minimize data collection

Data minimization is a principle that involves only collecting the bare minimum amount of sensitive data necessary for your business purposes.

Though data minimization isn’t a new concept in data privacy, the CPA introduces its own unique standards.

Specifically, the law requires you to review (at least once a year) whether you absolutely need to retain sensitive data for established purposes. If you don’t, then you must immediately take steps to delete sensitive data.

Implement robust security measures

Protecting sensitive data requires more than just compliance – it demands a proactive approach to data security. After all, sensitive data requires a higher level of security due to its delicate nature.

Adequate security safeguards you should consider include but aren’t limited to:

Data encryption

Access controls

Multi-factor authentication

Intrusion detection systems

Keep detailed records

It’s a best practice to keep detailed records of all your data operations involving sensitive data.

These records should, at minimum, include the following:

The type of sensitive data you process

Your purposes for processing sensitive data

The third parties you may share sensitive data with

The security measures you have to protect sensitive data

In the event of an audit, having comprehensive records not only shows your dedication to compliance but also makes for a smoother review process.

Partner with Captain Compliance

By now you can probably tell that navigating this complex system of laws and regulations is challenging. To take the burden off your hands, consider outsourcing compliance to a reputable provider like Captain Compliance.

When it comes to the CPA’s sensitive data requirements, our team of professionals helps you:

Develop cybersecurity policies and strategies

Conduct data protection assessments

Draft a compliant privacy policy

Receive ongoing support

And much more!

With our expert guidance, compliance worries become a thing of the past.

Final Thoughts

Having understood how Colorado’s law treats sensitive data, you’re one step closer to achieving compliance. All you need now is a specialized compliance service to seal the deal.

Not sure where to start? We’re with you every step of the way!

At Captain Compliance, we understand that complying with the CPA’s sensitive data requirements can be complex and time-consuming.

That’s why our suite of compliance services ensures you understand the law and can effortlessly translate it into actionable steps.

From crafting transparent privacy policies to conducting data protection assessments, we tailor our expertise to your specific business needs.

Ready to achieve compliance seamlessly with Colorado’s law? Get in touch today!

What qualifies as sensitive data under the Colorado Privacy Act?

Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, and data of a known child.


To obtain valid consent under Colorado’s law, take note of the following:

Be specific about why you need sensitive data

Give consumers clear and concise information about how you will use their sensitive data

Allow consumers to give or withhold their consent freely

Make it easy for consumers to revoke their consent at any time

Avoid using dark patterns or other manipulative techniques to obtain consent


How often should data protection assessments be performed for sensitive data?

Data protection assessments should be performed at least annually or more often if there are significant changes to how you collect, use, or disclose sensitive data. You should also perform these assessments before starting any new data operations involving sensitive data.


How can I minimize sensitive data collection under the CPA?

Adopt a lean approach by only collecting sensitive data that is strictly necessary for your business operations. This helps you align your practices with the CPA’s data minimization principle and reduce the risks of sensitive data falling into the wrong hands.

