
DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: CO)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (CPA definition per C.R.S. § 6-1-1303(26)): Check all that apply: (1) Personal data revealing racial or ethnic origin; (2) Religious beliefs; (3) Mental or physical health diagnosis, condition, or treatment; (4) Sex life or sexual orientation; (5) Citizenship or immigration status; (6) Genetic or biometric data processed for purpose of uniquely identifying an individual; (7) Personal data collected from a known child (under 13 years of age). Affirmative consent required before processing sensitive data.
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
  • Processing activities: [collection, storage, analysis, sharing/sale status]. CPA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration; "Targeted advertising" = displaying to a consumer an advertisement selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites or applications; "Profiling" = automated processing of personal data to evaluate, analyze, or predict personal aspects concerning a consumer.

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., effective July 1, 2023; CPA Rules 4 CCR 904-3, finalized March 15, 2023.
  • Applicability thresholds: Controller conducting business in Colorado or targeting Colorado residents that: (1) Controls or processes personal data of 100,000+ consumers annually; OR (2) Derives revenue or receives discounts from sale of personal data AND processes or controls personal data of 25,000+ consumers. No minimum revenue threshold. Note: Biometric data amendments (HB 24-1130, effective July 1, 2025) and minors' online activity amendments (SB 24-041, effective October 1, 2025) apply regardless of whether entity meets standard CPA thresholds if processing biometric data or minors' personal data.
  • Entity type exemptions: GLBA-covered financial institutions, HIPAA-covered entities/business associates for protected health information, nonprofit organizations, higher education institutions, certain state/tribal entities.
  • Consumer rights covered: (1) Right to access personal data; (2) Right to delete personal data; (3) Right to correct inaccuracies in personal data; (4) Right to data portability (portable and readily usable format); (5) Right to opt out of sale of personal data, targeted advertising, and certain profiling. Response timeline: 45 days (with one 45-day extension if reasonably necessary; notice to consumer required). Authentication: Reasonable efforts to verify consumer identity and request.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Affirmative consent required before processing sensitive data (consent must be clear affirmative action, freely given, specific, informed, unambiguous; no blanket T&Cs, silence, inactivity, pre-ticked boxes, or dark patterns); (2) Effective October 1, 2025: Consent required before processing the personal data of minors under 18 for targeted advertising, sale, or profiling in furtherance of decisions producing legal/similarly significant effects; (3) Universal opt-out mechanisms must be honored for sale and targeted advertising; (4) Opt-out required for profiling in furtherance of decisions producing legal or similarly significant effects concerning the consumer.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how consumers may exercise rights, categories of personal data shared with third parties, categories of third parties, and how to opt out of sale/targeted advertising/profiling. Clear and conspicuous link to opt-out or description of one or more designated methods for submitting opt-out requests.
  • Contracts with processors/service providers: Data processing agreement required with instructions, nature/purpose of processing, type of data, duration, controller and processor obligations, confidentiality, requirement that processor deletes or returns data at controller's direction, assistance with consumer rights requests, and requirement that processor makes available information necessary to demonstrate compliance.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: Colorado Consumer Protection Act, C.R.S. § 6-1-716 (Notification of Security Breach).
  • Timeline: When entity becomes aware security breach may have occurred, conduct prompt good faith investigation to determine likelihood of misuse. Notice to affected Colorado residents required in most expedient time possible without unreasonable delay, but not later than 30 days after date of determination that security breach occurred. Exception: Notification may be delayed if law enforcement determines it will impede criminal investigation; notice required within 30 days after law enforcement determines notification will no longer impede investigation.
  • Notification triggers: Security breach = unauthorized acquisition of unencrypted computerized data compromising security, confidentiality, or integrity of personal information. Personal information = Colorado resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/ID number; (c) Student, military, or passport ID number; (d) Medical information; (e) Health insurance ID number; (f) Biometric data. "Determination that security breach occurred" = point in time when sufficient evidence exists to conclude breach has taken place.
  • Encryption safe harbor: Notice not required if personal information was encrypted and encryption key was not acquired and is not reasonably believed to have been acquired.
  • Regulator/AG notice: If breach affects 500 or more Colorado residents, must notify Colorado Attorney General within 30-day timeframe.
  • Content requirements: Notice must include: (1) To the extent possible, description of categories of information reasonably believed to have been acquired; (2) Contact information for consumer reporting agencies if breach includes SSN; (3) Covered entity's contact information.
  • Consumer reporting agency notice: If required to notify more than 1,000 Colorado residents, must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (per 15 U.S.C. § 1681a(p)) of anticipated notification date and approximate number of residents to be notified.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].
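The notification rules in Section 8 can be turned into a small decision helper that an incident response team can run against the facts of an event. This is an added example, not part of the template; the element labels and the scenario are constructed, the 30-day figures are the outer limits stated above (the statute's actual standard is "most expedient time possible"), and the result is an input to legal review, not a substitute for it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data elements that, combined with a name, make "personal information"
# under the Section 8 summary of C.R.S. 6-1-716 (constructed labels).
ID_ELEMENTS = {"ssn", "drivers_license_or_id", "student_military_passport_id",
               "medical_information", "health_insurance_id", "biometric_data"}

@dataclass
class BreachFacts:
    determination_date: date          # when evidence sufficed to conclude a breach occurred
    co_residents_affected: int
    name_acquired: bool               # first name or initial plus last name
    elements_acquired: set            # subset of ID_ELEMENTS
    data_encrypted: bool = False
    key_acquired: bool = False        # acquired, or reasonably believed acquired
    law_enforcement_release: Optional[date] = None  # date LE said notice no longer impedes

def is_personal_information(f: BreachFacts) -> bool:
    return f.name_acquired and bool(f.elements_acquired & ID_ELEMENTS)

def encryption_safe_harbor(f: BreachFacts) -> bool:
    return f.data_encrypted and not f.key_acquired

def colorado_obligations(f: BreachFacts) -> dict:
    """Map breach facts to the notices Section 8 lists and their outer deadlines."""
    if not is_personal_information(f) or encryption_safe_harbor(f):
        return {"consumer_notice_by": None, "ag_notice_by": None,
                "notify_credit_agencies": False, "notice_content": []}
    # The 30-day clock runs from the determination date, or from the
    # law-enforcement release date if notice was held for an investigation.
    clock_start = f.law_enforcement_release or f.determination_date
    deadline = clock_start + timedelta(days=30)
    content = ["categories of information reasonably believed acquired",
               "covered entity contact information"]
    if "ssn" in f.elements_acquired:
        content.append("consumer reporting agency contact information")
    return {
        "consumer_notice_by": deadline,
        "ag_notice_by": deadline if f.co_residents_affected >= 500 else None,
        "notify_credit_agencies": f.co_residents_affected > 1000,
        "notice_content": content,
    }

if __name__ == "__main__":
    # Constructed scenario: plaintext export of names and SSNs for 1,500 Colorado residents.
    facts = BreachFacts(date(2025, 3, 1), 1500, True, {"ssn"})
    print(colorado_obligations(facts))
```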

9. State Overlay Checklist (CO)

  • Applicability thresholds and exemptions: 100,000+ consumers annually OR 25,000+ consumers if deriving revenue/discounts from sale. No revenue threshold. Biometric data (July 1, 2025) and minors' data (October 1, 2025) provisions apply regardless of thresholds. Exemptions: GLBA financial institutions, HIPAA covered entities (for PHI), nonprofits, higher education institutions, state/tribal entities, air carriers under 49 U.S.C., certain employment/commercial data contexts.
  • Sensitive data definition and consent/opt-out requirements: 7 categories of sensitive data (see Section 2 above). Affirmative consent required before processing (clear affirmative action, freely given, specific, informed, unambiguous). No dark patterns, pre-ticked boxes, silence, or blanket T&Cs. Effective October 1, 2025: consent required for processing the personal data of minors under 18 for targeted ads, sale, or profiling for decisions with legal/significant effects.
  • Consumer rights and response timelines/appeals: Access, delete, correct, portability, opt-out of sale/targeted advertising/profiling. Response: 45 days + one 45-day extension (with notice). Appeals: If request denied in whole or in part, consumer may appeal within reasonable period specified in controller's notice; controller must respond to appeal within 45 days. Controller must provide mechanism for appeal and provide information about how to contact Attorney General to submit complaint.
  • Opt-out of sale/targeted advertising/profiling requirements: Clear and conspicuous link or designated method for opt-out. Must honor universal opt-out mechanisms. Profiling opt-out required for profiling in furtherance of decisions producing legal or similarly significant effects. Controllers must respond to opt-out within 15 days or provide notice of extension (up to 60 days total).
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Written data processing agreement required. Must include: processing instructions, nature/purpose, data type, duration, controller/processor obligations, confidentiality, deletion/return at controller direction, assistance with consumer rights, processor's obligation to make available information demonstrating compliance. 4 CCR 904-3-7.
  • Data Protection Assessment / Risk Assessment triggers: Required for processing activities that present heightened risk of harm to consumers: (1) Processing sensitive data; (2) Sale of personal data; (3) Targeted advertising; (4) Profiling if reasonably foreseeable risk of: (a) unfair/deceptive treatment or unlawful disparate impact, (b) financial/physical/reputational injury, (c) intrusion upon solitude or private affairs offensive to reasonable person, or (d) other substantial injury. Also required for processing minors' data (effective October 1, 2025) for services posing heightened risk of harm. DPA must weigh benefits vs. risks to consumers. Update at least annually or when material changes occur. Retain for 3 years after processing ceases or after ceasing to offer service/product/feature to minors. Attorney General may request DPA within 30 days.
  • Security measures expectations (reasonable security; specific mandates if any): C.R.S. § 6-1-713 (Security of personal information) requires reasonable security procedures and practices appropriate to nature of personal information. Controllers must implement reasonable administrative, technical, and physical data security practices. Assessments should document security controls.
  • Breach notice timeline and content requirements: 30 days from determination of breach to notify consumers; 30 days to notify AG if 500+ residents affected. Content: categories of information acquired, contact info for credit agencies (if SSN involved), covered entity contact info. Notify consumer reporting agencies if 1,000+ residents affected.
  • Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children under 13 is sensitive data requiring affirmative consent. Effective October 1, 2025 (SB 24-041): Consent required before processing the personal data of minors under 18 for targeted advertising, sale of personal data, or profiling in furtherance of decisions producing legal/similarly significant effects. Controllers offering online services/products/features to known minors must conduct DPAs for activities posing heightened risk of harm. Must honor universal opt-out mechanisms for minors.
  • Non-discrimination/retaliation prohibitions under state law: C.R.S. § 6-1-1306. Controller may not process personal data in violation of state/federal laws prohibiting unlawful discrimination. Controller shall not discriminate against consumer for exercising CPA rights, including denying goods/services, charging different prices/rates, or providing different level/quality of goods/services. Bona fide loyalty/rewards programs permitted if material terms reasonably accessible.
  • Recordkeeping (ROPA/DPIA retention and appeal tracking): Maintain DPAs for at least 3 years after processing activity ceases or after ceasing to offer online service/product/feature (for minors). Make DPAs available to Attorney General upon request within 30 days. Maintain documentation of consumer request responses and appeal determinations. Document universal opt-out signal compliance.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.