Colorado CPA Compliance
The Colorado Privacy Act became effective July 1, 2023. Colorado was the third US state after California and Virginia to enact a comprehensive privacy law. CPA is enforced by the Colorado Attorney General and Colorado district attorneys. The CPA includes a distinctive Universal Opt-Out Mechanism requirement that has shaped subsequent state privacy laws.
This page covers what CPA requires, who is in scope, and how to build compliance.
Does CPA apply to you
CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents, and that during a calendar year:
Control or process the personal data of 100,000 or more Colorado consumers; or
Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more Colorado consumers.
CPA does not apply to certain entities including state agencies, employment-related data, and entities subject to specific federal privacy laws.
Many tech companies hit the 100,000 Colorado consumer threshold as they scale.
What CPA requires
A compliant privacy notice. The notice must describe categories of personal data collected and processed, purposes for processing, how consumers can exercise their rights, third parties with whom personal data is shared, and categories of personal data sold or processed for targeted advertising.
Consumer rights operational capability. Colorado consumers have rights including:
Right to access
Right to correction
Right to deletion
Right to data portability
Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond to consumer requests within 45 days, extendable by 45 days for complex requests.
Universal Opt-Out Mechanism. Colorado requires controllers to recognize universal opt-out signals. The Colorado Attorney General has approved specific mechanisms including Global Privacy Control as universal opt-out signals. Controllers must process valid universal opt-out signals as a valid opt-out request.
The UOOM requirement is operationally significant. Companies must implement detection of universal opt-out signals from browsers and other sources, link those signals to consumer accounts where possible, and apply opt-out preferences across processing.
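The following is an added illustration of the detection and linking steps just described; it is not code from Engage Compliance or from any Colorado-issued tool. It assumes the request-header form defined by the Global Privacy Control specification (a request header named Sec-GPC whose value is exactly "1" expresses an opt-out; anything else is not a signal). The preference store, the request shape, and the consumer and session identifiers are constructed for the example, and the choice to persist a recorded opt-out across later requests is a design decision of this example, not a reading of the Colorado regulations.

```python
"""Detecting and honoring a Global Privacy Control (GPC) opt-out signal server-side.

Added example (not Engage Compliance's code). Assumes the GPC specification's
header form: Sec-GPC: 1 means opt-out. Store, identifiers and request shape are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


def has_gpc_optout(headers: Dict[str, str]) -> bool:
    """True only for a valid GPC signal (Sec-GPC: 1).

    HTTP header names are case-insensitive, so normalize before lookup. A value
    other than the literal "1" ("0", "true", "") is not a valid signal and must
    not be recorded as an opt-out.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get("sec-gpc") == "1"


@dataclass
class OptOutPreferences:
    # The universal opt-out signal is applied in this example to two processing
    # activities: sale of personal data and targeted advertising.
    sale: bool = False
    targeted_advertising: bool = False
    source: Optional[str] = None  # e.g. "gpc" or "web-form"; kept for the audit trail


@dataclass
class PreferenceStore:
    """In-memory stand-in for the preference database (constructed for the example)."""
    by_consumer: Dict[str, OptOutPreferences] = field(default_factory=dict)
    by_session: Dict[str, OptOutPreferences] = field(default_factory=dict)

    def record_universal_optout(self, consumer_id: Optional[str], session_id: str) -> None:
        # Link the signal to the account when the visitor is known; otherwise
        # keep it against the session so the opt-out still applies to an
        # unauthenticated visitor.
        prefs = OptOutPreferences(sale=True, targeted_advertising=True, source="gpc")
        if consumer_id:
            self.by_consumer[consumer_id] = prefs
        else:
            self.by_session[session_id] = prefs

    def link_session_to_consumer(self, session_id: str, consumer_id: str) -> None:
        # Called at login: carry a session-level opt-out over to the account so
        # later requests from that consumer honor it, including from other devices.
        prefs = self.by_session.pop(session_id, None)
        if prefs is not None and consumer_id not in self.by_consumer:
            self.by_consumer[consumer_id] = prefs

    def lookup(self, consumer_id: Optional[str], session_id: str) -> OptOutPreferences:
        if consumer_id and consumer_id in self.by_consumer:
            return self.by_consumer[consumer_id]
        return self.by_session.get(session_id, OptOutPreferences())


def handle_request(store: PreferenceStore, headers: Dict[str, str],
                   consumer_id: Optional[str], session_id: str) -> Dict[str, bool]:
    """Apply any GPC signal on this request, then report what processing is permitted.

    Design choice for this example: a recorded opt-out persists on later requests
    even if the browser stops sending the header, until the consumer changes it.
    """
    if has_gpc_optout(headers):
        store.record_universal_optout(consumer_id, session_id)
    prefs = store.lookup(consumer_id, session_id)
    return {
        "sale_allowed": not prefs.sale,
        "targeted_ads_allowed": not prefs.targeted_advertising,
    }


if __name__ == "__main__":
    store = PreferenceStore()
    # Constructed request: an anonymous visitor whose browser sends GPC.
    print(handle_request(store, {"Sec-GPC": "1"}, None, "sess-1"))
    store.link_session_to_consumer("sess-1", "c-42")
    # Same consumer later, logged in from another device, no header sent.
    print(handle_request(store, {}, "c-42", "sess-2"))
```

The decision returned by handle_request is what downstream ad-tech and data-sharing code should consult; checking the header only at the edge and not recording the result is the common gap, because the opt-out then silently stops applying once the visitor moves to a device or session that does not send the signal.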
Consent for sensitive data. Processing of sensitive personal data requires opt-in consent. Sensitive data definitions are similar to other state laws and include race, ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data used for identification, children's data, and precise geolocation data.
Data protection assessments. Controllers must conduct and document data protection assessments for processing activities involving targeted advertising, sale of personal data, profiling with high-risk effects, sensitive data, or other heightened-risk processing.
Processor contracts. Contracts between controllers and processors must include specific terms addressing processing instructions, confidentiality, security measures, sub-processor management, audit cooperation, and data return or deletion.
Enforcement
The Colorado Attorney General and district attorneys have enforcement authority. There is no private right of action.
Penalties up to 20,000 USD per violation.
The CPA included a cure period that expired January 1, 2025. After that date, the Attorney General is not required to provide an opportunity to cure violations before initiating enforcement.
Colorado has issued substantial implementing regulations through the Colorado Attorney General's office covering data protection assessments, universal opt-out mechanism technical specifications, and consumer rights operational requirements.
How CPA compares to other state laws
CPA shares conceptual structure with VCDPA and other state laws. The main distinctive elements:
Universal Opt-Out Mechanism. CPA was the first US state law to require recognition of universal opt-out signals. Subsequent laws in Connecticut, Texas, Oregon, Delaware, and other states include similar requirements.
Detailed implementing regulations. Colorado has issued more detailed implementing regulations than most other state laws, providing clearer operational guidance.
Cure period expiration. The expired cure period creates more enforcement urgency than some other state laws.
Sale and sharing definitions. CPA's definition of "sale" includes exchange for monetary or other valuable consideration, similar to CCPA but with some Colorado-specific interpretation.
How Engage Compliance helps
CPA compliance is included in our DPO services for clients serving Colorado residents. Specific work includes:
Privacy notice with Colorado-specific sections.
Universal Opt-Out Mechanism implementation including detection and processing of Global Privacy Control signals.
Consumer rights process design and implementation.
Data protection assessment documentation.
Sensitive data inventory and consent management.
Multi-state harmonization across CPA and other US state laws.
Get started
If you have Colorado consumers and need CPA compliance support, book a consultation.