Colorado Data Privacy Laws: CPA Consumer Rights Guide (2026)

Colorado is one of a handful of states with a comprehensive consumer data privacy law on the books. The Colorado Privacy Act (CPA), codified at C.R.S. § 6-1-1301 through § 6-1-1313, took effect on July 1, 2023. It gives Colorado residents meaningful control over how businesses collect, use, and share their personal information.
This guide covers every part of Colorado's data privacy framework: the CPA's consumer rights and business obligations, the data breach notification law, sensitive data protections, children's privacy rules, biometric data requirements, and enforcement penalties.
What Is the Colorado Privacy Act?
Governor Jared Polis signed Senate Bill 21-190 on July 7, 2021. The bill passed with strong bipartisan support (35-0 in the Senate and 57-7 in the House). The law took effect on July 1, 2023, making Colorado one of the first states to enact comprehensive data privacy legislation alongside California and Virginia.

The CPA is enforced by the Colorado Attorney General and district attorneys. There is no private right of action, meaning individual consumers cannot file lawsuits under the CPA. Enforcement authority rests entirely with state officials.
The Colorado Department of Law published final implementing rules (4 CCR 904-3) in March 2023, with additional amendments proposed in 2025 to address children's data and geolocation protections.
Who Must Comply With the CPA?
The Colorado Privacy Act applies to entities that conduct business in Colorado or intentionally target products or services to Colorado residents. To fall under the law, an entity must also meet one of two thresholds.
Business Thresholds
| Threshold | Requirement |
|---|---|
| Threshold 1 | Controls or processes personal data of 100,000 or more Colorado consumers per calendar year |
| Threshold 2 | Derives revenue (or receives a discount on goods or services) from selling personal data and controls or processes data of 25,000 or more Colorado consumers |
The CPA distinguishes between two types of entities. Controllers determine the purposes and means of processing personal data (for example, a retailer deciding what customer data to collect). Processors handle data on behalf of controllers under written agreements (for example, a cloud storage provider).
Key Exemptions
The CPA does not apply to the following, as outlined in C.R.S. § 6-1-1304:
- State and local government entities
- State institutions of higher education
- Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act
- Air carriers regulated by the Federal Aviation Administration
- National securities associations registered under the Securities Exchange Act
- Data governed by HIPAA (Health Insurance Portability and Accountability Act)
- Data covered by the Fair Credit Reporting Act
- Employment records and job applicant data
Consumer Rights Under the CPA
The Colorado Privacy Act grants six core rights to Colorado residents. These rights apply to personal data, which the law defines as information that is reasonably linked or linkable to an identified or identifiable individual. It does not include publicly available information, de-identified data, or aggregate data.
Right to Access
Colorado consumers can request that a controller confirm whether it is processing their personal data and provide a copy of that data. Controllers must fulfill the first request within a 12-month period at no cost. For additional requests within the same period, controllers may charge a reasonable fee of up to $0.25 per page.
Right to Correct
Consumers can request that a controller fix inaccurate personal data. The controller must take into account the nature of the data and the purpose for processing it when making corrections.
Right to Delete
Consumers can request that a controller delete personal data it has collected about them. This includes data obtained directly from the consumer and data acquired from other sources.
Right to Data Portability
Consumers can request their personal data in a readily usable, portable format that allows transfer to another entity. Controllers must provide the data in a commonly used electronic format. Trade secrets are excluded from this requirement.
Right to Opt Out of Data Sales
Consumers can direct a controller to stop selling their personal data. The CPA defines "sale" broadly to include exchanges of data for monetary or other valuable consideration.
Right to Opt Out of Targeted Advertising and Profiling
Consumers can opt out of processing for targeted advertising purposes and profiling that produces legal or similarly significant effects. This right extends to automated decision-making that could affect access to employment, financial services, housing, insurance, or education.
How to Exercise These Rights
Controllers must respond to consumer requests within 45 days. If additional time is reasonably necessary, they may extend the deadline by another 45 days (90 days total) but must notify the consumer of the extension and the reason for it.
If a controller denies a request, it must provide instructions for appealing the decision. If the appeal is also denied, the controller must inform the consumer of how to file a complaint with the Colorado Attorney General.
Universal Opt-Out Mechanism
One of the CPA's most distinctive features is the universal opt-out mechanism (UOOM) requirement. Since July 1, 2024, businesses subject to the CPA must honor opt-out signals sent through recognized universal mechanisms.
The Attorney General maintains a public list of recognized mechanisms. As of 2026, Global Privacy Control (GPC) is the primary recognized UOOM. GPC is a browser-level signal that automatically communicates a consumer's opt-out preference to every website they visit.
UOOM Requirements for Businesses
Controllers subject to the CPA must:
- Honor GPC signals for opting out of personal data sales and targeted advertising
- Explain in their privacy policy how they process UOOM requests
- Follow the Privacy CG technical specification when implementing GPC support
A mechanism itself must also meet two conditions to be recognized:
- A UOOM cannot be the default setting on a pre-installed browser or operating system
- A UOOM must not unfairly disadvantage any specific controller
How Consumers Use It
Colorado residents can activate GPC in their web browser or through a browser extension. The signal must be enabled on each device and browser individually. Consumers can download and activate GPC at globalprivacycontrol.org.
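The server side of the requirements above, as an added example that is not from the article or from the Colorado Attorney General's materials: it applies the GPC specification's rule that only a `Sec-GPC` request header with the exact value `1` counts as an opt-out, drops the two CPA opt-out purposes (sales and targeted advertising) when the signal is present, and serves the spec's `/.well-known/gpc.json` resource. It assumes a Node.js HTTP server exposing request headers with lower-cased keys; the purpose names and the `lastUpdate` date are constructed.

```javascript
// Added example (not the article's or the Colorado AG's code): honoring the
// Global Privacy Control signal on a Node.js server. Assumes request headers
// are exposed as an object with lower-cased keys, as Node's http module does.

// GPC spec: an opt-out is signaled only when the Sec-GPC request header is
// present with the exact value "1"; anything else (absent, "0", "true") is
// not a valid signal and must not be treated as one.
function hasGpcOptOut(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  // Node may present a repeated header as an array; a repeated or
  // non-"1" value is not a single valid signal.
  const value = Array.isArray(raw) ? raw.join(',') : String(raw);
  return value.trim() === '1';
}

// The CPA's UOOM rule covers sales of personal data and targeted
// advertising. Other processing a consumer cannot opt out of under the UOOM
// rule (for example, fulfilling an order) continues. Purpose names here are
// constructed for the example.
const OPT_OUT_PURPOSES = new Set(['sale', 'targeted_advertising']);

// Returns the subset of the requested processing purposes that may proceed
// for this request. Without a valid signal, every requested purpose stays.
function permittedPurposes(headers, requestedPurposes) {
  if (!hasGpcOptOut(headers)) return [...requestedPurposes];
  return requestedPurposes.filter((p) => !OPT_OUT_PURPOSES.has(p));
}

// Body of the GPC well-known resource (/.well-known/gpc.json) by which a
// site states that it honors the signal. "gpc" is required by the spec;
// "lastUpdate" is an optional date string (placeholder value here).
function gpcWellKnownBody(lastUpdate = '2025-01-01') {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Minimal handler usable with require('http').createServer(handleRequest).
function handleRequest(req, res) {
  if (req.url === '/.well-known/gpc.json') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(gpcWellKnownBody());
    return;
  }
  const purposes = permittedPurposes(req.headers, [
    'essential', 'sale', 'targeted_advertising',
  ]);
  // Vary: Sec-GPC keeps a shared cache from serving an opted-in response
  // to a client that sent the signal, or vice versa.
  res.writeHead(200, { 'Content-Type': 'text/plain', Vary: 'Sec-GPC' });
  res.end(`processing purposes for this request: ${purposes.join(', ')}`);
}
```

Browser-side, the same preference is exposed to page scripts as the boolean `navigator.globalPrivacyControl`, so client code that triggers ad or data-sharing calls can check it before the request is made.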
Sensitive Data Protections
The CPA places heightened protections on sensitive data. Controllers must obtain affirmative, opt-in consent from consumers before collecting or processing any sensitive data category. Broad acceptance of terms of service, and hovering over, pausing on, or otherwise interacting with content, generally do not qualify as consent.
Categories of Sensitive Data
| Category | Description |
|---|---|
| Racial or ethnic origin | Data revealing a consumer's race or ethnicity |
| Religious beliefs | Data revealing religious affiliation or beliefs |
| Mental or physical health | Health conditions, diagnoses, or treatment information |
| Sexual orientation or activity | Data about sexual preferences or activity |
| Citizenship or immigration status | Data about citizenship or immigration standing |
| Biometric data | Biometric identifiers used for identification purposes |
| Children's data | Any personal data concerning a child under age 13 |
| Precise geolocation data | Location data derived from a device used to locate a consumer within a geographic area (added by SB 25-276, effective 2025) |
Children's Data Protections
Governor Polis signed Senate Bill 24-041 on May 31, 2024, adding substantial privacy protections for minors. These provisions took effect on October 1, 2025.
Key Requirements for Businesses
Controllers that offer online services, products, or features to consumers whom they know, or willfully disregard, to be minors must:
- Use reasonable care to avoid any heightened risk of harm to minors
- Conduct data protection assessments when there is a heightened risk of harm
- Maintain assessment documentation for specified periods
- Refrain from targeted advertising or data selling involving minors without consent
- Avoid profiling that produces legal or similarly significant consequences for minors
- Limit data retention to what is necessary to provide the service
- Refrain from using system design features that significantly increase, sustain, or extend a minor's use of the platform
- Avoid collecting precise geolocation data from minors (with narrow exceptions)
Age Verification
Businesses are not required to implement age verification systems. The law provides a safe harbor: "commercially reasonable age estimation" protects companies from liability for errors in identifying whether a user is a minor.
Biometric Data Protections
Colorado enacted HB 24-1130 on May 31, 2024, establishing dedicated protections for biometric identifiers and data. The law took effect on July 1, 2025.
What Counts as Biometric Data
Biometric identifiers include fingerprints, voiceprints, retina or iris scans, facial geometry, and other unique biological characteristics used for identification. The CPA defines biometric data as one or more biometric identifiers that are used or intended to be used, singly or in combination, for identification purposes.
Controller Obligations
Organizations that process biometric data must:
- Adopt written policies that establish a retention schedule for biometric identifiers and data
- Create a protocol for responding to data security incidents involving biometric information
- Establish guidelines requiring deletion of biometric identifiers by certain dates
- Make these policies publicly available (with limited exceptions)
- Obtain consent before collecting biometric identifiers
- Disclose to consumers the specific purpose and duration of biometric data collection
Employer Restrictions
HB 24-1130 limits the permissible reasons an employer may obtain an employee's consent for biometric identifier collection. Employers cannot collect biometric data for purposes beyond those disclosed at the time of consent.
Data Protection Assessments
The CPA requires controllers to conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. This requirement is codified in C.R.S. § 6-1-1309.
When Assessments Are Required
A data protection assessment is mandatory before:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data (including all categories listed above)
- Profiling consumers when there is a reasonably foreseeable risk of unfair treatment, financial or physical injury, offensive intrusion of privacy, or other substantial injury
- Processing minors' data where there is a heightened risk of harm (added by SB 24-041)
What the Assessment Must Include
The assessment must weigh the benefits of the processing activity against potential risks to consumers. Controllers must factor in:
- The use of de-identified data as an alternative
- The reasonable expectations of consumers
- The context of the processing activity
- The relationship between the controller and the consumer
Confidentiality
Data protection assessments are confidential and exempt from public disclosure under the Colorado Open Records Act. However, the Attorney General may request and review any assessment to evaluate compliance with the CPA.
Business Obligations
Controllers subject to the CPA must meet several ongoing compliance requirements beyond responding to consumer rights requests.
Transparency
Controllers must provide a clear, accessible privacy notice that describes in plain language what personal data they collect, why they collect it, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of third parties receiving data.
Data Minimization
Controllers may only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes. They must avoid collecting data beyond what is needed and must not use data for secondary purposes without additional consent.
Security
Controllers must implement reasonable administrative, technical, and physical security practices to protect the confidentiality and integrity of personal data. These measures must be appropriate to the volume and sensitivity of the data processed.
Processor Agreements
Controllers must execute written contracts with processors that specify the nature and purpose of processing, the type of data involved, the duration of processing, and the rights and obligations of both parties. Processors must assist controllers in meeting their CPA obligations, including fulfilling consumer rights requests.
Colorado Data Breach Notification Law
Separate from the CPA, Colorado's data breach notification law (C.R.S. § 6-1-716) establishes requirements for when a security breach occurs. The legislature strengthened this law through HB 18-1128 in 2018.
What Triggers a Notification
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Examples include malware infections, credential theft, ransomware attacks, and loss of physical devices containing unencrypted data.
Covered Personal Information
The law protects several categories of data when combined with a consumer's name:
- Social Security numbers
- Driver's license or state ID numbers
- Student, military, or passport ID numbers
- Medical information
- Health insurance identification numbers
- Biometric data
- Username or email address combined with a password or security question that would permit account access
- Account or credit card numbers combined with required security codes
Notification Requirements and Timeline
| Requirement | Timeline |
|---|---|
| Notice to affected consumers | Within 30 days of determining a breach occurred |
| Notice to Colorado AG | Within 30 days (when 500+ Colorado residents are affected) |
| Notice to credit reporting agencies | Required when 1,000+ residents are affected |
Notice must be provided in the most expedient time possible and without unreasonable delay. If an entity becomes aware that a breach may have occurred, it must conduct a prompt, good-faith investigation to determine whether personal information has been or will be misused.
Content of Breach Notices
Notice to consumers must include the dates of the breach, a description of the personal information involved, contact information for the entity, contact information for the Federal Trade Commission and credit reporting agencies, and instructions for protecting accounts (if credentials were compromised).
Governmental entities must comply with a parallel statute, C.R.S. § 24-73-103, which imposes similar requirements.
Data Disposal Requirements
Colorado law (C.R.S. § 6-1-713 and § 6-1-713.5) also requires entities to develop written policies for the disposal of paper and electronic documents containing personal identifying information and to implement reasonable security procedures.
Penalties for Violations
Violations of the Colorado Privacy Act are treated as deceptive trade practices under the Colorado Consumer Protection Act. The Attorney General or district attorneys may seek civil penalties through court proceedings.
CPA and Consumer Protection Penalty Schedule
| Violation Type | Maximum Penalty |
|---|---|
| Standard CPA violation | Up to $20,000 per violation |
| Violation against older adults | Up to $50,000 per violation |
| Breach notification violation | Penalties under the Colorado Consumer Protection Act plus injunctive relief |
| Children's data violation (negligent) | Up to $2,500 per affected minor |
| Children's data violation (intentional) | Up to $7,500 per affected minor |
The $500,000 cap for a related series of violations was removed in 2019 through HB 19-1289, meaning there is no ceiling on total penalties for widespread violations.
Cure Period
From July 1, 2023, through January 1, 2025, the CPA included a 60-day cure period. If the Attorney General or a district attorney determined a violation could be remedied, they were required to send a letter giving the violator 60 days to fix the issue before taking enforcement action.
As of January 1, 2025, this mandatory cure period has expired. The Attorney General now has discretion to pursue enforcement action without first offering an opportunity to cure.
Enforcement Record
Attorney General Phil Weiser launched CPA enforcement on July 12, 2023, initially focusing on educational outreach. The Department of Law sent letters to businesses explaining their obligations.
In September 2023, the AG reached a settlement with Broomfield Skilled Nursing and Rehabilitation Center for a 2021 data breach involving compromised employee email accounts that exposed patient and employee data. The facility paid a fine and agreed to overhaul its security practices, implement annual security reviews, and submit compliance reports to the AG.
Recent Amendments and Updates
Colorado's data privacy framework continues to expand. Here is a timeline of key developments.
2024 Amendments
- SB 24-041 (signed May 31, 2024): Added comprehensive privacy protections for children's online data, effective October 1, 2025
- HB 24-1130 (signed May 31, 2024): Established dedicated biometric data protections, effective July 1, 2025
2025 Amendments
- SB 25-276 (signed May 23, 2025): Added precise geolocation data as a category of sensitive data requiring opt-in consent
- 2025 Rulemaking: The Department of Law filed proposed amendments to CPA rules on July 29, 2025, clarifying requirements from SB 24-041 and SB 25-276
- January 1, 2025: The 60-day mandatory cure period expired, giving the AG direct enforcement discretion
Key Compliance Dates
| Date | Milestone |
|---|---|
| July 1, 2023 | CPA took effect |
| January 1, 2024 | AG published recognized UOOM list |
| July 1, 2024 | Businesses required to honor universal opt-out mechanisms |
| January 1, 2025 | 60-day cure period expired |
| July 1, 2025 | HB 24-1130 biometric protections effective |
| October 1, 2025 | SB 24-041 children's data protections effective |
How Colorado Compares to Other State Privacy Laws
Colorado is among a growing number of states with comprehensive data privacy laws. Key distinctions of the CPA include:
- Universal opt-out requirement: Colorado was one of the first states to mandate recognition of browser-level opt-out signals like GPC
- Broad sensitive data definition: The CPA covers more categories of sensitive data than many state laws, especially after adding geolocation data in 2025
- No private right of action: Unlike California's CCPA (which allows limited private lawsuits for data breaches), the CPA relies entirely on AG and DA enforcement
- Bipartisan passage: The CPA passed with near-unanimous support, reflecting broad political consensus on data privacy in Colorado
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney licensed in Colorado for guidance on your specific situation. Laws and regulations may change; verify all information with official state sources.