Colorado Data Privacy Laws: CPA Consumer Rights Guide (2026)

The Colorado Privacy Act (C.R.S. §§ 6-1-1301 to 6-1-1313), effective July 1, 2023, grants Colorado residents the right to access, correct, delete, and port their personal data and to opt out of its sale or targeted-advertising use; it covers businesses processing data of 100,000 or more Colorado consumers annually, enforced by the Attorney General.
Colorado has one of the most comprehensive and actively evolving state data privacy frameworks in the United States. The Colorado Privacy Act (CPA), codified at C.R.S. §§ 6-1-1301 to 6-1-1313, took effect on July 1, 2023. Since then, Colorado has added dedicated children's privacy rules, biometric data protections, a geolocation sensitive-data designation, and a landmark (if contested) artificial intelligence accountability law.
This guide covers the full Colorado data privacy landscape as of May 2026: the CPA's consumer rights and business obligations, the data breach notification law, sensitive data protections, children's online privacy rules, biometric data requirements, the Universal Opt-Out Mechanism, the Colorado AI Act's current status, enforcement penalties, and the federal laws that apply alongside Colorado's state framework. Colorado residents and businesses operating in the state will find the key statutes, compliance dates, and penalty structures they need to understand their rights and obligations.
What Is the Colorado Privacy Act?
Governor Jared Polis signed Senate Bill 21-190 on July 7, 2021. The bill passed with near-unanimous bipartisan support: 35-0 in the Senate and 57-7 in the House. With it, Colorado joined California and Virginia as one of the first states to enact comprehensive data privacy legislation. The law took effect July 1, 2023.
The CPA is enforced exclusively by the Colorado Attorney General and district attorneys. There is no private right of action. Individual consumers cannot file lawsuits under the CPA; enforcement authority rests entirely with state officials. Attorney General Phil Weiser launched CPA enforcement on July 12, 2023, initially through educational outreach and compliance letters.
The Colorado Department of Law promulgated implementing rules (4 CCR 904-3) in March 2023. Additional rulemaking rounds followed in December 2024 and October 2025, adding requirements for children's data, biometric identifiers, and precise geolocation data as those statutory amendments came into force.
Who Must Comply With the CPA?
The Colorado Privacy Act applies to for-profit entities that conduct business in Colorado or intentionally target products or services to Colorado residents and meet one of two processing thresholds.

Business Thresholds
| Threshold | Requirement |
|---|---|
| Threshold 1 | Controls or processes personal data of 100,000 or more Colorado consumers per calendar year |
| Threshold 2 | Derives revenue or receives a discount on goods or services from selling personal data AND controls or processes data of 25,000 or more Colorado consumers |
The CPA distinguishes between two categories of covered entities. Controllers determine the purposes and means of processing personal data (for example, a retailer deciding what customer data to collect and why). Processors handle data on behalf of controllers under written data-processing agreements (for example, a cloud storage provider acting on a retailer's instructions).
Key Exemptions
The following entities and data types are exempt under C.R.S. § 6-1-1304:
- State and local government entities
- State institutions of higher education
- Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act
- Air carriers regulated by the Federal Aviation Administration
- National securities associations registered under the Securities Exchange Act
- Data governed by HIPAA (Health Insurance Portability and Accountability Act)
- Data covered by the Fair Credit Reporting Act
- Employment records and job applicant data
- De-identified data and publicly available information
Important exception to the threshold rule: Under HB 24-1130 (effective July 1, 2025), biometric data protections apply to any entity that processes biometric data of Colorado residents, regardless of whether it meets the 100,000- or 25,000-consumer thresholds.
Consumer Rights Under the CPA
The Colorado Privacy Act grants Colorado residents six core rights over their personal data. Personal data is defined as information reasonably linked or linkable to an identified or identifiable individual. It does not include publicly available information, de-identified data, or aggregate data.
Right to Access
Colorado consumers can request that a controller confirm whether it processes their personal data and provide a copy of that data. Controllers must fulfill the first request within any 12-month period at no charge. For additional requests within that same period, controllers may charge a reasonable fee of up to $0.25 per page.
Right to Correct
Consumers can request that a controller correct inaccurate personal data. The controller must account for the nature of the data and the purpose of the processing when deciding how to make the correction.
Right to Delete
Consumers can request that a controller delete their personal data, including data obtained directly from the consumer and data acquired from third-party sources.
Right to Data Portability
Consumers can request their personal data in a readily usable, portable electronic format that allows transfer to another entity. Trade secrets are excluded from this requirement.
Right to Opt Out of Data Sales
Consumers can direct a controller to stop selling their personal data. The CPA defines "sale" broadly to include exchanges of data for monetary or other valuable consideration.
Right to Opt Out of Targeted Advertising and Profiling
Consumers can opt out of processing for targeted advertising and out of profiling that produces legal or similarly significant effects. This covers automated decision-making that could affect access to employment, financial services, housing, insurance, or education.
How to Exercise These Rights
Controllers must respond to consumer requests within 45 days. If additional time is necessary, they may extend the deadline by another 45 days (90 days total) but must notify the consumer of the extension and the reason for it.
If a controller denies a request, it must provide instructions for appealing the decision. If the appeal is also denied, the controller must inform the consumer how to file a complaint with the Colorado Attorney General's office.
Universal Opt-Out Mechanism
One of the CPA's most distinctive features is the Universal Opt-Out Mechanism (UOOM) requirement. Since July 1, 2024, businesses subject to the CPA must honor opt-out signals sent through mechanisms recognized by the Colorado Attorney General.

The Attorney General maintains a public list of recognized mechanisms at coag.gov/opt-out/. As of 2026, Global Privacy Control (GPC) is the primary recognized UOOM. GPC is a browser-level signal that automatically communicates a consumer's opt-out preference to every website they visit. Colorado residents can enable GPC through a compatible browser (such as Firefox or Brave) or through a browser extension.
UOOM Obligations for Businesses
Businesses must:
- Honor GPC signals as an opt-out from personal data sales and targeted advertising
- Describe their UOOM request-processing procedures in their privacy policy
- Follow the Privacy CG technical specification for GPC implementation
- Ensure the UOOM is not set as a default signal on pre-installed browsers or operating systems
- Ensure the UOOM does not unfairly disadvantage any specific controller
Sensitive Data Protections
The CPA requires controllers to obtain affirmative, opt-in consent before collecting or processing any sensitive data category. Broad terms-of-service acceptance, hovering, pausing, or otherwise interacting with content does not constitute valid consent.
Categories of Sensitive Data Under the CPA
| Category | Description |
|---|---|
| Racial or ethnic origin | Data revealing a consumer's race or ethnicity |
| Religious beliefs | Data revealing religious affiliation or beliefs |
| Mental or physical health | Health conditions, diagnoses, or treatment information |
| Sexual orientation or activity | Data about sexual preferences or activity |
| Citizenship or immigration status | Data about citizenship or immigration standing |
| Biometric data | Biometric identifiers used for identification purposes |
| Children's data | Any personal data concerning a child under age 13 |
| Precise geolocation data | Location data used to identify a consumer within a geographic area (added by SB 25-276, effective 2025) |
Children's Online Privacy Protections
Governor Polis signed Senate Bill 24-041 on May 31, 2024, adding substantial privacy protections for minors' online data. These provisions took effect October 1, 2025. The Department of Law finalized implementing rules in October 2025, addressing the "willfully disregard" standard for determining whether a controller knows a user is a minor, defining prohibited "system design features" that exploit minors, and updating the definition of "revealing" in the context of sensitive geolocation data collected from minors.
Who the Children's Protections Cover
The protections apply to controllers that offer online services, products, or features to consumers the controller knows or willfully disregards to be minors. Consent requirements apply to minors under 18 (not just under 13 as under the federal COPPA standard).
Key Requirements for Businesses
Controllers covered by these provisions must:
- Use reasonable care to avoid any heightened risk of harm to minors
- Conduct and document data protection assessments before processing minors' data when there is a heightened risk of harm
- Obtain consent before processing minors' data for targeted advertising, data sales, or profiling that produces legal or significant effects
- Avoid collecting precise geolocation data from minors (with narrow exceptions, including for ski area operators)
- Limit data retention to what is necessary to provide the service
- Refrain from using system design features that significantly increase, sustain, or extend a minor's use of the platform
- Refrain from profiling minors in ways that produce significant legal consequences without consent
Age Estimation Safe Harbor
Businesses are not required to implement age verification systems. The law provides a safe harbor for "commercially reasonable age estimation," protecting companies from liability for inadvertent errors in identifying whether a user is a minor.

Biometric Data Protections
Colorado enacted HB 24-1130 on May 31, 2024, establishing dedicated protections for biometric identifiers and data. The law took effect July 1, 2025.
What Counts as Biometric Data
Biometric identifiers include fingerprints, voiceprints, retina or iris scans, facial geometry, and other unique biological characteristics used for identification. The CPA defines biometric data as one or more biometric identifiers used or intended to be used, singly or in combination, for identification purposes.
Threshold Exemption Removed
HB 24-1130 removed the CPA's numerical processing threshold for biometric data. Any entity that processes biometric data of Colorado residents must comply with the biometric provisions, regardless of whether it processes data for 100,000 or 25,000 consumers. This is a significant expansion of scope compared to the base CPA.
Controller Obligations
Organizations processing biometric data must:
- Adopt a written policy establishing a retention schedule for biometric identifiers and data
- Include in that policy a protocol for responding to data security incidents involving biometric information
- Include guidelines requiring deletion of biometric identifiers at the earliest of: (a) when the initial collection purpose is satisfied; (b) 24 months after the individual's last interaction with the business; or (c) within 45 days of determining storage is no longer necessary, adequate, or relevant
- Make these policies publicly available, with limited exceptions
- Obtain consent before collecting or processing biometric data and disclose the specific purpose and duration of collection
- Refrain from purchasing biometric identifiers unless the consumer is compensated and consents, and the purchase is related to providing a product or service
Employer Restrictions
HB 24-1130 places specific limits on employers. Employers may require employees or prospective employees to provide biometric identifiers for limited purposes (physical access control, technology access, attendance monitoring, and workplace safety) without conditioning employment on consent. For all other purposes, employers may collect biometric identifiers from employees only with consent, but may not condition employment on the employee providing that consent.
Data Protection Assessments
The CPA requires controllers to conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. This requirement is codified in C.R.S. § 6-1-1309.
When Assessments Are Required
A data protection assessment is mandatory before:
- Processing personal data for targeted advertising
- Selling personal data
- Processing any category of sensitive data (including all categories listed above)
- Profiling consumers when there is a reasonably foreseeable risk of unfair treatment, financial or physical injury, offensive intrusion of privacy, or other substantial injury
- Processing minors' data where there is a heightened risk of harm (added by SB 24-041)
What the Assessment Must Include
The assessment must weigh the benefits of the processing activity against potential risks to consumers. Controllers must factor in:
- Whether using de-identified data is a feasible alternative
- The reasonable expectations of consumers
- The context of the processing activity
- The relationship between the controller and the consumer
Confidentiality
Data protection assessments are confidential and exempt from public disclosure under the Colorado Open Records Act. The Attorney General may request and review any assessment to evaluate compliance with the CPA.
Business Obligations
Controllers subject to the CPA must meet ongoing compliance requirements beyond responding to individual consumer requests.
Transparency
Controllers must provide a clear, accessible privacy notice describing: what personal data they collect; why they collect it; how consumers can exercise their rights; the categories of data shared with third parties; and the categories of third parties receiving the data.
Data Minimization
Controllers may only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes. They may not collect data beyond those needs or use data for secondary purposes without additional consent.
Security
Controllers must implement reasonable administrative, technical, and physical security practices appropriate to the volume and sensitivity of the data they process.
Processor Agreements
Controllers must execute written data-processing contracts with processors specifying the nature and purpose of processing, the type of data involved, the duration of processing, and the rights and obligations of both parties. Processors must assist controllers in fulfilling their CPA obligations, including responding to consumer rights requests.
Colorado Data Breach Notification Law
Colorado's data breach notification law, C.R.S. § 6-1-716, was strengthened by HB 18-1128 in 2018. It operates independently from the CPA and applies more broadly than the CPA's threshold requirements.

What Triggers a Notification
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Covered events include malware infections, credential theft, ransomware attacks, and loss of physical devices containing unencrypted data.
Covered Personal Information
The law protects the following categories of data when combined with a Colorado resident's name:
- Social Security numbers
- Driver's license or state ID numbers
- Student, military, or passport ID numbers
- Medical information
- Health insurance identification numbers
- Biometric data
- Username or email address combined with a password or security question
- Account or credit card numbers combined with required access codes
Notification Timeline
| Requirement | Timeline |
|---|---|
| Notice to affected consumers | Within 30 days of determining a breach occurred |
| Notice to Colorado AG | Within 30 days (when 500 or more Colorado residents are affected) |
| Notice to credit reporting agencies | Required when 1,000 or more residents are affected |
Colorado's 30-day consumer notification deadline is one of the strictest in the country. The law requires notice "in the most expedient time possible and without unreasonable delay." If an entity learns that a breach may have occurred, it must conduct a prompt, good-faith investigation to determine whether personal information has been or is likely to be misused.
Content of Breach Notices
Consumer notices must include the dates of the breach, a description of the personal information involved, contact information for the entity, contact information for the FTC and credit reporting agencies, and instructions for protecting accounts if credentials were compromised.
Governmental entities must comply with a parallel statute, C.R.S. § 24-73-103, which imposes similar requirements.
Data Disposal Requirements
Colorado law (C.R.S. §§ 6-1-713 and 6-1-713.5) requires entities to develop written policies for the disposal of paper and electronic documents containing personal identifying information and to implement reasonable security procedures for destruction.
Penalties for Violations
Violations of the Colorado Privacy Act are treated as deceptive trade practices under the Colorado Consumer Protection Act. The Attorney General and district attorneys may seek civil penalties through court proceedings.
Penalty Schedule
| Violation Type | Maximum Penalty |
|---|---|
| Standard CPA violation | Up to $20,000 per violation |
| Violation against older adults (65+) | Up to $50,000 per violation |
| Children's data violation (negligent) | Up to $2,500 per affected minor |
| Children's data violation (intentional) | Up to $7,500 per affected minor |
The $500,000 aggregate cap for a related series of violations was removed in 2019 by HB 19-1289. There is now no ceiling on total penalties for widespread violations.
Cure Period Expired
From July 1, 2023, through January 1, 2025, the CPA included a mandatory 60-day cure period. During that window, before pursuing enforcement, the AG or district attorney was required to send a notice letter giving the alleged violator 60 days to cure a remediable violation.
As of January 1, 2025, the mandatory cure period has expired. The Attorney General now has full discretion to pursue enforcement action without first offering an opportunity to cure. This represents a substantial increase in enforcement risk for noncompliant businesses.
Enforcement Record
Attorney General Phil Weiser launched CPA enforcement on July 12, 2023. Throughout 2024 and into 2025, the Attorney General's Technology and Privacy Protection (TAPP) Unit sent warning letters to businesses identified as potentially noncompliant, with particular focus on UOOM compliance, sensitive-data consent failures, and inadequate privacy notices. With the cure period now ended, those warning letters can transition directly to enforcement actions.
In September 2023, the AG settled with Broomfield Skilled Nursing and Rehabilitation Center over a 2021 data breach in which compromised employee email accounts exposed patient and employee data. The facility paid a fine, agreed to overhaul its security practices, implement annual security reviews, and submit compliance reports to the AG.
Colorado AI Act: From SB 24-205 to SB 26-189
Colorado's approach to artificial intelligence regulation has been the most dynamic and contested aspect of its privacy framework between 2024 and 2026.

Original Law: SB 24-205
Governor Polis signed Senate Bill 24-205 on May 17, 2024. The law required developers and deployers of high-risk AI systems to use reasonable care to protect consumers from "algorithmic discrimination." It was the first comprehensive state AI accountability law in the United States and was modeled in part on the EU AI Act. The original effective date was February 1, 2026.
First Postponement: SB 25B-004
On August 28, 2025, Governor Polis signed SB 25B-004, a bill that postponed SB 24-205's implementation. The new effective date was moved to June 30, 2026.
Federal Court Stay
On April 27, 2026, Magistrate Judge Cyrus Y. Chung of the U.S. District Court for the District of Colorado granted a joint motion from xAI and the Colorado Attorney General staying enforcement of SB 24-205. AG Weiser committed in the court filing that his office would not promulgate implementing rules and would not enforce the Act until after the current legislative session concluded and any resulting rulemaking was complete.
Replacement: SB 26-189
Governor Polis signed Senate Bill 26-189 on May 14, 2026. SB 26-189 effectively replaces SB 24-205's comprehensive risk-management framework with a narrower notice-and-transparency model. In particular, the new law:
- Drops the original law's requirements for annual impact assessments, risk management programs, and extensive algorithmic discrimination duties
- Replaces those requirements with notice-and-transparency obligations for high-risk AI deployments
- Sets a new effective date of January 1, 2027, contingent on the AG completing rulemaking
- Retains the core prohibition on algorithmic discrimination in certain consequential decisions
For businesses that were preparing to comply with SB 24-205's heavier framework, SB 26-189 significantly reduces the compliance burden while preserving the law's core notice obligations.
Recent Amendments and Rulemaking Timeline
Colorado's data privacy framework has expanded through multiple legislative and rulemaking cycles. Here is a consolidated timeline of all key developments through May 2026.
Legislative Amendments
| Date | Law | Subject |
|---|---|---|
| May 17, 2024 | SB 24-205 | AI Act, high-risk systems (original eff. date Feb 1, 2026; replaced) |
| May 31, 2024 | SB 24-041 | Children's online data protections (effective Oct 1, 2025) |
| May 31, 2024 | HB 24-1130 | Biometric identifier protections (effective July 1, 2025) |
| May 23, 2025 | SB 25-276 | Precise geolocation added as sensitive data category |
| Aug 28, 2025 | SB 25B-004 | Delayed SB 24-205 to June 30, 2026 |
| May 14, 2026 | SB 26-189 | Replaced SB 24-205; notice-and-transparency framework, eff. Jan 1, 2027 |
CPA Rulemaking Rounds
| Round | Filing Date | Key Subjects | Effective Date |
|---|---|---|---|
| Initial rules | March 15, 2023 | Full CPA implementation (4 CCR 904-3) | July 1, 2023 |
| Second round | December 5, 2024 | Biometric data (HB 24-1130) and minors' data (SB 24-041) baseline rules | January 30, 2025 |
| Third round | October 9, 2025 | "Willfully disregard" standard for minors; prohibited system design features; geolocation "revealing" definition | Shortly after publication |
How Colorado Compares to Other State Privacy Laws
Colorado is among a growing number of states with comprehensive data privacy laws. As of May 2026, more than 20 states have enacted comprehensive consumer data privacy legislation.
Key distinctions of the Colorado CPA include:
- Universal opt-out mandate: Colorado was among the first states to require recognition of browser-level opt-out signals. California and Connecticut have similar requirements; many other states do not.
- Broad sensitive data definition: The CPA covers racial and ethnic origin, health, sexual orientation, citizenship, biometric data, children's data, and (since 2025) precise geolocation. This is one of the broader sensitive-data lists among state laws.
- No private right of action: Unlike California's CCPA (which allows limited private lawsuits for data breaches), the CPA relies entirely on AG and DA enforcement.
- Biometric scope expansion: HB 24-1130 applies to any entity processing Colorado residents' biometric data, regardless of whether the entity meets the CPA's threshold requirements.
- AI accountability law: Colorado is one of the first states to legislate AI accountability for high-risk systems, though the framework has been substantially scaled back from its original form.
Federal Overlay: Laws That Apply Alongside the CPA
Several federal laws operate alongside Colorado's state privacy framework. Businesses operating in Colorado must comply with both.
TAKE IT DOWN Act (Pub. L. 119-12)
President Trump signed the TAKE IT DOWN Act on May 19, 2025. The law criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes. The criminal prohibition took effect immediately upon signing. The platform takedown obligations took effect May 19, 2026, requiring covered platforms to remove nonconsensual intimate images within 48 hours of a valid takedown request. The FTC enforces the platform obligations.
HIPAA
The Health Insurance Portability and Accountability Act governs covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates. Data covered by HIPAA is exempt from the CPA's requirements. Colorado hospitals, physician practices, and health insurers are subject to HIPAA's Privacy Rule and Security Rule rather than the CPA for patient health information.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions subject to GLBA and their affiliates are exempt from the CPA. GLBA requires financial institutions to maintain written information security programs and to provide annual privacy notices to customers.
Fair Credit Reporting Act (FCRA)
Data covered by the FCRA is exempt from the CPA. Consumer reporting agencies and users of consumer reports must comply with FCRA's accuracy, dispute, and disclosure requirements.
Children's Online Privacy Protection Act (COPPA)
COPPA (15 U.S.C. §§ 6501-6506) applies to operators of websites and online services directed to children under 13 and to operators that have actual knowledge they are collecting personal information from children under 13. Colorado's SB 24-041 extends similar protections to minors under 18 at the state level, going further than COPPA's federal floor.
FTC Act Section 5
The Federal Trade Commission Act's prohibition on unfair or deceptive acts or practices (15 U.S.C. § 45) applies to businesses regardless of whether a state privacy law covers them. The FTC has used Section 5 to bring enforcement actions against companies that violated their own privacy policies or engaged in deceptive data practices.
American Privacy Rights Act (APRA)
Congress introduced the American Privacy Rights Act in 2024 as a bicameral comprehensive federal privacy bill. It did not pass in the 118th Congress. A revised version (APRA 2.0) was introduced in 2025. As of May 2026, no federal comprehensive privacy law has been enacted.
Practical Compliance Steps for Businesses
Colorado businesses subject to the CPA should take the following steps.

Immediate Priorities
- Audit your data inventory. Map what personal data you collect, from whom, why, and who you share it with. This is the foundation for every other compliance obligation.
- Publish a compliant privacy notice. The notice must cover data categories, processing purposes, consumer rights, third-party sharing, and your UOOM process.
- Implement UOOM recognition. If your site is subject to the CPA, it must detect and honor GPC signals for opt-out of data sales and targeted advertising.
- Build consumer request workflows. You need a mechanism for consumers to submit access, correction, deletion, portability, and opt-out requests, and a process for responding within 45 days.
- Execute data-processing agreements with all processors. Written contracts must specify the nature, purpose, type of data, duration, and the rights and obligations of both parties.
For Biometric Data Processors (July 2025 onward)
- Publish a written biometric data policy with retention schedules, deletion timelines, and security incident protocols
- Obtain consent before any biometric collection
- Program automatic deletion at the earliest of the three deletion triggers (purpose satisfied, 24 months after last interaction, or 45 days after determining storage is no longer necessary)
For Operators Serving Minors (October 2025 onward)
- Audit whether your service is likely used by consumers under 18
- Obtain consent before targeted advertising, data sales, or significant-effect profiling involving minors
- Conduct data protection assessments for processing that creates heightened harm risk to minors
- Disable or redesign features that are designed to increase minor usage beyond what is necessary to provide the service
AI Systems (Effective January 1, 2027 Under SB 26-189)
- Identify whether your AI systems are "high-risk" under the replacement law's definitions
- Prepare for notice-and-transparency obligations when high-risk AI systems are deployed in consequential decision contexts
- Monitor rulemaking from the AG's office; implementing rules must be completed before the law takes effect
How Colorado Residents Can Exercise Their Privacy Rights
Colorado residents can exercise their CPA rights directly with any business subject to the law. The law does not require businesses to accept rights requests through any specific channel, but most covered companies maintain a designated web form or email address for privacy requests.
For complaints about CPA violations, Colorado residents can file a complaint with the Attorney General's office at coag.gov/file-a-complaint/data-privacy-data-breach/. The AG's TAPP Unit reviews complaints and can open investigations.
To use the Global Privacy Control opt-out mechanism, Colorado residents can enable GPC in a compatible browser or through a browser extension. Once activated, GPC automatically sends an opt-out signal to every website that is required to honor it. More information is available at globalprivacycontrol.org.