Colorado Privacy Act Compliance Checklist (2026)

Businesses that process the personal data of Colorado residents face one of the most detailed and enforcer-friendly controller-duty stacks in the country under the Colorado Privacy Act (CPA), C.R.S. sections 6-1-1301 through 6-1-1313, and the Attorney General's implementing rules at 4 CCR 904-3. Two features make the CPA genuinely different from most other state privacy laws: nonprofits are NOT broadly exempt, and since July 1, 2024, controllers must automatically honor Global Privacy Control browser signals as valid opt-outs. The 60-day cure period that once softened enforcement sunsetted on January 1, 2025. This nine-step checklist walks through every required compliance obligation so you can identify gaps before an enforcement investigation begins.
For a plain-language overview of the Colorado Privacy Act and how it fits the national state-privacy landscape, see the Colorado data privacy law overview.
Step 1: Run the Applicability Self-Test
You are a covered controller under the CPA if you conduct business in Colorado or target products or services to Colorado residents AND you meet either of two data-volume thresholds. The first is processing the personal data of at least 100,000 Colorado consumers during a calendar year. The second is processing data of at least 25,000 consumers while also deriving revenue, or receiving any discount on goods or services, from the sale of personal data. C.R.S. section 6-1-1302(1).
The second threshold is significantly broader than Virginia's equivalent prong. Virginia requires that more than 50 percent of gross revenue come from data sales. Colorado requires only that the controller derives any revenue or receives any discount from data sales. A company that earns even a nominal amount from selling data and processes 25,000 or more consumer records is within scope.
"Consumer" under the CPA means a Colorado resident acting in an individual or household capacity. Business-to-business interactions and employer-employee data are not included in the consumer count. "Sale" means exchange of personal data for monetary consideration or other valuable consideration to a third party.
Key questions to ask
- How many unique Colorado residents appear in your systems across all products, services, and website traffic during the calendar year?
- Do you exchange personal data with any third party for money or other valuable consideration? If so, how many consumers does that data cover?
- Do you conduct business in Colorado or offer products or services directed at Colorado residents, even if headquartered elsewhere?
If you cross 100,000 consumer records, or if you sell data at all and cross 25,000 records, continue through this checklist. If neither threshold applies, document that conclusion and revisit it annually as your data footprint grows.
Step 2: Check Entity and Data Exemptions, Including the Nonprofit Trap
Even if you clear both thresholds, the CPA exempts certain entities entirely. Entity-level exemptions under C.R.S. section 6-1-1304 include: financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act; air carriers subject to Federal Aviation Administration regulation; national securities associations registered under the Securities Exchange Act; and Colorado state and local governments and state institutions of higher education.
What the CPA does NOT include in its entity-level exemptions is nonprofits. This is one of the most consequential structural differences between the CPA and Virginia's VCDPA, Texas's TDPSA, and several other state privacy laws that blanket-exempt nonprofit organizations. A 501(c)(3), trade association, or advocacy nonprofit that conducts business in Colorado and meets either data threshold is a covered controller under the CPA. SB 24-129, passed in 2024, addressed narrow member-data questions for nonprofits but did not create a general entity-level exemption.
The CPA also carves out specific categories of data at the data level, regardless of what entity holds them. These data-category exemptions under C.R.S. section 6-1-1304 include: HIPAA-protected health information; consumer credit data regulated by the Fair Credit Reporting Act; FERPA-protected education records; personal data of children regulated under COPPA; personal data processed in the context of employment; and data covered by the Driver's Privacy Protection Act.
How to apply the dual-check
The entity and data exemptions operate independently. A GLBA-regulated bank is exempt as an entity across the board. A technology company that is not GLBA-covered may still hold some data streams that are exempt at the data level, such as HIPAA-regulated health records processed on behalf of covered entities. But that same company owes full CPA obligations for all non-exempt data it processes.
Work through each data category in your systems: (a) Is our entity exempt? (b) Even if not, is this specific data stream exempt? Apply both questions before treating any data type as CPA-regulated.
Step 3: Post a Compliant Privacy Notice
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice on all interfaces through which consumers regularly interact, including mobile applications. C.R.S. section 6-1-1308(1) specifies five required disclosures:
- The categories of personal data collected or processed by the controller or its processors
- The purposes for which each category of personal data is processed
- How and where consumers may exercise their five rights under the CPA, and how to appeal a denial
- The categories of personal data shared with third parties
- The categories of third parties with whom personal data is shared
If you sell personal data or process it for targeted advertising, the notice must also include a clear and conspicuous disclosure of that practice and the mechanism consumers can use to opt out.
Beyond the notice content, controllers are subject to six affirmative duties under C.R.S. section 6-1-1308(2): transparency, purpose specification, data minimization, care (reasonable security), avoiding secondary use incompatible with disclosed purposes, and avoiding processing that violates anti-discrimination laws. These duties apply regardless of whether a consumer submits a request.
Privacy notice checklist
| Required element | Covered? |
|---|---|
| Categories of personal data collected or processed | |
| Purposes of processing for each category | |
| How to submit a consumer rights request | |
| How to appeal a denied request, including AG contact | |
| Categories of data shared with third parties | |
| Categories of third parties receiving data | |
| Sale or targeted-advertising disclosure (if applicable) | |
| Opt-out mechanism for sale and targeted advertising (if applicable) | |
| Explanation of how UOOM and GPC signals are handled (Rule 6.03(4)(e)) | |
The AG's Rules at 4 CCR 904-3 require plain, straightforward language. A layered notice approach is acceptable for complex data practices, but core disclosures must be surfaced in the first layer.
Step 4: Honor the Universal Opt-Out Mechanism and Global Privacy Control
This is the compliance obligation most often overlooked by controllers who have otherwise implemented strong privacy programs. Since July 1, 2024, the CPA requires controllers to recognize and honor approved Universal Opt-Out Mechanisms (UOOMs). C.R.S. section 6-1-1306(1)(a)(III).
The Colorado Attorney General currently recognizes one UOOM: Global Privacy Control (GPC). GPC is a browser-level privacy signal built into certain browsers and extensions that allows users to express a persistent, site-independent opt-out of data sale and targeted advertising. When a consumer with GPC enabled visits your website or uses your application, you must treat that signal as a valid opt-out request automatically, without requiring the consumer to separately click a "Do Not Sell" link.
Colorado is the only state to impose this UOOM obligation through a formal, AG-maintained public registry. The current list of recognized UOOMs is published at coag.gov/opt-out/. Controllers must monitor the registry, because the AG may recognize additional mechanisms in the future.
Under 4 CCR 904-3, Rule 6.03(4)(e), your privacy policy must include an explanation of how UOOM requests, including GPC signals, will be processed. The AG has made clear that a privacy policy that does not address GPC is deficient even if the underlying technical implementation is in place.
Technical implementation steps
- Implement server-side or client-side detection of the Sec-GPC: 1 HTTP header and the navigator.globalPrivacyControl JavaScript property.
- Map detected GPC signals to your existing opt-out data pipeline for data sale and targeted advertising.
- Confirm that GPC opt-outs persist across sessions and devices where technically feasible.
- Add a paragraph to your privacy policy explaining that you recognize GPC as a valid UOOM and describing how the signal triggers an opt-out.
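The detection and mapping steps above, as an added example that is not code from the original page or from any Colorado AG resource; the function names (gpcFromHeaders, gpcFromNavigator, resolveOptOut) and the storedOptOut field are assumptions standing in for your own opt-out pipeline.

```javascript
// Added example: detect the Global Privacy Control signal on the server
// (Sec-GPC request header) and in the browser (navigator.globalPrivacyControl)
// and map it onto an opt-out decision for data sale and targeted advertising.
//
// Per the GPC specification, the only valid opt-out header value is the
// literal string "1" and the browser property is the boolean true. Anything
// else is "no signal", which is NOT the same as "the consumer opted in".

// True only when the Sec-GPC header carries the exact value "1".
// Accepts a plain headers object (any key casing) or a Map/Headers-like
// object with a get() method.
function gpcFromHeaders(headers) {
  let value;
  if (headers && typeof headers.get === "function") {
    value = headers.get("sec-gpc");
  } else if (headers) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
    value = key === undefined ? undefined : headers[key];
  }
  if (Array.isArray(value)) value = value[0]; // some frameworks give arrays
  return typeof value === "string" && value.trim() === "1";
}

// True only when navigator.globalPrivacyControl is the boolean true.
// Pass the real navigator object in the browser; a plain object in tests.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the effective opt-out state for one request.
// storedOptOut (assumed field) is the consumer's persisted opt-out, if any.
// The signal can only turn an opt-out ON: absence of the signal on a later
// visit never clears a persisted opt-out, so opt-outs survive across
// sessions and devices where the stored record is available.
function resolveOptOut({ headers, navigator: nav, storedOptOut }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optedOut = Boolean(storedOptOut) || signal;
  return {
    optedOut,                          // if true, block sale and targeted ads
    source: signal ? "gpc" : optedOut ? "stored" : "none",
    persist: signal && !storedOptOut,  // newly detected: write it to storage
  };
}

// Constructed sample requests for a stand-alone run.
console.log(resolveOptOut({ headers: { "Sec-GPC": "1" } }));
console.log(resolveOptOut({ headers: {}, storedOptOut: true }));
console.log(resolveOptOut({ headers: { "sec-gpc": "0" } }));
```

Wire resolveOptOut into the request path before any ad-tech or data-sharing call fires, and log each persisted GPC opt-out with a timestamp so the record can support the 24-month request log described in Step 8.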
Step 5: Obtain Opt-In Consent for Sensitive Data
Before processing any sensitive data, the CPA requires affirmative opt-in consent. "Consent" under C.R.S. section 6-1-1303(6) means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to the processing. Pre-ticked boxes, bundled consent buried in terms of service, and inferred agreement from continued use of a service do not satisfy this standard.
Sensitive data is defined in C.R.S. section 6-1-1303(24) to include eight categories:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or immigration status
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a natural person
- Precise geolocation data
- Personal data collected from a known child
- Financial account numbers combined with access credentials (added by rule)
The precise geolocation category covers data that identifies the specific location of a person within a radius that could reveal a home address or other sensitive location. Any application that collects GPS coordinates, or any analytics platform that processes precise device-location data, likely triggers this requirement.
For children under 13 on online platforms (effective October 1, 2025 under SB 24-041), you must obtain both the child's assent and verifiable parental consent before processing. SB 24-041 also requires controllers offering online services to known minors to use reasonable care to avoid heightened risk of harm and to conduct data protection assessments whenever that heightened risk is present.
Sensitive data consent design
A compliant opt-in for sensitive data must be: (a) presented before processing begins, not retroactively; (b) specific to the sensitive data category and its processing purpose; (c) not conditioned on access to the core service to the extent possible; and (d) easily revocable by the consumer. Review all onboarding flows, health questionnaires, account creation screens, and location permission requests against these requirements.
Note also the biometric-specific layer added by HB 24-1130, effective July 1, 2025. Controllers processing biometric identifiers must adopt and publish a written retention and deletion schedule, store biometric data using the industry standard of care, and cannot condition employment on biometric consent.
Step 6: Conduct Data Protection Assessments
Written data protection assessments (DPAs) are mandatory before initiating any processing activity that presents a heightened risk of harm to a consumer. C.R.S. section 6-1-1309(1) identifies four categories that always require an assessment:
- Processing personal data for purposes of targeted advertising
- Selling personal data
- Processing personal data for profiling where there is a reasonably foreseeable risk of significant harm, unfair or deceptive treatment, disparate impact, financial or physical injury, reputational damage, or intrusion upon seclusion
- Processing sensitive data as defined in C.R.S. section 6-1-1303(24)
Each DPA must: identify the processing activity; document the benefits that flow from the processing to the controller, consumers, and the public; identify the potential risks to consumer rights and freedoms; describe the safeguards and technical or organizational measures in place to offset those risks; and weigh benefits against residual risks after safeguards are applied. C.R.S. section 6-1-1309(2)-(3).
A single assessment may cover a set of comparable processing operations rather than requiring a separate document per campaign or vendor relationship. However, materially new or modified processing activities require a new or updated assessment.
The retroactivity rule
DPA requirements are expressly not retroactive. Under C.R.S. section 6-1-1309, they apply only to processing activities created or generated after July 1, 2023. Existing processing operations that predate that cutoff do not require a retroactive assessment, but any new or materially modified processing since that date does. "Materially modified" should be interpreted conservatively: a new data-sharing partner, a new processing purpose for existing data, or a new algorithmic profiling use case all likely require a fresh assessment.
AG demand authority
The Attorney General may request completed assessments through a civil investigative demand. C.R.S. section 6-1-1309(4). Assessments disclosed to the AG are confidential under the Colorado Open Records Act and retain applicable attorney-client privilege or work-product protections. Treat all DPAs as potentially discoverable enforcement documents from the moment they are drafted, and involve legal counsel in their preparation.
Step 7: Execute Processor Contracts
Every vendor, service provider, or other third party that processes personal data on your behalf must be governed by a binding written controller-processor contract before processing begins. C.R.S. section 6-1-1305(2)-(6).
The contract must specify: the instructions for processing personal data; the nature and purpose of processing; the type and categories of personal data subject to processing; and the duration of the processing engagement. Those scope elements define the outer boundary of the processor's authorized activities.
Mandatory contract provisions
Beyond the scope elements, the CPA's processor contract must require the processor to:
- Maintain confidentiality: All personnel who access or handle personal data must be bound by confidentiality obligations.
- Delete or return data: Upon termination or on the controller's request, the processor must delete or return all personal data to the controller.
- Demonstrate compliance: The processor must provide the controller with all information necessary to demonstrate compliance with CPA obligations.
- Cooperate with audits: The processor must submit to and cooperate with audits or independent assessments requested by the controller or the AG.
- Flow down to sub-processors: The processor must bind any sub-processors it engages in a written contract imposing equivalent obligations.
Vendor inventory
Build a complete data-flow inventory before auditing contracts. List every third party that touches personal data you control: cloud infrastructure providers, advertising platforms, analytics vendors, CRM and marketing automation tools, payment processors, HR platforms, and any SaaS application that receives data from your systems. Determine whether each relationship is a processor relationship (the third party acts under your instructions) or a separate controller relationship (the third party determines its own processing purposes). Processor relationships require a CPA-compliant contract. Third-party controller relationships require a different instrument, typically a data-sharing agreement with representations about independent compliance.
Step 8: Build Consumer Rights Response Workflows
Colorado consumers have five rights under the CPA: access, correction, deletion, portability, and opt-out (of data sale, targeted advertising, and certain profiling). C.R.S. section 6-1-1306.
Controllers must respond to authenticated consumer requests within 45 days of receipt. One extension of up to an additional 45 days is available if the consumer is notified within the original 45-day window of the need for more time and the reason for the extension. The first request within a 12-month period must be fulfilled at no charge to the consumer. C.R.S. section 6-1-1306(3).
The appeal requirement
If you deny a consumer request in whole or in part, you must: (a) provide the consumer with a written explanation of your basis for denial; (b) establish and offer an internal appeal process; and (c) decide the appeal within 45 days of receipt. If the appeal is also denied, you must provide the consumer with an online method to contact the Colorado Attorney General to submit a complaint. C.R.S. section 6-1-1306(4); 4 CCR 904-3, Rule 7.04.
Record retention
Maintain records of all consumer rights requests, the actions taken or basis for denial, and any appeal resolutions for at least 24 months. These records are the primary evidence that will be examined if the AG opens an investigation. A generic log saying "request received and denied" is insufficient. Document the specific claim raised, the legal basis for any refusal, and the date and substance of any communication sent to the consumer.
For a full overview of Colorado's privacy framework, including how consumer rights fit within the broader CPA structure, see the Colorado data privacy law overview.
Step 9: Understand Enforcement: No Cure Period, No Private Suit, $20,000 Per Violation
The CPA is enforced exclusively by the Colorado Attorney General and district attorneys. There is no private right of action for consumers. C.R.S. section 6-1-1310 states expressly that "THIS PART 13 DOES NOT AUTHORIZE A PRIVATE RIGHT OF ACTION FOR A VIOLATION OF THIS PART 13." No individual, plaintiff's firm, or class action can sue for a CPA violation. C.R.S. section 6-1-1311.
CPA violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Civil penalties under C.R.S. section 6-1-112 are up to $20,000 per violation. The AG may also seek injunctive relief and recover investigative costs including attorney fees.
The cure-period sunset
The original CPA included a 60-day cure period requiring the AG or a district attorney to give a controller written notice of an alleged violation before filing suit. That provision was effective only through January 1, 2025, and it sunsetted on that date. Beginning January 1, 2025, the AG and district attorneys may bring enforcement actions against noncompliant controllers without first issuing a cure notice. There is no grace period, no required warning letter, and no right to cure the violation before penalties accrue.
One limited exception: under SB 24-041's child-data provisions added in C.R.S. sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5, a separate 60-day cure notice is still required before enforcement of those specific children's-data sections. That child-data cure provision is itself scheduled to expire on December 31, 2026.
UPCOMING: SB 25-276 Geolocation Change (August 12, 2026)
SB 25-276, signed in 2025 and effective August 12, 2026, amends the CPA's treatment of precise geolocation data. Controllers should review the updated statutory text before that date to confirm whether processing activities involving location data require revised consent mechanisms, DPA updates, or privacy-notice amendments. This date-flagged change is not yet in force.
Compliance program elements
- Designate a named internal owner for CPA compliance with documented authority and budget.
- Maintain a compliance calendar: annual applicability threshold review, privacy notice audit, DPA review for new processing activities, UOOM registry check, and processor contract audit.
- Train customer-service, engineering, and marketing staff on the consumer request workflow, the GPC detection requirement, and the sensitive-data consent rules.
- Keep all DPAs, processor contracts, consent records, and consumer request logs in a documented, retrievable system. The AG's civil investigative demand authority means you need to be able to produce these documents on a short timeline.
Sources
- C.R.S. sections 6-1-1301 through 6-1-1313 (Colorado Privacy Act), SB21-190. https://leg.colorado.gov/bills/sb21-190
- 4 CCR 904-3 (Colorado Privacy Act Rules, finalized March 15, 2023). https://coag.gov/press-releases/3-15-23/
- SB 24-041: Privacy Protections for Children's Online Data (signed May 31, 2024, effective October 1, 2025). https://leg.colorado.gov/bills/sb24-041
- HB 24-1130: Privacy of Biometric Identifiers and Data (effective July 1, 2025). https://leg.colorado.gov/bills/hb24-1130
- SB24-129: Nonprofit Member Data Privacy and Public Agencies. https://leg.colorado.gov/bills/sb24-129
- SB 25-276: Geolocation Data under the Colorado Privacy Act (effective August 12, 2026). https://leg.colorado.gov/bills/sb25-276
- Colorado AG Universal Opt-Out Mechanism Registry (GPC recognized July 1, 2024). https://coag.gov/opt-out/
- Colorado AG CPA Resource Page. https://coag.gov/resources/colorado-privacy-act/
- Colorado AG FAQ: Data Protection Laws for Businesses. https://coag.gov/resources/data-protection-laws/