Colorado Privacy Act Consumer Rights & How to Use Them

If you live in Colorado, the Colorado Privacy Act (C.R.S. sections 6-1-1301 through 6-1-1314, effective July 1, 2023) gives you seven specific rights over the personal data companies collect about you (counting the three opt-outs separately), and lets you exercise two of them, the opt-outs from targeted advertising and data sales, automatically through a browser signal called the Global Privacy Control. Here is every right you have, how to use it, and what to do when a company says no.
Who Is Protected by the Colorado Privacy Act?
The CPA protects Colorado residents, defined as "consumers" under C.R.S. section 6-1-1303, acting in a personal or household capacity. The rights described in this article do not apply to data your employer holds about you in your capacity as an employee; the statute expressly excludes data processed in a commercial or employment context.
The law covers "controllers," meaning the businesses that decide how and why personal data is processed. A controller is subject to the CPA if it, during a calendar year, processes personal data of at least 100,000 Colorado consumers, or processes personal data of at least 25,000 Colorado consumers and derives revenue (or receives a discount on the price of goods or services) from selling personal data. Unlike Virginia's and Connecticut's laws, the CPA sets no percentage-of-revenue threshold for the second prong. Small businesses with limited Colorado user bases may fall below these thresholds.
Rights under the CPA do not extend to de-identified data or to data processed for certain exempt purposes such as fraud prevention, research under ethical board oversight, journalism, or compliance with a legal obligation. For most data collected by apps, retailers, data brokers, and online platforms, however, your rights apply in full.
For a broader explanation of how the law works and which businesses it covers, see What is the Colorado Privacy Act.
Right to Access: Get a Copy of Your Data
Under C.R.S. section 6-1-1306(1)(b), you can ask any covered company to confirm whether it is processing personal data about you and to give you a copy of that data. The right has two components: the confirmation right (does the company hold your data at all?) and the access right (show me the specific data you have).
4 CCR 904-3 Rule 4.04 requires that the response be delivered in a form that is "concise, transparent and easily intelligible," in a commonly used electronic format, and in your preferred language of interaction. A company may redact sensitive identifiers such as government ID numbers, financial account numbers, and biometric templates from an access response, but it must still inform you that it holds those categories of data.
How to exercise it: Look in the website's footer for links labeled "Privacy Rights," "Consumer Privacy Request," "Your Privacy Choices," or "Data Access Request." Under Rule 4.02, companies must provide at least two designated submission methods. You may be asked to verify your identity, but the company should authenticate you using information it already holds rather than requiring you to supply new personal data.
The company must respond within 45 days of receiving your authenticated request, per C.R.S. section 6-1-1306(2)(a). If the complexity or number of requests requires more time, it may extend by one additional 45-day period, but must notify you before the original window expires. Your first request within any 12-month period is free. A second or subsequent request within the same 12-month period may carry a fee calculated under C.R.S. section 6-1-1306(2)(c), which cross-references the Colorado Open Records Act rate of up to $0.25 per standard page for paper records. No per-page fee applies when records are delivered in a digital or electronic format, which covers the vast majority of CPA data responses.
Right to Correct Inaccurate Data
C.R.S. section 6-1-1306(1)(c) lets you require a company to fix inaccuracies in personal data it holds about you, taking into account the nature of the data and the purposes of processing. This right matters most for data that affects decisions made about you, such as credit-adjacent profiles, health records, contact information, or behavioral scores.
4 CCR 904-3 Rule 4.05 sets a notably consumer-friendly standard: if the company lacks original documentation and you assert the data is wrong, your assertion alone is sufficient. The only ground on which a controller may deny a correction request is a determination that the contested data is "more likely than not accurate." That is the company's burden to establish, not yours.
How to exercise it: Submit a correction request through the company's privacy rights channel. Identify the specific field or data point you believe is inaccurate and, where possible, provide evidence of the correct value. The company has 45 days to respond, extendable by 45 more days with notice. It must tell you what action it took or provide a reason for declining.
If the company disputes your correction, the denial triggers your right to appeal, described in a later section.
Right to Delete Your Personal Data
Under C.R.S. section 6-1-1306(1)(d), you can request permanent deletion of personal data a company holds about you. This covers both data you supplied directly, such as account information and purchase history, and data the company obtained from third parties or derived through profiling.
4 CCR 904-3 Rule 4.06 specifies two permissible deletion methods: the company must either permanently and completely erase the data from its existing systems, or de-identify it such that it can no longer be linked to you. Critically, the company must also instruct each of its data processors, the vendors and contractors it shares your data with, to delete your data as well. For archived or backup copies, deletion may be delayed until the backup is restored or next accessed.
How to exercise it: Submit a deletion request through the company's privacy portal or designated email. Be as specific as you can about the categories of data you want erased. The 45-day response clock starts on receipt of your authenticated request.
Deletion is not absolute. The CPA permits controllers to retain data that is necessary to complete a transaction, to detect security incidents, to comply with a legal obligation, to exercise free speech rights, or to perform certain research functions. If a company declines a deletion request in part or in full, it must explain which exemption applies.
Right to Data Portability: Take Your Data With You
C.R.S. section 6-1-1306(1)(e) gives you the right to obtain a copy of your personal data in a portable format that lets you transmit it to another service or controller without obstruction. Portability differs from the access right because it is specifically designed for data transfer, not just review.
4 CCR 904-3 Rule 4.07 requires the data to be delivered "via a secure method in a commonly used electronic format" that "is readily usable" and allows you to move the data to another entity. Common formats include CSV and JSON. A company may withhold data that would reveal trade secrets, but must provide as much of your raw data as possible and may not use technical complexity as a blanket excuse.
How to exercise it: Request a data export through the company's privacy rights channel, specifying that you want a portable copy. Save confirmation of your submission. The company must respond within 45 days, extendable by 45 more days with notice. Your first export request within any 12-month period is free. Because CPA portability responses are delivered electronically, no per-page copy fee applies to subsequent requests delivered in digital format.
For data that contains inferences the company derived internally, the company may have more discretion to withhold trade-secret-derived conclusions, but underlying observable data about your behavior must be provided.
Right to Opt Out: Targeted Ads, Data Sales, and Profiling
C.R.S. section 6-1-1306(1)(a)(I) grants three distinct opt-out rights that you can exercise separately or together:
- Targeted advertising. Stop the use of your personal data, gathered across different websites, apps, or offline sources, to select ads tailored to your inferred interests or characteristics. This covers cross-context behavioral advertising regardless of whether your data was sold.
- Sale of personal data. Stop the exchange of your personal data with a third party for monetary or other valuable consideration. Colorado's definition, like California's, is not limited to cash transactions; Virginia's VCDPA, by contrast, counts only exchanges for monetary consideration as a "sale."
- Profiling in furtherance of significant decisions. Stop automated processing that produces legal or similarly significant effects concerning you. Under 4 CCR 904-3 Rule 9.04, this opt-out applies specifically when profiling drives decisions affecting financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment, healthcare, or access to other essential goods and services.
Under Rule 4.03, companies must cease processing for the opted-out purpose "as soon as feasibly possible without undue delay" after you exercise an opt-out right.
How to exercise it: Look for "Do Not Sell My Data," "Opt Out of Targeted Advertising," or "Colorado Privacy Rights" links, typically in the site footer. You can exercise all three opt-outs through the company's direct form, or, for the first two, through a single browser-level action using the Global Privacy Control as described in the next section.
Colorado's Signature Feature: The Universal Opt-Out Mechanism and Global Privacy Control
Colorado was the first state whose privacy statute requires covered companies to honor a browser-level opt-out signal. Beginning July 1, 2024, C.R.S. section 6-1-1313(2) requires every controller subject to the CPA to recognize any Universal Opt-Out Mechanism (UOOM) on the Colorado Attorney General's approved list. The AG publishes and maintains that list at coag.gov/opt-out/ and may update it periodically under 4 CCR 904-3 Rule 5.07.
As of this writing (2025), the Global Privacy Control (GPC) is the only mechanism on the AG's recognized list.
What GPC does: When GPC is active in your browser, it adds an HTTP request header (Sec-GPC: 1) to every request your browser sends and exposes a JavaScript property (navigator.globalPrivacyControl, set to true) to scripts running on each page you visit. A Colorado-covered controller that receives this signal is legally required to treat it as an opt-out request for targeted advertising and data sales, automatically, without any additional steps on your part. You do not need to find each company's privacy portal or submit individual forms.
What GPC does not cover: Per 4 CCR 904-3 Rule 5.03, controllers are required to honor UOOM signals only for the two statutory opt-out purposes, targeted advertising and sale. The profiling opt-out under Rule 9.04 is not covered by GPC and must be exercised directly through the company's opt-out mechanism. Controllers may also verify Colorado residency before treating a GPC signal as mandatory, though they are not required to do so.
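To make the two preceding paragraphs concrete, here is an added example (it is not code from the original article, from the Colorado AG, or from the GPC project) showing what a site's back end and a page script actually see when the signal is present. The header name Sec-GPC, the value "1", and the /.well-known/gpc.json resource with its gpc and lastUpdate fields come from the GPC specification; the purpose names, request shapes, and sample headers are constructed for illustration. The example also carries through the Rule 5.03 limit described above: a GPC signal switches off targeted advertising and sale, but profiling can only be opted out of directly.

```javascript
// Added example for this article (not code from the original page, the Colorado
// AG, or the GPC project). Assumptions: `Sec-GPC` / "1" and the well-known
// resource `/.well-known/gpc.json` with `gpc` and `lastUpdate` are from the GPC
// specification; purpose names, request shapes and sample headers are constructed.

// The two purposes a UOOM signal covers under 4 CCR 904-3 Rule 5.03. Profiling
// is deliberately absent: that opt-out only arrives through the site's own form.
const UOOM_PURPOSES = ["targeted_advertising", "sale"];

// True only when a `Sec-GPC` header is present with the exact value "1".
// HTTP header names are case-insensitive, and the spec gives "1" as the only
// meaningful value, so "true", "yes" or an empty string must not count.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the browser signal with opt-outs the consumer submitted directly
// (e.g. profiling). Returns a sorted list so callers can compare results.
function effectiveOptOuts(headers, directOptOuts = []) {
  const purposes = new Set(directOptOuts);
  if (hasGpcSignal(headers)) {
    for (const p of UOOM_PURPOSES) purposes.add(p);
  }
  return [...purposes].sort();
}

// Pure request handler: returns the response the server would send. Serving
// /.well-known/gpc.json is how a site publicly declares that it honors GPC.
function handleRequest(req, directOptOuts = []) {
  if (req.url === "/.well-known/gpc.json") {
    return {
      status: 200,
      contentType: "application/json",
      body: JSON.stringify({ gpc: true, lastUpdate: "2025-01-01" }),
    };
  }
  const optOuts = effectiveOptOuts(req.headers, directOptOuts);
  return {
    status: 200,
    contentType: "text/plain",
    body: optOuts.length
      ? `Opt-outs in effect: ${optOuts.join(", ")}`
      : "No opt-outs in effect",
    optOuts,
  };
}

// Client side: a page script sees the same signal as navigator.globalPrivacyControl.
// Browsers without GPC support leave the property undefined, which reads as "no signal".
function clientHasGpc(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  firefoxWithGpc: { url: "/", headers: { "Sec-GPC": "1", "User-Agent": "Firefox" } },
  lowercaseHeader: { url: "/", headers: { "sec-gpc": "1" } },
  wrongValue: { url: "/", headers: { "Sec-GPC": "true" } },
  noSignal: { url: "/", headers: { "User-Agent": "Chrome" } },
  wellKnown: { url: "/.well-known/gpc.json", headers: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(`${name}: ${handleRequest(req).body}`);
}
```

The strict comparison against "1" matters in practice: a site that treats any non-empty Sec-GPC value as an opt-out will behave inconsistently across browsers and extensions, while one that checks for the header with the wrong letter case will miss signals from clients that lowercase header names (as HTTP/2 does).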
Comparison with other states: Connecticut's statute also mandates recognition of universal opt-out signals such as GPC. Virginia's VCDPA does not; Virginia residents must submit opt-out requests to each company individually. California's regulations under the CCPA/CPRA likewise require businesses to honor opt-out preference signals, and the California Attorney General enforced that requirement in its 2022 settlement with Sephora. What sets Colorado apart is that the mandate is written into the statute itself and tied to a list of approved mechanisms maintained by the Attorney General.
How to Enable GPC: Step-by-Step
GPC requires either a supported browser or a browser extension. The setup takes under two minutes.
Firefox (desktop and Android): Open Settings and navigate to Privacy and Security. Scroll down to the "Website Privacy Preferences" section. Check the box labeled "Tell websites not to sell or share my data." Firefox will immediately begin sending the GPC signal to every site you visit.
Brave (desktop and iOS/Android): Brave ships with GPC enabled by default. To confirm or change the setting, open Settings and go to Privacy and Security, then check the Global Privacy Control toggle. Brave's GPC implementation is built into the browser and requires no extension.
Google Chrome: Chrome does not include a native GPC setting. Install either the DuckDuckGo Privacy Essentials extension or EFF's Privacy Badger from the Chrome Web Store. Both extensions send the GPC signal on your behalf once activated. DuckDuckGo Privacy Essentials also provides tracker blocking as an additional benefit.
Apple Safari (macOS and iOS): Safari does not natively support GPC. Install DuckDuckGo Privacy Essentials from the Mac App Store or iOS App Store to enable the signal in Safari.
Once active, verify your GPC status by visiting globalprivacycontrol.org, which will confirm whether your browser is broadcasting the signal. You can also check directly: open your browser's developer tools, evaluate navigator.globalPrivacyControl in the console (it should return true), and look for a Sec-GPC: 1 request header in the Network panel. If a Colorado-covered company ignores your GPC signal, that failure is a basis for a complaint to the Colorado AG.
Sensitive Data: When You Must Give Opt-In Consent
For certain categories of personal data, the CPA reverses the default entirely. Instead of processing first and allowing you to opt out, a company must obtain your affirmative opt-in consent before processing begins at all. This is a higher standard, and it means you are never in a position of having to "catch" a company after the fact.
Under C.R.S. section 6-1-1303 and 4 CCR 904-3 Rule 7.02, sensitive data under the CPA includes:
- Data revealing racial or ethnic origin
- Data revealing religious beliefs
- Data concerning mental or physical health conditions or diagnoses
- Data concerning sex life or sexual orientation
- Data concerning citizenship or immigration status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying a person
- Precise geolocation data (defined as identifying location within a radius of 1,850 feet)
- Personal data concerning a known child
Consent under Rule 7.02 must be freely given, specific, informed, and unambiguous. Pre-checked boxes, silence, and inactivity do not qualify. If a company is processing your sensitive data without a clear consent record, that is a violation of C.R.S. section 6-1-1308 and a basis for a complaint to the Colorado AG.
Special Protections for Minors (Effective October 1, 2025)
SB 24-041, signed into law on May 31, 2024, and effective October 1, 2025, amends the Colorado Privacy Act to add heightened protections when a company knows or willfully disregards that a user is a minor.
Under SB 24-041, a controller that offers an online service, product, or feature to a consumer it knows or willfully disregards is a minor must: use reasonable care to avoid heightened risk of harm to the minor; obtain consent before engaging in targeted advertising directed at a minor; obtain consent before selling a minor's personal data to third parties; and obtain consent before profiling a minor in connection with decisions that produce legal or similarly significant consequences. Precise geolocation data of a minor may not be collected except under specified circumstances.
For consumers under 13 years of age, consent must come from a parent or legal guardian rather than the child. Controllers are not required to implement age-verification systems; a commercially reasonable age-estimation process insulates a company from liability. If a company has actual knowledge a user is a minor, however, it cannot rely on that shield.
These protections layer on top of the existing federal COPPA framework for children under 13. Colorado's SB 24-041 extends additional protections to minors aged 13 through 17 that go beyond COPPA's scope.
How to Submit a CPA Rights Request
Under 4 CCR 904-3 Rule 4.02, every covered controller must provide at least two designated methods for submitting rights requests, taking into account how consumers normally interact with the company. In practice, most companies offer:
- An online privacy portal or webform, typically linked as "Your Privacy Choices," "Colorado Opt-Out Rights," "Do Not Sell My Data," or "Consumer Privacy Request" in the website footer
- A dedicated email address such as privacy@company.com or datarights@company.com
- Some larger companies also provide a toll-free phone number
Step-by-step process:
- Find the company's privacy policy or footer link for consumer rights requests.
- Select the right you want to exercise: access, correction, deletion, portability, or opt-out of one or more purposes.
- Provide identifying information so the company can authenticate you under Rule 4.08. Typically this means your name and the email address associated with your account.
- Submit the request and save confirmation, whether a screenshot or a confirmation email with a reference number.
- The 45-day response clock starts from the date the company receives your authenticated request.
You cannot be required to create a new account to submit a request, per Rule 4.02. If you already have a password-protected account with the company, it may require you to use it for authentication. The company should not ask for more personal data than is reasonably necessary to verify your identity; Rule 4.08 instructs controllers to avoid requesting additional personal data if they can authenticate using information they already hold.
If the company cannot authenticate your request using commercially reasonable means, it may ask for additional verification rather than outright denying you. Authentication data collected solely for a rights request must be deleted as soon as practicable after the request is processed.
What to Do If a Company Denies Your Request: The CPA Appeal Process
C.R.S. section 6-1-1306(3) establishes a two-stage escalation path with clear timelines and a mandatory AG referral if both stages fail.
Stage 1: Internal appeal to the controller.
If a company denies your initial request, C.R.S. section 6-1-1306(3)(a) requires the controller to have an internal appeal process that is "conspicuously available and as easy to use as the process for submitting a request." You do not need a lawyer to submit an appeal; use the same privacy portal you used for your original request, or a separate appeal email if the company provides one.
In your appeal, clearly state that you are appealing the denial, identify your original request and the date you submitted it, and explain why you believe the denial was improper. The company must respond to your appeal in writing, with reasons, within 45 days of receiving it, under C.R.S. section 6-1-1306(3)(b). For complex appeals, the company may extend by 60 additional days but must notify you before the original window expires.
Stage 2: Colorado Attorney General complaint.
If the company denies your appeal, C.R.S. section 6-1-1306(3)(c) requires it to inform you of the ability to contact the Colorado Attorney General. File a data privacy complaint at coag.gov/file-a-complaint/data-privacy-data-breach/ or call 800-222-4444.
When filing, include the company name, dates of your original request and denial, dates of your appeal and appeal denial, and copies of all correspondence. The AG and district attorneys share enforcement authority under C.R.S. section 6-1-1311. Civil penalties may reach $20,000 per violation under Colorado's Consumer Protection Act. While the AG cannot guarantee action on every individual complaint, documented patterns of violations are a primary trigger for investigations.
If the company ignored your initial request entirely without responding within 45 days, no appeal is possible; you can file directly with the AG because there is no response to appeal.
No Retaliation: Your Right Against Discrimination
A controller covered by the CPA cannot penalize you for exercising your privacy rights. Under C.R.S. section 6-1-1308 (duties of controllers) and 4 CCR 904-3, this means a company cannot raise its prices, downgrade your service tier, deny you access to a product, or otherwise treat you differently based solely on the fact that you submitted a rights request, exercised an opt-out, or enabled GPC in your browser.
The prohibition is direct: a controller "may not increase the cost of or decrease the availability of a product or service" based solely on a consumer's exercise of a data right.
One narrow exception exists: controllers may offer bona fide loyalty program benefits to consumers who voluntarily agree to share data or to participate in targeted advertising programs. A loyalty program discount that disappears when you opt out is not automatically discrimination under the CPA, provided that the program is genuinely voluntary and disclosed. Tying basic service availability or pricing to data sharing, however, crosses the line.
If you believe a company penalized you for exercising your CPA rights, document the treatment, including any pricing or service changes and their timing relative to your request, and include that documentation in an AG complaint.
Related guides
- What Is the Colorado Privacy Act (CPA)?
- Colorado Privacy Act Compliance Checklist (2026)
- Colorado Data Privacy Laws: CPA Consumer Rights Guide (2026)
- Colorado Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)