What Is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act (CPA), codified at C.R.S. §§ 6-1-1301 through 6-1-1313, took effect on July 1, 2023, making Colorado the third state in the nation to enact a comprehensive consumer data privacy law. What sets it apart is not just the statute itself but the detailed implementing rules (4 CCR 904-3) the Attorney General adopted alongside it, including a requirement, written into the statute, that covered businesses honor the Global Privacy Control browser signal as a legally recognized opt-out.
As of 2026, the Colorado Attorney General actively enforces the CPA. The mandatory 60-day cure period that shielded businesses from immediate enforcement sunsetted on January 1, 2025, meaning the AG and district attorneys can now bring enforcement actions without first issuing a cure notice.
What the Colorado Privacy Act is: statute, enactment, and background
The Colorado Privacy Act is Colorado's comprehensive consumer data privacy statute, codified at C.R.S. §§ 6-1-1301 through 6-1-1313 as Part 13 of the Colorado Consumer Protection Act (Title 6, Article 1). Governor Jared Polis signed Senate Bill 21-190 on July 7, 2021, giving businesses nearly two years to prepare before the law took effect on July 1, 2023. That made Colorado the third state, after California and Virginia, to enact a broad consumer data privacy regime.
The CPA governs how covered businesses must collect, use, share, and safeguard the personal data of Colorado residents. Like Virginia's VCDPA, its architecture borrows significantly from the EU's General Data Protection Regulation (GDPR): it uses a controller-processor framework, mandates data protection assessments for high-risk processing activities, and requires affirmative opt-in consent for sensitive data rather than a mere opt-out mechanism. Unlike Virginia, however, Colorado went further by directing the Attorney General to promulgate detailed implementing rules and to maintain a public list of approved Universal Opt-Out Mechanisms (UOOMs) that businesses must honor.
The companion regulations, the Colorado Privacy Act Rules (4 CCR 904-3), took effect on July 1, 2023, concurrent with the statute. The AG filed those final rules on March 15, 2023, making Colorado one of a small number of states where implementing regulations and the privacy statute launched together. Those rules add specificity to consent standards, data protection assessment content requirements, and the UOOM framework that the statute alone does not provide.
For the full compliance framework covering controller obligations, processor contracts, privacy notice requirements, and enforcement history, see the Colorado data privacy laws parent page.
Who the Colorado Privacy Act covers: thresholds, exemptions, and the nonprofit distinction
The CPA reaches any person, including corporations, individuals, and nonprofit organizations, that conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to Colorado residents, and that meets either of two thresholds set out in C.R.S. § 6-1-1304(1).
The first threshold: the business controls or processes personal data of 100,000 or more Colorado consumers per calendar year. The second threshold: the business derives revenue or receives a discount on the price of goods or services from selling personal data and controls or processes the personal data of 25,000 or more consumers. That second prong contains a critical distinction from Virginia's VCDPA: Colorado requires only that a business derive any revenue from selling personal data, not that data sales represent more than 50% of gross revenue. A company that earns a small fraction of its income from data sales while processing 25,000 Colorado consumers' data is covered in Colorado but may not be covered in Virginia.
The CPA also covers nonprofit organizations that meet those thresholds, which is another meaningful contrast to Virginia and Texas. Both the VCDPA and the Texas Data Privacy and Security Act (TDPSA) exempt nonprofits entirely. Colorado does not.
Several categories of entities and data are exempt under C.R.S. § 6-1-1304(2) through (4):
- State and local government bodies
- Personal data used for purely noncommercial purposes by state institutions of higher education
- HIPAA-covered entities and business associates, for HIPAA-regulated data
- Financial institutions and data governed by the Gramm-Leach-Bliley Act (GLBA)
- Air carriers under federal aviation law
- Data regulated by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), the Driver's Privacy Protection Act (DPPA), and the Farm Credit Act
These exemptions mean that health systems processing HIPAA-regulated data, banks and credit unions regulated by GLBA, and state universities operating for educational purposes are largely outside the CPA's reach even when they handle large volumes of resident data.
The five Colorado consumer rights under the CPA
The CPA grants Colorado residents five enumerated rights against covered controllers under C.R.S. § 6-1-1306(1):
- Right to access. A consumer may confirm whether a controller is processing their personal data and request a copy of that data in a readily usable format.
- Right to correct. A consumer may require a controller to correct inaccurate personal data, taking into account the nature and purposes of the processing.
- Right to delete. A consumer may request deletion of personal data the controller holds about them, whether the consumer provided it or the controller collected it from other sources.
- Right to portability. A consumer may obtain their personal data in a portable, readily usable format that allows transfer to another controller, provided the request is technically feasible.
- Right to opt out. A consumer may opt out of processing for three specific purposes: targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer.
Controllers must respond to authenticated rights requests within 45 days of receipt. Under C.R.S. § 6-1-1306(3), the response period may be extended once by an additional 45 days when reasonably necessary, but only if the controller notifies the consumer within the initial 45-day window and explains the reasons for the delay. The maximum response window is therefore 90 days with proper notice.
Controllers that deny a rights request must inform the consumer of the denial and explain how the consumer can appeal. The CPA's rules require controllers to maintain an internal appeals process. If the appeal is also denied, the controller must provide information about how the consumer can contact the Attorney General.
For a detailed walkthrough of how to submit requests and what businesses are required to do for each, see the Colorado consumer rights under the CPA spoke.
Sensitive data and the opt-in consent requirement
One of the CPA's defining features is its requirement that controllers obtain affirmative opt-in consent before processing any sensitive personal data. This is not a default-on setting with a way to opt out later: consent must be obtained before processing begins. Controllers that process sensitive data without prior consent are in violation of C.R.S. § 6-1-1308(7).
The CPA's current definition of sensitive data in C.R.S. § 6-1-1303 covers:
- Personal data revealing racial or ethnic origin
- Personal data revealing religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Biometric data processed to uniquely identify an individual
- Personal data collected from a known child
Beginning August 12, 2026, when SB 25-276 takes effect, precise geolocation data will also be classified as sensitive data under the CPA. SB 25-276, signed by Governor Polis on May 23, 2025, amends the definition of sensitive data in C.R.S. § 6-1-1303 to add precise location data, meaning that from that date any controller that processes precise geolocation data of Colorado consumers will need their opt-in consent first. Businesses that rely on location-based services or track device locations should treat August 12, 2026 as a hard compliance deadline.
The opt-in standard for sensitive data aligns Colorado more closely with GDPR Article 9's explicit-consent requirement for special-category data than with California's approach. The CCPA/CPRA uses an opt-out model for sensitive personal information: businesses may process it unless the consumer requests a limitation. Colorado flips that default: no processing until the consumer says yes.
Colorado's AG Rules (4 CCR 904-3) and the Universal Opt-Out Mechanism
Colorado stands apart from most U.S. state privacy laws for the specificity of its implementing regulations. The Attorney General filed the final Colorado Privacy Act Rules (4 CCR 904-3) on March 15, 2023, and they took effect on July 1, 2023, alongside the statute. While many states have enacted data privacy laws without detailed agency rules, Colorado's rules cover consent standards (4 CCR 904-3-7.02), data protection assessment content requirements (4 CCR 904-3-8.02 through 8.05), controller obligations for processing transparency, and the entire Universal Opt-Out Mechanism framework (4 CCR 904-3-5.03).
The UOOM framework is Colorado's most distinctive operational requirement. C.R.S. § 6-1-1313(2) directs the Attorney General to maintain a public list of recognized Universal Opt-Out Mechanisms, which are technically specified browser or device signals that covered controllers must honor as a consumer's opt-out of targeted advertising and data sales. The AG was required to release the initial UOOM list by January 1, 2024, and to update it periodically.
The Global Privacy Control (GPC) is the first and currently the only mechanism the Colorado AG has recognized as a valid UOOM. The AG published the recognition of GPC on its Universal Opt-Out Mechanisms page. Beginning July 1, 2024, covered controllers have been required to honor GPC signals from Colorado consumers as valid opt-outs of targeted advertising and the sale of personal data. This is not aspirational: it is a current compliance obligation. A Colorado consumer who has GPC enabled in their browser does not need to navigate a website's privacy settings or submit a separate opt-out request. The signal is legally sufficient on its own.
The practical implication is significant. Businesses that run behavioral advertising programs or sell data to third-party data brokers must detect the GPC signal on the request itself (the browser sends it with every HTTP request and exposes it to page scripts) and honor it there, not just through a dedicated opt-out form on a privacy preference page. The 4 CCR 904-3 rules specify how a UOOM must be technically implemented, what disclosures controllers must provide when they recognize a UOOM, and what records must be kept.
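The following is an added example of what "honoring the signal at the browser level" looks like in code; it is not code from this article or from the Colorado Attorney General. It relies on two facts from the Global Privacy Control specification: a GPC-enabled browser sends the request header Sec-GPC with the exact value 1, and exposes navigator.globalPrivacyControl to page scripts. The function names, the stored-preference shape, and the sample requests are hypothetical constructions for illustration.

```javascript
// Added example (not from the article or the Colorado AG). Demonstrates
// detecting and honoring the Global Privacy Control (GPC) signal, the only
// UOOM Colorado currently recognizes. Per the GPC specification a browser
// with GPC enabled sends "Sec-GPC: 1" on every request and sets
// navigator.globalPrivacyControl === true for page scripts.

// Server side: decide from incoming request headers whether this request
// carries a valid GPC opt-out. Only the exact value "1" counts; absent,
// "0", "true" or "yes" are all treated as no signal, as the spec requires.
// Header names are matched case-insensitively (Node lowercases them, other
// frameworks may not).
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Combine the per-request signal with whatever the consumer opted out of
// through the site's own preference page (hypothetical "stored" shape).
// The UOOM covers targeted advertising and sale of personal data; the
// profiling opt-out still has to come from the controller's own mechanism,
// so GPC never switches it on by itself.
function effectiveOptOuts(headers, stored) {
  const gpc = gpcOptOutFromHeaders(headers);
  const prefs = stored || {};
  return {
    targetedAdvertising: gpc || prefs.targetedAdvertising === true,
    sale: gpc || prefs.sale === true,
    profiling: prefs.profiling === true,
    source: gpc ? 'uoom:gpc' : 'stored-preference',
  };
}

// Client side (browser): the same decision from the navigator property, so
// a tag loader can check it before firing ad or data-broker pixels.
// Takes the navigator object as a parameter so it can also run under Node.
function gpcOptOutFromNavigator(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// The GPC spec also defines a well-known resource a site can serve at
// /.well-known/gpc.json to declare that it honors the signal.
function gpcWellKnownDocument(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate: lastUpdate }, null, 2);
}

// Constructed sample requests (not real traffic), one per case.
const sampleRequests = [
  { headers: { 'sec-gpc': '1', host: 'example.test' }, note: 'GPC enabled' },
  { headers: { 'Sec-GPC': '0', host: 'example.test' }, note: 'header present, not asserted' },
  { headers: { host: 'example.test' }, note: 'no signal at all' },
];

for (const r of sampleRequests) {
  // A consumer who also opted out of profiling on the preference page.
  console.log(r.note, '->', effectiveOptOuts(r.headers, { profiling: true }));
}
```

The decision has to be made on every request rather than once at login, because the signal is per-browser and the consumer may be unauthenticated; the `source` field is there so the record of how the opt-out was applied can be kept for the disclosure and record-keeping duties the rules impose.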
Data protection assessments: when and why controllers must conduct them
The CPA requires covered controllers to complete a data protection assessment before beginning any processing activity that presents a heightened risk of harm to a consumer. C.R.S. § 6-1-1309 identifies four categories of processing that require an assessment:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial, physical, or reputational injury, intrusion on solitude, or other substantial injury to consumers
- Processing sensitive data
Controllers must document each assessment. The 4 CCR 904-3 rules (specifically Rules 8.02 through 8.05) specify thirteen minimum components that assessments must include: the categories of personal data processed, the purpose of the processing, the controller's legitimate interest in the processing, the categories of third parties who may receive the data, the expected benefits to the controller and consumers, the risks to consumer rights and interests, and the safeguards the controller will implement to mitigate those risks, among others. Colorado's requirements are more detailed than most comparable state laws.
The Attorney General may request to review data protection assessments during an investigation. A thorough, well-maintained assessment is not just a compliance checkbox: it is a primary line of defense if the AG begins examining a controller's practices. A controller that cannot produce a credible assessment for a covered processing activity has no effective response to an enforcement inquiry.
CPA enforcement: AG and district attorneys, up to $20,000 per violation, cure period sunset
The CPA is enforced exclusively by the Colorado Attorney General and district attorneys. There is no private right of action for consumers: an individual Colorado resident cannot sue a covered business directly for CPA violations, no matter how clear the breach of their rights. All enforcement authority runs through the AG's office and the state's district attorneys.
Violations of the CPA are classified as deceptive trade practices under the Colorado Consumer Protection Act (C.R.S. § 6-1-105). That classification carries civil penalties of up to $20,000 per violation under C.R.S. § 6-1-112. That per-violation ceiling is notably higher than Virginia's VCDPA ($7,500 per violation) or Texas's TDPSA ($7,500 per violation, up to $25,000 per related series). A business that improperly denies thousands of consumer rights requests or fails to honor GPC signals at scale faces substantial exposure under Colorado law.
The CPA originally provided a safety valve: from the law's effective date of July 1, 2023 through January 1, 2025, the AG and district attorneys were required to provide covered businesses with a 60-day written cure notice before bringing an enforcement action, provided the violation was capable of being remedied. That mandatory cure period sunsetted on January 1, 2025, under C.R.S. § 6-1-1311. As of that date, the AG may bring an enforcement action immediately upon identifying a violation, without first giving the business an opportunity to fix the problem. Businesses that counted on receiving a cure notice before facing consequences no longer have that cushion.
The AG can also seek injunctive relief and, as part of any enforcement action, may recover reasonable investigative costs. The AG maintains a public CPA resource hub at coag.gov/resources/colorado-privacy-act/, which includes enforcement guidance and rulemaking updates.
For the full controller compliance checklist covering privacy notices, data processing agreements, consumer response workflows, and UOOM implementation steps, see the CPA compliance checklist.
Recent CPA amendments: biometrics, minors, and geolocation (2024 to 2026)
The CPA has been amended three times since its 2023 launch, each time adding new obligations in areas of heightened public concern.
HB 24-1130 (effective July 1, 2025): biometric identifier protections. Governor Polis signed this bill on May 31, 2024. The amendment adds specific obligations for controllers that process biometric identifiers (fingerprints, face geometry, iris scans, and similar data) beyond the general sensitive-data consent requirement already in the CPA. Under HB 24-1130, covered controllers must: adopt and make publicly available a written retention and destruction schedule for biometric identifiers; provide the consumer a disclosure and obtain written consent before collecting, purchasing, or otherwise obtaining biometric data; develop response protocols for security breaches involving biometric data; and refrain from requiring employee consent to collect biometric identifiers as a condition of employment. This amendment is current law.
SB 24-041 (effective October 1, 2025): minors' online data protections. Also signed May 31, 2024, SB 24-041 added C.R.S. § 6-1-1309.5, imposing heightened obligations whenever a controller knows or willfully disregards that a user is a minor. When that knowledge threshold is met, the controller must: exercise reasonable care to avoid heightened harm to the minor; conduct data protection assessments of any processing that may affect minors; and obtain consent before engaging in targeted advertising to minors, selling minors' personal data, profiling minors, or using design features intended to significantly extend minors' use of the service. Importantly, controllers are not required to implement age-verification systems under SB 24-041. This amendment is current law as of October 1, 2025.
SB 25-276 (effective August 12, 2026): precise geolocation as sensitive data. Governor Polis signed SB 25-276 on May 23, 2025. When this amendment takes effect on August 12, 2026, precise geolocation data will be added to the CPA's definition of sensitive data in C.R.S. § 6-1-1303. Controllers who process precise location data for Colorado consumers will need to obtain opt-in consent before doing so. SB 25-276 also restricts the sale of sensitive data without consumer consent more broadly. As of the date of this article, SB 25-276 is not yet in force. Businesses that use precise geolocation data (including mapping apps, delivery platforms, fleet management systems, or any service that tracks device location) should begin preparing for this requirement now. August 12, 2026 is the compliance deadline.
Colorado Privacy Act vs. CCPA: three key differences
The CPA and California's CCPA are the two most-discussed U.S. state privacy laws, and they share a common framework, but they differ in three ways that matter practically. Our state data privacy law comparison page covers the full multi-state picture, but here are the sharpest distinctions:
Consent standard for sensitive data. The CPA requires affirmative opt-in consent before a controller may process sensitive personal data (C.R.S. § 6-1-1308(7)). The CCPA/CPRA uses an opt-out model: businesses may process sensitive personal information under California's law unless and until the consumer submits a "Limit the Use of My Sensitive Personal Information" request under Cal. Civ. Code § 1798.121. In practical terms, opt-in means no processing without a prior yes; opt-out means processing continues unless the consumer objects.
Universal Opt-Out Mechanism. Colorado mandates that covered controllers honor GPC browser signals as a valid consumer opt-out of targeted advertising and data sales, with compliance required since July 1, 2024. California has a similar requirement under CPRA regulations for "opt-out preference signals," but Colorado's requirement is codified in both statute and detailed AG rules, with a public registry of recognized mechanisms that provides more operational specificity.
Applicability threshold. The CPA's secondary coverage prong requires only that a business derives any revenue from selling personal data while processing data of 25,000 or more Colorado consumers. The CCPA applies to businesses meeting at least one of three separate thresholds, one of which is annual gross revenues exceeding $25 million. A small business with no significant revenue but large data-processing volume may be covered in Colorado but not California.
Related guides
- Colorado Privacy Act Consumer Rights & How to Use Them
- Colorado Privacy Act Compliance Checklist (2026)
- Colorado Data Privacy Laws: CPA Consumer Rights Guide (2026)
- Colorado Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)