The Colorado Privacy Act (CPA) has positioned Colorado as one of the most consumer-focused states when it comes to data protection. Effective since July 1, 2023, the law continues to evolve with new regulations and legislative updates. Here’s what businesses need to know to stay compliant in 2025.
What Is the Colorado Privacy Act?
The CPA, also called the Colorado Consumer Privacy Act, governs how businesses collect, use, and share personal data. It applies to companies doing business in Colorado or targeting its residents if they:
- Process the personal data of 100,000 or more consumers in a calendar year, or
- Process the personal data of 25,000 or more consumers and derive revenue (or receive a discount) from the sale of personal data.
Unlike California’s CCPA, Colorado’s law does not exempt nonprofits. However, data covered by HIPAA or GLBA, de-identified data, and public records are outside its scope.
For the full text of the law, visit the Colorado Attorney General’s CPA page.
Key Consumer Rights
Colorado residents now enjoy five main rights under the CPA:
- Access: Know what data is collected.
- Correction: Fix inaccuracies.
- Deletion: Request removal of personal data.
- Portability: Receive data in a usable format.
- Opt-Out: Prevent targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
A notable feature is the universal opt-out mechanism: since July 1, 2024, businesses must honor browser-based opt-out signals (such as Global Privacy Control) as a valid opt-out of targeted advertising and data sales.
Sensitive Data and Consent
The CPA defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sex life or sexual orientation, or citizenship status; genetic or biometric data processed to uniquely identify a person; and personal data from a known child (under 13). Businesses must obtain explicit opt-in consent before processing this data. The rules also prohibit “dark patterns,” so consent must be freely given, specific, informed, and unambiguous rather than extracted through manipulative interface design.
Compliance Requirements
Companies must:
- Update privacy notices explaining data use and consumer rights.
- Provide easy ways for consumers to submit requests and appeals.
- Implement opt-out tools for targeted ads and sales.
- Honor global opt-out signals starting July 2024.
- Conduct data protection assessments for high-risk processing.
- Secure contracts with processors handling consumer data.
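The universal opt-out requirement in the rights section and in the checklist above has a concrete wire format: a browser with Global Privacy Control enabled sends the HTTP request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` to scripts). The following is an added example, not code from this article or from the Colorado AG, of how a server can detect that header and gate the two processing purposes the signal covers. The preference record, purpose names, and WSGI-style header key are illustrative assumptions; the header name and its only valid value (`1`) come from the GPC specification.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example; not code from the article or from the Colorado AG. It assumes
the GPC wire format (request header `Sec-GPC: 1`) and a hypothetical
preference record. Purpose names are illustrative.
"""
from dataclasses import dataclass, field
from typing import Mapping

GPC_HEADER = "Sec-GPC"          # header name defined by the GPC specification
GPC_WSGI_KEY = "HTTP_SEC_GPC"   # how WSGI servers expose that header in environ

# Processing purposes a universal opt-out signal covers under the CPA
# (targeted advertising and sale of personal data). Names are assumptions.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC signal.

    Accepts either raw HTTP header names (matched case-insensitively) or a
    WSGI environ. Per the GPC spec the only valid value is the single
    character "1"; "0", "true", or an empty value is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower() or name == GPC_WSGI_KEY:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Hypothetical per-consumer (or per-session) preference record."""
    opted_out: set = field(default_factory=set)  # purposes the consumer opted out of
    signal_seen: bool = False                    # a GPC signal was ever received


def apply_request_signal(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> ConsumerPrefs:
    """Record a universal opt-out signal against the consumer's preferences.

    The signal is treated as an opt-out request for every covered purpose.
    Its absence on a later request is NOT treated as a withdrawal: once
    recorded, the opt-out persists until the consumer changes it themselves.
    """
    if gpc_signal_present(headers):
        prefs.signal_seen = True
        prefs.opted_out |= OPT_OUT_PURPOSES
    return prefs


def processing_allowed(prefs: ConsumerPrefs, purpose: str) -> bool:
    """Gate a processing purpose on the recorded opt-outs.

    Purposes outside the opt-out set (e.g. fraud prevention, fulfilling the
    consumer's own order) are unaffected by the signal.
    """
    return purpose not in prefs.opted_out


def decide_request(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> dict:
    """Apply the request's signal, then report what each covered purpose may do."""
    apply_request_signal(prefs, headers)
    return {p: processing_allowed(prefs, p) for p in sorted(OPT_OUT_PURPOSES)}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    prefs = ConsumerPrefs()
    print(decide_request(prefs, {"Host": "shop.example", "Sec-GPC": "1"}))
    print(decide_request(prefs, {"Host": "shop.example"}))  # opt-out persists
```

The two checks worth keeping from this example are strict value matching (a browser that sends `Sec-GPC: 0` has not opted out, and neither has one that sends nothing) and persistence: the signal is a request for the consumer's opt-out to be honored, so a single request without the header must not silently re-enable targeted advertising or sales.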
For a detailed guide, see this legal analysis by Koley Jessen.
Enforcement and Penalties
The CPA is enforced by the Colorado Attorney General and district attorneys; there is no private right of action. The 60-day right to cure expired at the end of 2024, so as of 2025 the AG may bring an enforcement action without first giving notice and an opportunity to fix the violation. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act:
- Fines: Up to $20,000 per violation, capped at $500,000 for a related series of violations.
Given these stakes, compliance is critical.
Recent Updates and Amendments
Colorado continues to strengthen the CPA through amendments and rulemaking:
- Biometric Data Rules (enacted 2024, effective July 1, 2025): Businesses must publish a biometric data policy and provide notice and obtain consent before collecting biometric identifiers, with specific limits on when employers may require them from employees.
- Children’s Online Protections (enacted 2024, effective October 1, 2025): New duties for services likely to be accessed by minors (under 18), including a ban on design features that significantly increase a minor’s use of the service without consent.
- Expanded Sensitive Data Definition: Adds precise geolocation and prohibits selling sensitive data without consent.
- AG Opinion Letters: Businesses can now request interpretive guidance from the Attorney General for compliance clarity.
Stay current by reviewing updates on the Colorado AG’s Data Privacy page.
How Colorado’s CPA Stands Out
While similar to California and Virginia laws, the CPA differs in key ways:
- Mandatory universal opt-out signals (first of its kind in the U.S.).
- Opt-in for sensitive data, stricter than California’s opt-out model.
- Nonprofits included under its scope.
- Frequent Colorado Privacy Act amendments keeping the law dynamic.
FAQ: Colorado Privacy Act
1. What are the new consumer rights in Colorado?
Consumers can access, correct, delete, and port their data, plus opt out of targeted advertising, data sales, and profiling.
2. How can businesses comply with Colorado’s privacy law?
Update privacy policies, set up request systems, honor universal opt-out signals, and obtain explicit consent for sensitive data.
3. What is the Colorado Privacy Act effective date?
The law took effect on July 1, 2023. Universal opt-out compliance became mandatory on July 1, 2024.
4. What impact has rulemaking had?
Rulemaking clarified requirements for global opt-out signals, profiling disclosures, loyalty program notices, and consent standards.
5. What are some common exemptions under the CPA?
HIPAA-regulated health data, GLBA-covered financial data, consumer reports under FCRA, and publicly available or de-identified information.
6. How does the CPA define “sensitive data”?
Sensitive data includes race, religion, health info, sex life, citizenship, biometric data, and data from children under 13. Opt-in consent is required before processing.
For complete FAQs, visit the Colorado AG’s FAQ page.
Final Takeaway
The Colorado Privacy Act is not static; it is evolving through new rules and legislative updates. Businesses must stay proactive, as enforcement is now in full swing and penalties can be significant.
Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. We are not a law firm, and no attorney-client relationship is formed by using this website. Use of this content is at your own risk. For advice tailored to your situation, please consult a licensed attorney.