Colorado Privacy Act: What Your Business Needs to Do

A practical guide to the Colorado Privacy Act (CPA) for businesses: applicability thresholds, consumer rights, universal opt-out requirements, compliance steps, and how it compares to other state privacy laws.

Last updated: 2026-02-07

Your SaaS app serves customers across the country, and a chunk of them are in Colorado. A user sends an email asking you to delete their data. You handle it. Then another arrives through a browser-based opt-out signal you have never heard of. Under the Colorado Privacy Act (CPA), you are required to recognize that signal automatically -- no click, no form, no human request needed. Colorado was the third state in the U.S. to pass a comprehensive consumer privacy law, and it was the first to mandate that businesses honor universal opt-out mechanisms. Since taking effect on July 1, 2023, the CPA has set a high bar for businesses that process personal data of Colorado residents.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Colorado Privacy Act (C.R.S. §§ 6-1-1301 to 6-1-1313) and the Colorado Attorney General's CPA Rules (4 CCR 904-3), as of the date of publication.

Does the Colorado Privacy Act Apply to Your Business?

The CPA applies to entities that conduct business in Colorado or produce products or services intentionally targeted to Colorado residents and meet one of two thresholds:

  1. Process the personal data of at least 100,000 Colorado consumers during a calendar year, OR
  2. Process the personal data of at least 25,000 Colorado consumers AND derive revenue or receive a discount on the price of goods or services from the sale of personal data.

Note the second threshold: it does not specify a percentage of revenue. Any revenue from data sales qualifies, which makes it broader than it might appear at first glance. If your business processes data on 25,000 Colorado consumers and earns even a small amount from selling that data, you are covered.

Practical example: A mid-sized e-commerce store with 30,000 Colorado customers that shares customer data with an advertising network in exchange for reduced ad costs could hit the second threshold. A small Shopify store with 5,000 Colorado customers and no data sales would likely be exempt.

Who is exempt? The CPA exempts state and local government entities, certain regulated entities including those governed by HIPAA, GLBA, FCRA, and FERPA, and air carriers. It also exempts certain categories of data rather than the entity itself -- so a healthcare company might be exempt for HIPAA-regulated data but covered for marketing data it collects outside of the treatment context.

Unlike California's CCPA/CPRA, the CPA has no revenue threshold. A company with $500,000 in annual revenue can be covered if it meets the consumer data volume thresholds.

What Rights Do Colorado Consumers Have?

The CPA grants Colorado residents seven privacy rights (access, correction, deletion, portability, and three opt-outs), and it bars controllers from penalizing a consumer for exercising them. Businesses must respond to consumer requests within 45 days, with one possible extension of 45 days if reasonably necessary (with notice to the consumer).

Right to Access. Consumers can confirm whether a controller is processing their personal data and access that data.

Right to Correction. Consumers can request correction of inaccuracies in their personal data, considering the nature of the data and processing purposes.

Right to Deletion. Consumers can request deletion of personal data they have provided or that the controller has obtained.

Right to Data Portability. Consumers can obtain their personal data in a portable, readily usable format that allows transfer to another controller without hindrance.

Right to Opt Out of Sale. Consumers can opt out of the processing of their personal data for the purposes of sale.

Right to Opt Out of Targeted Advertising. Consumers can opt out of the processing of personal data for targeted advertising purposes.

Right to Opt Out of Profiling. Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

Right                     Granted?  Notes
Access                    Yes       Confirm processing and access personal data
Correction                Yes       Fix inaccurate personal data
Deletion                  Yes       Delete personal data held by the controller
Portability               Yes       Obtain data in a portable, usable format
Opt-out of sale           Yes       Stop the sale of personal data
Opt-out of targeted ads   Yes       Stop processing for targeted advertising
Opt-out of profiling      Yes       Stop profiling with legal/significant effects
Non-discrimination        Yes       Cannot penalize consumers for exercising rights

What Your Business Must Do

The CPA's obligations cover the standard consumer-rights framework, but the universal opt-out requirement adds a technical compliance layer that many businesses overlook.

Recognize universal opt-out mechanisms. This is the CPA's most distinctive requirement. As of July 1, 2024, businesses must honor opt-out preference signals sent through a user's browser or device. The Colorado Attorney General's CPA Rules specify that controllers must treat a universal opt-out mechanism signal as a valid opt-out request for both the sale of personal data and targeted advertising. The most common signal is the Global Privacy Control (GPC). If a Colorado consumer visits your website with GPC enabled in their browser, your site must automatically treat that as an opt-out -- no additional action from the consumer required. This is not optional. If your website ignores GPC signals, you are out of compliance.
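On the wire, GPC is a request header, Sec-GPC: 1, and in the page it is exposed to scripts as navigator.globalPrivacyControl === true; "1" is the only defined header value. The following is an added example, not code from the CPA Rules, the GPC specification or any consent-management vendor. It shows a server-side check for the header, the browser-side counterpart, and a resolver that merges the signal with a site's own stored preferences. The preference shape (sale, targetedAds, profiling) and the handling of a conflict between the signal and a stored "allow" (the signal wins and the conflict is reported so the site can tell the consumer) are assumptions of this example; confirm the conflict rule against 4 CCR 904-3 before relying on it.

```javascript
// Added example: handling the Global Privacy Control (GPC) universal opt-out signal.
// Not from the CPA Rules, the GPC spec, or any vendor SDK; preference names are assumed.
//
// GPC reaches a site two ways:
//   1. HTTP request header  "Sec-GPC: 1"          (what the server sees on every request)
//   2. navigator.globalPrivacyControl === true     (what page scripts see)
// "1" is the only defined header value; anything else is not a valid signal.

const SEC_GPC = 'sec-gpc';

// True only when the request carries a well-formed GPC signal.
// Header names are case-insensitive, so compare them lower-cased.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== SEC_GPC) continue;
    // Some servers present repeated headers as an array; use the first value.
    const v = Array.isArray(value) ? value[0] : value;
    return String(v).trim() === '1';
  }
  return false;
}

// Browser-side counterpart. Takes a navigator-like object so it is testable outside a browser.
function hasGpcSignalInBrowser(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Merge the site's stored, controller-specific choices with the request signal.
// storedPrefs: { sale, targetedAds, profiling } booleans, true = processing allowed (assumed shape).
// The universal opt-out signal covers sale and targeted advertising only; the profiling
// opt-out is exercised through the controller's own request process, so it is left as stored.
// Assumption of this example: the signal overrides a stored "allow", and the conflict is
// reported so the site can surface it to the consumer.
function resolveConsent(headers, storedPrefs) {
  const prefs = { sale: false, targetedAds: false, profiling: false, ...(storedPrefs || {}) };
  const gpc = hasGpcSignal(headers);
  return {
    sale: gpc ? false : prefs.sale,
    targetedAds: gpc ? false : prefs.targetedAds,
    profiling: prefs.profiling,
    source: gpc ? 'gpc' : 'stored',
    conflict: gpc && (prefs.sale || prefs.targetedAds),
  };
}

// Once the response depends on a request header, shared caches must not serve one
// visitor's variant to another, so name that header in Vary.
function cacheHeadersFor() {
  return { Vary: 'Sec-GPC' };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  braveUser: { headers: { host: 'shop.example', 'Sec-GPC': '1' } },
  noSignal:  { headers: { host: 'shop.example' } },
  malformed: { headers: { host: 'shop.example', 'sec-gpc': 'yes' } },
};

// Stored preferences for a returning customer who earlier clicked "allow" (constructed).
const STORED_ALLOW_ALL = { sale: true, targetedAds: true, profiling: true };

function demo() {
  const out = {};
  for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[label] = resolveConsent(req.headers, STORED_ALLOW_ALL);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
  console.log(cacheHeadersFor());
}

module.exports = { hasGpcSignal, hasGpcSignalInBrowser, resolveConsent, cacheHeadersFor, demo };
```

Run it with node to see the three sample requests resolved: the Brave request is opted out of sale and targeted ads with conflict: true (the customer had previously allowed both), the request with no header keeps the stored choices, and the malformed "yes" value is not treated as a signal. Profiling stays allowed in every case because the signal does not cover it.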

Publish a clear privacy notice. Your privacy notice must disclose the categories of personal data collected, the purposes of processing, the categories of personal data shared with third parties, the categories of those third parties, how consumers can exercise their rights (including how to appeal), and whether you sell personal data or use it for targeted advertising.

Respond to consumer requests within 45 days. You need a documented process for intake, identity verification, and response. You can extend the deadline by 45 days if reasonably necessary, but you must notify the consumer within the initial 45-day window and explain the reason for the extension.

Implement an appeal process. If you deny a consumer request, you must provide an appeal mechanism. You have 45 days to respond to an appeal. If you deny the appeal, you must inform the consumer about their right to contact the Colorado Attorney General.

Obtain consent for sensitive data processing. The CPA requires opt-in consent before processing sensitive data, which the statute defines as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data processed to uniquely identify an individual; and personal data from a known child (under 13). Note that, unlike Virginia's and Connecticut's laws, Colorado's definition does not list precise geolocation data.

Conduct data protection assessments. The CPA requires assessments for processing activities that present a heightened risk of harm, including targeted advertising, the sale of personal data, certain profiling activities, and the processing of sensitive data. Assessments must weigh the benefits of processing against the potential risks to the consumer, factoring in available safeguards.

Establish processor contracts. Written agreements with processors must specify processing instructions, confidentiality, deletion or return of data, cooperation with assessments, and audit rights.

Practice data minimization. The CPA requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes of processing. This is not as strict as Maryland's MODPA, but it still means you cannot collect data without a reasonable justification.

How Is the CPA Enforced?

The CPA is enforced exclusively by the Colorado Attorney General and district attorneys. There is no private right of action -- consumers cannot sue your business directly for CPA violations.

The maximum penalty is $20,000 per violation under the Colorado Consumer Protection Act (C.R.S. § 6-1-112). The AG can also seek injunctive relief and recover attorney's fees and costs.

The cure period has expired. The CPA originally provided a 60-day cure period that allowed businesses to fix violations before facing enforcement. This cure period expired on January 1, 2025. Since that date, the Colorado Attorney General has full discretion to bring enforcement actions without offering a cure opportunity. Businesses can no longer count on a grace period to fix problems after they are flagged.

The Colorado Attorney General's office has been proactive about CPA enforcement. The AG published detailed CPA Rules that clarify compliance expectations, particularly around universal opt-out mechanisms. The AG has signaled that enforcement priorities include businesses that fail to honor universal opt-out signals and those that process children's data without proper consent.

How the CPA Compares to Other State Privacy Laws

The CPA shares a similar rights framework with other state laws but stands out for its universal opt-out mandate and its relatively high per-violation penalty.

Feature                     Colorado (CPA)                           California (CCPA/CPRA)                                              Virginia (VCDPA)
Effective date              Jul 1, 2023                              Jan 1, 2020 / Jan 1, 2023                                           Jan 1, 2023
Consumer threshold          100K, or 25K + revenue from data sales   100K consumers/households, or 50%+ of revenue from selling/sharing  100K, or 25K + 50%+ of revenue from data sales
Revenue threshold           None                                     $25 million                                                         None
Universal opt-out signal    Required (from Jul 1, 2024)              Required                                                            Not required
Max penalty per violation   $20,000                                  $2,500 ($7,500 intentional)                                         $7,500
Cure period                 60 days, expired Jan 1, 2025             None                                                                30 days, permanent
Data minimization           Required                                 Required but less prescriptive                                      Required
Sensitive data consent      Opt-in required                          Opt-out (right to limit use)                                        Opt-in required
Private right of action     No                                       Limited (data breaches only)                                        No

Compared to Virginia's VCDPA, the CPA has a significantly higher per-violation penalty ($20,000 vs. $7,500), requires universal opt-out signal recognition, which Virginia does not, and no longer offers a cure period, whereas Virginia's 30-day cure period has no sunset. Compared to California's CCPA/CPRA, the CPA lacks a private right of action, which reduces litigation risk, but the $20,000 per-violation AG penalty is among the highest of any state. For businesses also subject to Connecticut's CTDPA, the good news is that both states require universal opt-out signal recognition, so a single GPC implementation covers both jurisdictions.

Action Checklist for Small Businesses

If the CPA applies to your business, here is what to prioritize:

  1. Implement universal opt-out signal recognition. This is non-negotiable. Ensure your website detects and honors GPC signals for sale and targeted advertising opt-outs. Test with browsers that can send GPC (Firefox, Brave, DuckDuckGo), and confirm on the server that the request carries the Sec-GPC: 1 header and that your page scripts see navigator.globalPrivacyControl === true, so that ad and data-sharing tags are suppressed on both paths.
  2. Conduct a data inventory. Map what personal data you collect, where it is stored, who has access, who you share it with, and the purpose for each category. This is the foundation for everything else.
  3. Update your privacy notice. Ensure it includes all CPA-required disclosures: data categories, purposes, third parties, consumer rights, and appeal instructions.
  4. Set up a DSAR response process. Build a documented intake, verification, and response workflow. Remember the 45-day deadline.
  5. Get opt-in consent for sensitive data. If you process any sensitive data categories (health, biometric, precise geolocation, children's data), ensure you have clear, affirmative consent.
  6. Conduct data protection assessments. Evaluate your targeted advertising, data sales, profiling, and sensitive data processing activities for risk.
  7. Update processor contracts. Ensure all third-party vendor agreements include CPA-required provisions for processing instructions, confidentiality, deletion, and audit rights.
  8. Train your team. Ensure staff who handle customer interactions and data processing understand the CPA, the universal opt-out requirement, and your internal procedures.

Key Dates

  • July 1, 2023: Colorado Privacy Act takes effect.
  • July 1, 2024: Universal opt-out mechanism requirement takes effect.
  • January 1, 2025: 60-day cure period expires. AG has full enforcement discretion.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Need to build a DSAR workflow that handles Colorado's universal opt-out requirement? Our DSAR Compliance Guide covers the full process from signal detection to response. Or start with a DSAR Response Template to get your team responding to requests the right way.