Colorado Privacy Act (CPA): U.S. Business Compliance Guide

Updated: Jan 4, 2023

Colorado enacted the Colorado Privacy Act (CPA) in July 2021, and the law came into force on July 1, 2023. It made Colorado the third U.S. state to enact a comprehensive consumer data privacy law after California and Virginia. As one of the earliest modern U.S. state privacy laws, it has gone through several amendments.

The CPA grants Colorado residents, who are referred to in the law as “consumers”, a set of enforceable rights over their personal data, and it places binding obligations on businesses that collect or process that data.

For U.S. companies operating websites, apps, or digital services that reach Colorado users, the CPA is a live compliance requirement, not a future consideration. Even businesses headquartered elsewhere must comply if they process Colorado residents’ personal data and meet the law’s coverage thresholds. 

This guide explains exactly what the CPA requires, how it compares to other state privacy laws, and what practical steps your organization needs to take to remain compliant.

At a Glance

  • Effective date: July 1, 2023 (Colorado was the third U.S. state to enact a comprehensive consumer data privacy law; significantly amended in 2024 and 2025)
  • Scope: Applies to businesses conducting business in Colorado, or targeting goods or services to Colorado residents, that either process personal data from at least 100,000 consumers per year, or process data from at least 25,000 consumers per year while deriving revenue from the sale of personal data. No minimum annual revenue threshold.
  • Consent model: Opt-out, so businesses may generally collect and process personal data without prior consent, but must notify consumers and honor opt-out requests for targeted advertising, data sales, and profiling. Opt-in consent is required for sensitive data, children’s data, and secondary uses.
  • Consumer rights: Opt-out, access, correction, deletion, and data portability; consumers also have the right to appeal a controller’s denial of a request.
  • Enforcement: Colorado Attorney General and District Attorneys have exclusive enforcement authority; fines from USD 2,000 to USD 20,000 per violation (USD 10,000 to USD 50,000 for violations against elderly persons); no private right of action; no cure period.
  • Key 2025 updates: Biometric data obligations expanded (effective July 1, 2025); minor protections requiring consent for under-18 data processing added (effective October 1, 2025); precise geolocation classified as sensitive data (effective May 23, 2025).

What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act is a state-level consumer data privacy statute encoded in the Colorado Revised Statutes, Title 6, Article 1, Part 13. It followed closely on the passage of Virginia’s Consumer Data Protection Act earlier that year.

The CPA’s core purpose is to give Colorado residents meaningful control over how their personal data is collected, used, and shared by businesses. 

Rather than requiring consent before all data collection as the EU’s General Data Protection Regulation (GDPR) does, the CPA adopts an opt-out framework, meaning businesses may generally process consumer data without prior consent, unless the data is sensitive, belongs to a child, or is being used for secondary purposes not previously disclosed.

The Colorado Attorney General’s Office is responsible for enforcement, and it finalized implementing rules on March 15, 2023, covering universal opt-out mechanisms, privacy notice requirements, accessibility standards, and biometric data retention.

Key Definitions Under the Colorado Privacy Act

Understanding the CPA requires clarity on how the law defines several foundational terms.

Personal Data

Personal data under the CPA means any information that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes data that has been de-identified and information that is publicly available, for example, government records or content a consumer has voluntarily made public.

The law does not enumerate specific categories of personal data, but common examples collected by websites and apps include names, email addresses, phone numbers, IP addresses, device identifiers, and browsing history.

Sensitive Data

A distinct subset of personal data, sensitive data triggers stronger protections under the CPA and requires explicit, opt-in consent before a controller may collect or process it. The CPA classifies the following as sensitive data:

  • Data revealing racial or ethnic origin
  • Data revealing religious beliefs
  • Data revealing mental or physical health conditions or diagnoses
  • Data concerning sex life or sexual orientation
  • Data revealing citizenship or immigration status
  • Genetic data
  • Biometric data processed for the purpose of uniquely identifying an individual
  • Personal data belonging to a known child

As of July 1, 2025, biometric data protections were significantly strengthened by HB 24-1130, which imposed new consent, notice, retention, and deletion obligations on entities — including employers — that collect biometric identifiers from individuals in Colorado.

As of May 23, 2025, precise geolocation data has been added to the category of sensitive data under the CPA. Collecting precise geolocation must now be justified by necessity and proportionality.

Controller and Processor

A controller is any person or organization that determines the purposes and means of processing personal data. A processor is a person that processes personal data on behalf of the controller. Processors must follow controllers’ instructions and support their compliance obligations. 

Before processing begins, controllers must enter into written contracts with processors that detail processing instructions, data security obligations, the conditions for engaging subcontractors, and requirements for deletion or return of data at the end of the contract.

Consent

The CPA defines consent as a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of their personal data. Acceptance of broad terms of service, hovering over or closing content, and consent obtained through dark patterns do not meet this standard.

Sale of Personal Data

A sale under the CPA is broadly defined as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. Sharing data with processors, affiliates, or third parties in the course of providing a requested product or service is not considered a sale under the law.

Targeted Advertising

The CPA defines targeted advertising as displaying ads to a consumer based on personal data obtained or inferred over time from the consumer’s activities across unaffiliated websites, applications, or services, used to predict preferences or interests. Contextual advertising based on a consumer’s current search query or website visit does not fall within this definition.

Who Must Comply with the Colorado Privacy Act?

The CPA applies to any person or business that conducts business in Colorado or targets commercial products or services to Colorado residents, and that meets one or both of the following thresholds:

  • Controls or processes the personal data of 100,000 or more consumers in a calendar year
  • Controls or processes the personal data of at least 25,000 consumers per year, and derives revenue or receives a discount on goods or services from the sale of that data

Businesses that collect or process biometric data or the personal data of minors are subject to CPA obligations now regardless of whether they meet these thresholds.

Colorado does not require a minimum annual revenue figure for compliance, which distinguishes it from California’s CCPA. A business need not have a physical presence in Colorado for the CPA to apply; operating a website or app that is intentionally targeted at Colorado residents is sufficient.

CPA Exemptions

Certain categories of organizations and data are exempt from CPA requirements. Exempt businesses include: 

  • Airlines
  • Public utilities
  • National securities associations
  • Higher education institutions
  • Health care facilities and providers
  • Consumer reporting agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)

Exempt categories of data include:

  • HIPAA-regulated data
  • Employment records 
  • Research data
  • De-identified data
  • Data regulated under other laws, including FERPA, FCRA, COPPA, and the DPPA

Notably, nonprofit organizations and small businesses are not categorically exempt. If they meet the coverage thresholds and do not otherwise qualify for an enumerated exemption, they must comply.

Consumer Rights Under the Colorado Privacy Act

Colorado residents have five core rights under the CPA, which controllers must be equipped to honor.

  • Right of access: Consumers may request confirmation of whether a controller is processing their data, and may obtain a copy of that data.
  • Right to correction: Consumers may request that a controller correct inaccuracies in their personal data, taking into account the purpose of the processing.
  • Right to deletion: Consumers may request deletion of their personal data, subject to certain exceptions.
  • Right to data portability: Consumers may request their personal data in a portable, readily usable format that allows them to transmit it to another entity.
  • Right to opt out: Consumers may opt out of the processing of their personal data for purposes of targeted advertising, sale, or profiling that produces legal or similarly significant effects.

Handling Consumer Rights Requests Under the CPA

The CPA also gives consumers the right to appeal a controller’s denial of a request. Controllers must respond to an authenticated consumer request within 45 days, with an option to extend by an additional 45 days where reasonably necessary. If a request is denied, the controller must inform the consumer of the available appeals process and of their right to contact the Attorney General.

What the Colorado Privacy Act Means for Cookies and Website Tracking

The CPA does not address cookies or tracking technologies by name, but its definition of personal data encompasses the types of identifiers, such as IP addresses, device IDs, browser fingerprints, and behavioral profiles, that tracking cookies and pixels routinely collect.

Because the CPA requires controllers to provide users with the ability to opt out of data processing for targeted advertising and sale, any cookie or tracker on your website that collects personal data for these purposes must be brought under the user’s control. 

In practical terms, this means deploying a consent management solution that presents Colorado users with a clear opt-out mechanism, honors Global Privacy Control (GPC) signals — which the CPA expressly requires controllers to recognize as valid opt-out signals — and maintains records of user preferences. 

Your privacy notice must also disclose the categories of personal data collected through cookies and trackers, the purposes for which that data is processed, and the categories of third parties with whom it is shared. 

If your marketing stack includes advertising pixels, session replay tools, or behavioral analytics trackers, each constitutes a data processing activity that requires transparency and, where the data is sensitive or the purpose constitutes a secondary use, opt-in consent.

Manage Colorado Privacy Act Compliance with Cookiebot by Usercentrics

Cookiebot by Usercentrics automatically scans your website for cookies and trackers, generates a cookie declaration to support compliance, and delivers a customizable consent banner that enables Colorado users to exercise their opt-out rights. 

The platform supports Global Privacy Control recognition (opt-out mechanisms are now required by a number of states), granular consent logging, and automated updates as privacy laws evolve.

Controllers’ Obligations Under the Colorado Privacy Act

Beyond honoring consumer rights requests, the CPA imposes seven affirmative duties on data controllers.

Duty of Transparency

Controllers must publish a privacy notice that is reasonably accessible, clear, and meaningful. The notice must identify: 

  • Categories of personal data collected
  • Purposes of processing
  • Categories of third parties with whom data is shared
  • Mechanism through which consumers can exercise their rights

For businesses operating apps, the notice must also be posted on download pages and in the app’s settings menu. Per the 2023 CPA Rules, the link to the notice must include the word “privacy,” and the notice must be accessible to users with disabilities.

Duty of Purpose Specification and Data Minimization

Controllers must specify the purposes for which personal data is collected, and they may only collect data that is adequate, relevant, and limited to what is reasonably necessary for those stated purposes.

This data minimization requirement was absent from the original version of California’s CCPA; it was added by the California Privacy Rights Act (CPRA), which took effect in January 2023.

Duty to Avoid Secondary Use

Personal data collected for one stated purpose may not be processed for a materially different purpose without first notifying the consumer of the new purpose and obtaining their consent. This is the secondary use prohibition.

Duty of Care and Data Security

Controllers must implement reasonable security measures appropriate to the volume, scope, and sensitivity of the personal data processed. The CPA does not specify minimum technical controls, but enforcement guidance from the Attorney General’s office indicates that the greater the volume and sensitivity of data, the more robust the required security posture.

Duty to Avoid Unlawful Discrimination

Controllers may not process personal data in a manner that violates state or federal anti-discrimination laws.

Data Protection Impact Assessments (DPIAs)

Controllers must conduct and document Data Protection Impact Assessments (DPIAs) for processing activities that present a heightened risk of consumer harm. These activities include targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that could produce decisions with legal or similarly significant effects. 

DPIAs must be made available to the Attorney General upon request. Under the October 2025 amendments, controllers offering online services to known or reasonably identifiable minors must conduct DPIAs where those services present a heightened risk of harm to minors, and must retain assessment documentation for at least three years.

Duty to Obtain Consent

The CPA’s opt-out default shifts to an opt-in requirement in three situations:

  • Processing sensitive data
  • Processing personal data of a known child under 13 (for which parental or guardian consent is required)
  • Processing data for secondary purposes

As of October 1, 2025, the standard expanded further: controllers must obtain consent from any consumer under 18 before processing their personal data for targeted advertising, sale, or profiling purposes, provided the controller knew or willfully disregarded that the consumer was a minor.

Universal Opt-Out and the Global Privacy Control

The CPA was among the first U.S. state privacy laws to explicitly require controllers to recognize universal opt-out mechanisms. As of 2026, 12 states now require this. Colorado is one of three states — along with California and Connecticut — to explicitly require respecting Global Privacy Control signals. The GPC is a browser-level signal that transmits a user’s opt-out preference across all sites they visit.

Controllers must honor valid GPC signals from Colorado users and may not configure their consent management platforms to treat a device’s default setting as an affirmative opt-out choice; the signal must reflect a deliberate user action.
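The three points made above (consent is only a clear, affirmative act; trackers used for targeted advertising or sale must be under the user's opt-out control; a GPC signal must be honored as a valid opt-out) can be expressed as a small consent-state model. The following is an added example written for this guide; it is not code from the original page, from Cookiebot, or from Usercentrics. The function names, the tracker inventory, and the sample requests are constructed for the illustration. The two real interfaces it relies on are the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property defined by the GPC specification.

```javascript
// Added example (not from the page, Cookiebot, or Usercentrics): a minimal
// consent-state model for an opt-out regime that must honor Global Privacy
// Control (GPC). Function names, the tracker inventory and the sample
// requests are constructed for this illustration.
const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// Constructed tracker inventory. `sensitive` marks a tracker that handles
// sensitive data (for example precise geolocation), which needs prior opt-in.
const SAMPLE_TRACKERS = [
  { id: "first-party-analytics", purpose: "analytics" },
  { id: "ad-pixel", purpose: "targeted_advertising" },
  { id: "data-broker-sync", purpose: "sale" },
  { id: "geo-enrichment", purpose: "targeted_advertising", sensitive: true },
];

// Server side: GPC arrives as the request header `Sec-GPC: 1`. Node
// lowercases incoming header names, so both spellings are checked.
function gpcFromHeaders(headers = {}) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(raw ?? "").trim() === "1";
}

// Client side: the signal is exposed as navigator.globalPrivacyControl.
// The navigator object is injected so this runs outside a browser too.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Only an explicit click on an accept/reject control counts as a choice.
// Closing, scrolling past, or hovering over the banner records nothing,
// because that is not a clear, affirmative act.
function choiceFromBannerEvent(event) {
  if (event.type !== "click") return null;
  if (event.control === "accept") return { optedOut: false };
  if (event.control === "reject") return { optedOut: true };
  return null; // e.g. a "close" button or a click on the overlay
}

// Apply a banner interaction to the stored preference record.
function applyBannerEvent(storedPrefs, event) {
  const choice = choiceFromBannerEvent(event);
  if (choice === null) return { ...storedPrefs };
  const updated = { ...storedPrefs };
  for (const purpose of OPT_OUT_PURPOSES) updated[purpose] = choice.optedOut;
  return updated;
}

// Merge stored preferences with the GPC signal. A GPC signal is an opt-out
// for every opt-out purpose and a stored opt-in never overrides it. Under
// the opt-out default, "no choice yet" means the purpose is not opted out.
function resolveOptOuts(storedPrefs = {}, gpcSignal = false) {
  const optOuts = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    optOuts[purpose] = gpcSignal || storedPrefs[purpose] === true;
  }
  return optOuts;
}

function shouldLoadTracker(tracker, optOuts, optIns = {}) {
  if (tracker.sensitive) return optIns[tracker.id] === true; // opt-in only
  if (!OPT_OUT_PURPOSES.includes(tracker.purpose)) return true;
  return optOuts[tracker.purpose] !== true;
}

// Entry point for a page load: returns the loading decision plus an audit
// record that names the source of any opt-out (signal vs. stored choice).
function planPageLoad({ headers = {}, nav = null, storedPrefs = {}, optIns = {} } = {},
                      trackers = SAMPLE_TRACKERS) {
  const gpcSignal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optOuts = resolveOptOuts(storedPrefs, gpcSignal);
  const allowed = trackers
    .filter((t) => shouldLoadTracker(t, optOuts, optIns))
    .map((t) => t.id);
  return { gpcSignal, optOuts, allowed, source: gpcSignal ? "gpc" : "stored" };
}

// Constructed request carrying a GPC signal: only the analytics tracker loads.
console.log(planPageLoad({ headers: { "sec-gpc": "1" } }).allowed);
```

Two design choices are worth noting. The GPC signal is combined with stored preferences using OR, so a user who once clicked "accept" but later enabled GPC is still opted out; the more protective state wins. And the code deliberately does not try to decide whether the received signal "reflects a deliberate user action": that responsibility sits with the browser or extension sending it, so a controller treats every received `Sec-GPC: 1` as valid rather than second-guessing it.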

2025 CPA Updates: Biometrics, Minors, and Geolocation

The Colorado Privacy Act has been actively amended since going into effect. Businesses subject to the CPA should note the following changes, and stay up to date on future amendments and other relevant legislation that affects personal data and privacy, such as that targeting AI governance.

Biometric Data

HB 24-1130 substantially expanded the CPA’s treatment of biometric data. Under the biometric amendment, controllers — including employers collecting biometric identifiers from employees and job applicants — must provide advance notice of biometric data collection, obtain consent before collection in most circumstances, maintain a written retention and destruction schedule, and implement an incident-response protocol for biometric data breaches. 

The amendment imposes obligations that apply regardless of whether the individuals involved qualify as “consumers” under the base CPA.

Minor Protections

SB 24-041 added a broader set of online safety obligations for businesses whose services are directed at or knowingly used by minors. The obligations, which came into effect on October 1, 2025, require controllers to:

  • Use reasonable care to avoid heightened risks of harm to minors
  • Obtain consent before processing a minor’s data for targeted advertising, sale, or profiling
  • Refrain from using design features that significantly increase, sustain, or extend a minor’s use of a service
  • Obtain parental or guardian consent before collecting precise geolocation data of users under 13 

In October 2025, the Colorado Department of Law finalized rules implementing these amendments, clarifying the “willful disregard” standard and the definition of addictive design features.

Precise Geolocation as Sensitive Data

SB 25-276 amended the CPA to classify precise geolocation data as a category of sensitive data. Controllers must now justify the collection of precise geolocation on the basis of necessity and proportionality, consistent with the civil rights protections the bill was enacted to reinforce.

Data Processing Agreements

Controllers must enter into contracts with processors before data processing begins. These contracts, while not explicitly referred to as "data processing agreements" under the CPA, serve a similar purpose.

Colorado AI Act

Colorado has also enacted, with SB 24-205, what is expected to become the first comprehensive state law regulating artificial intelligence systems used in consequential decisions. Originally passed in 2024, the Colorado AI Act was designed to regulate AI systems used in high-stakes decisions covering areas such as employment, housing, loans, and healthcare.

Its initial effective date of February 1, 2026 was subsequently delayed: on August 28, 2025, Governor Jared Polis signed SB 25B-004, pushing the operative date to June 30, 2026. 

The law imposes obligations on both developers and deployers of high-risk AI systems, including requirements to create developer documentation and public statements, implement deployer risk management programs and impact assessments, and issue consumer disclosures when AI contributes to consequential decisions. 

Enforcement authority rests with the Colorado Attorney General, and violations are actionable as deceptive trade practices under the Colorado Consumer Protection Act, which is the same enforcement framework that governs CPA violations.

Substantive amendments remain under consideration during the 2026 regular legislative session, and the law's final form is not yet settled. Businesses that use automated or AI-assisted decision-making in Colorado — particularly in employment, lending, or healthcare contexts — should monitor developments and begin assessing whether their systems fall within the Act's definition of a high-risk AI system ahead of the June 30, 2026 effective date.

Colorado Privacy Act Enforcement and Penalties

The Colorado Attorney General and District Attorneys share exclusive enforcement authority under the CPA. Colorado residents have no private right of action, meaning they cannot file lawsuits directly against companies for CPA violations.

Violations of the CPA are classified as deceptive trade practices under the Colorado Consumer Protection Act, which governs the penalty structure. Fines range from USD 2,000 to USD 20,000 per violation in standard cases, and from USD 10,000 to USD 50,000 per violation when the affected party is an elderly individual. Penalties are capped at USD 500,000 in aggregate for a related series of violations.

The CPA originally required the Attorney General or District Attorney to issue a notice of violation and allow 60 days to cure before initiating enforcement. That provision — which was double the 30-day cure period found in several other state privacy laws — sunsetted on January 1, 2025. 

The Colorado AG may now pursue enforcement action without first offering a cure opportunity, placing Colorado alongside Connecticut in an enforcement posture that permits immediate penalties.

Because CPA violations fall under the Consumer Protection Act, they can also result in criminal charges in extreme cases, which is an unusual feature among U.S. state privacy laws.

How the CPA Compares to Other Privacy Laws

The CPA shares significant structural DNA with Virginia's Consumer Data Protection Act, including the same five core consumer rights, data minimization and purpose limitation obligations, data protection assessment requirements, and enforcement exclusively through the Attorney General with no private right of action. 

Virginia's framework has since become the template for a number of state privacy laws enacted since 2023. Practically speaking, businesses already managing VCDPA compliance will find considerable overlap with CPA requirements, though Colorado's more detailed rulemaking, biometric provisions, and minor protections represent meaningful additions.

Against California, the most significant structural difference remains the absence of a revenue-based compliance threshold in Colorado: the CPA triggers solely on data volume and whether revenue derives from data sales. 

Colorado imposes higher maximum penalties — up to USD 20,000 per violation compared to California's USD 7,500. 

On universal opt-out, Colorado is now one of 12 states requiring businesses to honor opt-out preference signals such as the Global Privacy Control, with GPC enforcement already the subject of coordinated multi-state investigative sweeps involving California, Colorado, and Connecticut. 

Maryland's Online Data Privacy Act (MODPA) is worth noting as a point of comparison for businesses assessing where state law is heading: it imposes the most restrictive data minimization standard currently in force in the U.S. MODPA limits collection to what is necessary for the specific product or service requested and prohibits the sale of sensitive personal data outright, going further than Colorado's opt-in consent requirement.

Against the GDPR, the fundamental structural difference remains: Colorado operates on an opt-out default, whereas European law requires affirmative consent before most data processing. 

For businesses subject to both regimes, the CPA's consent requirements for sensitive data, secondary use, children's data, and biometric identifiers meaningfully narrow the operational gap, but the baseline default represents an irreconcilable structural distinction that cannot be harmonized through policy alone.

How to Comply with the Colorado Privacy Act: Seven Steps

Businesses that meet the CPA’s coverage thresholds should work through the following compliance steps.

Audit your data flows

Identify all personal data your organization collects, the sources and purposes, the processors involved, and the third parties with whom data is shared.

Publish a compliant privacy notice

Ensure that your notice identifies the categories of data collected, purposes of processing, third-party data sharing, and the method for consumers to exercise their rights. Post it prominently on your website and on any app download or settings page and keep it updated.

Implement an opt-out mechanism

Provide consumers with a clear means to opt out of targeted advertising, data sales, and profiling. Honor Global Privacy Control signals automatically.

Obtain consent where required

Deploy a consent management solution to collect valid opt-in consent for sensitive data processing, secondary uses, and data belonging to children under 13. For users under 18, obtain consent before processing their data for advertising, sale, or profiling purposes.

Enter into data processing agreements

Execute written contracts with all processors before processing begins, covering the specific requirements set out in the CPA.

Build a consumer request process

Establish a documented system for receiving, authenticating, and responding to consumer rights requests within 45 days, with an appeals pathway.

Conduct and document DPIAs

Complete Data Protection Impact Assessments for high-risk processing activities and retain documentation for at least three years.

Frequently asked questions

What is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act (CPA) is a U.S. state-level consumer privacy law that protects the personal data of Colorado residents and imposes data protection requirements on businesses that operate in the state or offer goods and services to its residents.

What is the Colorado Privacy Act’s effective date?

The Colorado Privacy Act came into effect on July 1, 2023.

Who qualifies as a consumer under the CPA?

Consumers under the CPA are defined as individuals who are residents of Colorado and act in an individual or household context, excluding those acting in a commercial or employment context.

What are the Colorado Privacy Act’s thresholds for applicability?

Businesses that conduct business in Colorado or deliver commercial products or services targeted to Colorado residents must comply with the CPA if they control or process personal data of at least 100,000 consumers or of at least 25,000 consumers while deriving revenue from the sale of personal data.

What are the Colorado Privacy Act penalties for noncompliance?

Violations of the Colorado Privacy Act are considered deceptive trade practices and can result in fines ranging from USD 2,000 to USD 20,000 per violation. If the violation involves an elderly person, penalties can increase to between USD 10,000 and USD 50,000 per violation.

How does the Colorado Privacy Act define and regulate sensitive data?

Sensitive data under the CPA includes information that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship status, and personal data from children under 13. Genetic and biometric data used to identify individuals are also considered sensitive. The CPA requires businesses to obtain explicit, opt-in consent before processing sensitive data.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.