- \n
- Effective date:<\/strong> July 1, 2023 (Colorado was the third U.S. state to enact a comprehensive consumer data privacy law; significantly amended in 2024 and 2025)<\/li>\n\n\n\n
- Scope:<\/strong> Applies to businesses conducting business in Colorado, or targeting goods or services to Colorado residents, that either process personal data from at least 100,000 consumers per year, or process data from at least 25,000 consumers per year while deriving revenue from the sale of personal data. No minimum annual revenue threshold.<\/li>\n\n\n\n
- Consent model:<\/strong> Opt-out, so businesses may generally collect and process personal data without prior consent, but must notify consumers and honor opt-out requests for targeted advertising, data sales, and profiling. Opt-in consent is required for sensitive data, children\u2019s data, and secondary uses.<\/li>\n\n\n\n
- Consumer rights:<\/strong> Opt-out, access, correction, deletion, and data portability; consumers also have the right to appeal a controller\u2019s denial of a request.<\/li>\n\n\n\n
- Enforcement:<\/strong> Colorado Attorney General and District Attorneys have exclusive enforcement authority; fines from USD 2,000 to USD 20,000 per violation (USD 10,000 to USD 50,000 for violations against elderly persons); no private right of action; no cure period.<\/li>\n\n\n\n
- Key 2025 updates:<\/strong> Biometric data obligations expanded (effective July 1, 2025); minor protections requiring consent for under-18 data processing added (effective October 1, 2025); precise geolocation classified as sensitive data (effective May 23, 2025).<\/li>\n<\/ul>\n\n\n\n
What is the Colorado Privacy Act (CPA)?<\/h2>\n\n\n\n
The Colorado Privacy Act is a state-level consumer data privacy statute encoded in the Colorado Revised Statutes, Title 6, Article 1, Part 13<\/a>. It followed closely on the passage of Virginia\u2019s Consumer Data Protection Act<\/a> earlier that year.<\/p>\n\n\n\n
The CPA\u2019s core purpose is to give Colorado residents meaningful control over how their personal data is collected, used, and shared by businesses. <\/p>\n\n\n\n
Rather than requiring consent before all data collection as the EU\u2019s General Data Protection Regulation (GDPR) does, the CPA adopts an opt-out framework, meaning businesses may generally process consumer data without prior consent, unless the data is sensitive, belongs to a child, or is being used for secondary purposes not previously disclosed.<\/p>\n\n\n\n
The Colorado Attorney General\u2019s Office is responsible for enforcement, and it finalized implementing rules on March 15, 2023, covering universal opt-out mechanisms, privacy notice requirements, accessibility standards, and biometric data retention.<\/p>\n\n\n\n
Key Definitions Under the Colorado Privacy Act<\/h2>\n\n\n\n
Understanding the CPA requires clarity on how the law defines several foundational terms.<\/p>\n\n\n\n
Personal Data<\/h3>\n\n\n\n
Personal data under the CPA means any information that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes data that has been de-identified and information that is publicly available, for example, government records or content a consumer has voluntarily made public.<\/p>\n\n\n\n
The law does not enumerate specific categories of personal data, but common examples collected by websites and apps include names, email addresses, phone numbers, IP addresses, device identifiers, and browsing history.<\/p>\n\n\n\n
Sensitive Data<\/h3>\n\n\n\n
A distinct subset of personal data, sensitive data triggers stronger protections under the CPA and requires explicit, opt-in consent before a controller may collect or process it. The CPA classifies the following as sensitive data:<\/p>\n\n\n\n
- \n
- Data revealing racial or ethnic origin<\/li>\n\n\n\n
- Data revealing religious beliefs<\/li>\n\n\n\n
- Data revealing mental or physical health conditions or diagnoses<\/li>\n\n\n\n
- Data concerning sex life or sexual orientation<\/li>\n\n\n\n
- Data revealing citizenship or immigration status<\/li>\n\n\n\n
- Genetic data<\/li>\n\n\n\n
- Biometric data processed for the purpose of uniquely identifying an individual<\/li>\n\n\n\n
- Personal data belonging to a known child<\/li>\n<\/ul>\n\n\n\n
As of July 1, 2025, biometric data protections were significantly strengthened by HB 24-1130<\/a>, which imposed new consent, notice, retention, and deletion obligations on entities \u2014 including employers \u2014 that collect biometric identifiers from individuals in Colorado.<\/p>\n\n\n\n
As of May 23, 2025, precise geolocation data has been added to the category of sensitive data under the CPA. Collecting precise geolocation must now be justified by necessity and proportionality.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2025\/04\/cb_blog_900x450_What-is-sensitive-data-under-the-CPA_.svg\")
<\/figure>\n\n\n\nController and Processor<\/h3>\n\n\n\n
A controller is any person or organization that determines the purposes and means of processing personal data. A processor is a person that processes personal data on behalf of the controller. Processors must follow controllers\u2019 instructions and support their compliance obligations. <\/p>\n\n\n\n
Before processing begins, controllers must enter into written contracts with processors that detail processing instructions, data security obligations, the conditions for engaging subcontractors, and requirements for deletion or return of data at the end of the contract.<\/p>\n\n\n\n
Consent<\/h3>\n\n\n\n
The CPA defines consent as a clear, affirmative act signifying a consumer\u2019s freely given, specific, informed, and unambiguous agreement to the processing of their personal data. Acceptance of broad terms of service, hovering over or closing content, and consent obtained through dark patterns<\/a> do not meet this standard.<\/p>\n\n\n\n
Sale of Personal Data<\/h3>\n\n\n\n
A sale under the CPA is broadly defined as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. Sharing data with processors, affiliates, or third parties in the course of providing a requested product or service is not considered a sale under the law.<\/p>\n\n\n\n
Targeted Advertising<\/h3>\n\n\n\n
The CPA defines targeted advertising as displaying ads to a consumer based on personal data obtained or inferred over time from the consumer\u2019s activities across unaffiliated websites, applications, or services, used to predict preferences or interests. Contextual advertising based on a consumer\u2019s current search query or website visit does not fall within this definition.<\/p>\n\n\n\n
Who Must Comply with the Colorado Privacy Act?<\/h2>\n\n\n\n
The CPA applies to any person or business that conducts business in Colorado or targets commercial products or services to Colorado residents, and that meets one or both of the following thresholds:<\/p>\n\n\n\n
- \n
- Controls or processes the personal data of 100,000 or more consumers in a calendar year<\/li>\n\n\n\n
- Controls or processes the personal data of at least 25,000 consumers per year, and derives revenue or receives a discount on goods or services from the sale of that data<\/li>\n<\/ul>\n\n\n\n
Businesses that collect or process biometric data or the personal data of minors are subject to CPA obligations now regardless of whether they meet these thresholds.<\/p>\n\n\n\n
Colorado does not require a minimum annual revenue figure for compliance, which distinguishes it from California\u2019s CCPA. A business need not have a physical presence in Colorado for the CPA to apply; operating a website or app that is intentionally targeted at Colorado residents is sufficient.<\/p>\n\n\n\n
CPA Exemptions<\/h3>\n\n\n\n
Certain categories of organizations and data are exempt from CPA requirements. Exempt businesses include: <\/p>\n\n\n\n
- \n
- Airlines<\/li>\n\n\n\n
- Public utilities<\/li>\n\n\n\n
- National securities associations<\/li>\n\n\n\n
- Higher education institutions<\/li>\n\n\n\n
- Health care facilities and providers<\/li>\n\n\n\n
- Consumer reporting agencies<\/li>\n\n\n\n
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)<\/a><\/li>\n<\/ul>\n\n\n\n
Exempt categories of data include:<\/p>\n\n\n\n
- \n
- HIPAA<\/a>-regulated data<\/li>\n\n\n\n
- Employment records <\/li>\n\n\n\n
- Research data<\/li>\n\n\n\n
- De-identified data<\/li>\n\n\n\n
- Data regulated under laws, including FERPA, FCRA, COPPA, and the DPPA.<\/li>\n<\/ul>\n\n\n\n
Notably, nonprofit organizations and small businesses are not categorically exempt. If they meet the coverage thresholds and do not otherwise qualify for an enumerated exemption, they must comply.<\/p>\n\n\n\n
Consumer Rights Under the Colorado Privacy Act<\/h2>\n\n\n\n
ThColorado residents have five core rights under the CPA, which controllers must be equipped to honor.<\/p>\n\n\n\n
- \n
- Right of access:<\/strong> Consumers may request confirmation of whether a controller is processing their data, and may obtain a copy of that data.<\/li>\n\n\n\n
- Right to correction:<\/strong> Consumers may request that a controller correct inaccuracies in their personal data, taking into account the purpose of the processing.<\/li>\n\n\n\n
- Right to deletion:<\/strong> Consumers may request deletion of their personal data, subject to certain exceptions.<\/li>\n\n\n\n
- Right to data portability:<\/strong> Consumers may request their personal data in a portable, readily usable format that allows them to transmit it to another entity.<\/li>\n\n\n\n
- Right to opt out:<\/strong> Consumers may opt out of the processing of their personal data for purposes of targeted advertising, sale, or profiling that produces legal or similarly significant effects.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2025\/04\/cb_blog_900x450_Consumer-rights-under-the-Colorado-Privacy-Act.svg\")
<\/figure>\n\n\n\nHandling Consumer Rights Requests Under the CPA<\/h3>\n\n\n\n
The CPA also gives consumers the right to appeal a controller\u2019s denial of a request. Controllers must respond to an authenticated consumer request within 45 days, with an option to extend by an additional 45 days where reasonably necessary. If a request is denied, the controller must inform the consumer of the available appeals process and of their right to contact the Attorney General.<\/p>\n\n\n\n
What the Colorado Privacy Act Means for Cookies and Website Tracking<\/h2>\n\n\n\n
The CPA does not address cookies or tracking technologies by name, but its definition of personal data encompasses the types of identifiers, such as IP addresses, device IDs, browser fingerprints, and behavioral profiles, that tracking cookies and pixels routinely collect.<\/p>\n\n\n\n
Because the CPA requires controllers to provide users with the ability to opt out of data processing for targeted advertising and sale, any cookie or tracker on your website that collects personal data for these purposes must be brought under the user\u2019s control. <\/p>\n\n\n\n
In practical terms, this means deploying a consent management solution that presents Colorado users with a clear opt-out mechanism, honors Global Privacy Control (GPC)<\/a> signals \u2014 which the CPA expressly requires controllers to recognize as valid opt-out signals \u2014 and maintains records of user preferences. <\/p>\n\n\n\n
Your privacy notice must also disclose the categories of personal data collected through cookies and trackers, the purposes for which that data is processed, and the categories of third parties with whom it is shared. <\/p>\n\n\n\n
If your marketing stack includes advertising pixels, session replay tools, or behavioral analytics trackers, each constitutes a data processing activity that requires transparency and, where the data is sensitive or the purpose constitutes a secondary use, opt-in consent.<\/p>\n\n\n\n
Manage Colorado Privacy Act Compliance with Cookiebot by Usercentrics<\/h2>\n\n\n\n
Cookiebot by Usercentrics<\/a> automatically scans your website for cookies and trackers, generates a cookie declaration to support compliance, and delivers a customizable consent banner that enables Colorado users to exercise their opt-out rights. <\/p>\n\n\n\n
The platform supports Global Privacy Control recognition (opt-out mechanisms are now required by a number of states), granular consent logging, and automated updates as privacy laws evolve.<\/p>\n\n\n
\n\n\n\n\n Manage data collection, notice, and opt-out requirements with Cookiebot <\/h2>\n
\nIn 5 minutes you can customize your cookie banner for your brand and relevant regulations. Then start your 14-day trial to see it in action.<\/span><\/p>\n <\/div>\n
\n\n \nTry It Now<\/span><\/a>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n<\/div>\n\n\n\nControllers\u2019 Obligations Under the Colorado Privacy Act<\/h2>\n\n\n\n
Beyond honoring consumer rights requests, the CPA imposes seven affirmative duties on data controllers.<\/p>\n\n\n\n
Duty of Transparency<\/h3>\n\n\n\n
Controllers must publish a privacy notice that is reasonably accessible, clear, and meaningful. The notice must identify: <\/p>\n\n\n\n
- \n
- Categories of personal data collected<\/li>\n\n\n\n
- Purposes of processing<\/li>\n\n\n\n
- Categories of third parties with whom data is shared<\/li>\n\n\n\n
- Mechanism through which consumers can exercise their rights<\/li>\n<\/ul>\n\n\n\n
For businesses operating apps, the notice must also be posted on download pages and in the app\u2019s settings menu. Per the 2023 CPA Rules<\/a>, the link to the notice must include the word \u201cprivacy,\u201d and the notice must be accessible to users with disabilities.<\/p>\n\n\n\n
Duty of Purpose Specification and Data Minimization<\/h3>\n\n\n\n
CControllers must specify the purposes for which personal data is collected, and they may only collect data that is adequate, relevant, and limited to what is reasonably necessary for those stated purposes. <\/p>\n\n\n\n
This data minimization<\/a> requirement differs from California\u2019s CCPA, the original version of which did not include a data minimization requirement. This was added by the California Privacy Rights Act (CPRA), which took effect in January 2023.<\/p>\n\n\n\n
Duty to Avoid Secondary Use<\/h3>\n\n\n\n
Personal data collected for one stated purpose may not be processed for a materially different purpose without first notifying the consumer of the new purpose and obtaining their consent. This is the secondary use prohibition.<\/p>\n\n\n\n
Duty of Care and Data Security<\/h3>\n\n\n\n
Controllers must implement reasonable security measures appropriate to the volume, scope, and sensitivity of the personal data processed. The CPA does not specify minimum technical controls, but enforcement guidance from the Attorney General\u2019s office indicates that the greater the volume and sensitivity of data, the more robust the required security posture.<\/p>\n\n\n\n
Duty to Avoid Unlawful Discrimination<\/h3>\n\n\n\n
Controllers may not process personal data in a manner that violates state or federal anti-discrimination laws.<\/p>\n\n\n\n
Data Protection Impact Assessments (DPIAs)<\/h3>\n\n\n\n
Controllers must conduct and document Data Protection Impact Assessments (DPIAs)<\/a> for processing activities that present a heightened risk of consumer harm. These activities include targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that could produce decisions with legal or similarly significant effects. <\/p>\n\n\n\n
DPIAs must be made available to the Attorney General upon request. Under the October 2025 amendments, controllers offering online services to known or reasonably identifiable minors must conduct DPIAs where those services present a heightened risk of harm to minors, and must retain assessment documentation for at least three years.<\/p>\n\n\n\n
Consent for Sensitive Data, Children, and Secondary Use<\/h3>\n\n\n\n
The CPA\u2019s opt-out default shifts to an opt-in requirement in three situations: <\/p>\n\n\n\n
- \n
- Processing sensitive data<\/li>\n\n\n\n
- Processing personal data of a known child under 13 (for which parental or guardian consent is required)<\/li>\n\n\n\n
- Processing data for secondary purposes<\/li>\n<\/ul>\n\n\n\n
As of October 1, 2025, the standard expanded further: controllers must obtain consent from any consumer under 18 before processing their personal data for targeted advertising, sale, or profiling purposes, provided the controller knew or willfully disregarded that the consumer was a minor.<\/p>\n\n\n\n
Universal Opt-Out and the Global Privacy Control<\/h2>\n\n\n\n
The CPA was among the first U.S. state privacy laws to explicitly require controllers to recognize universal opt-out mechanisms. As of 2026, 12 states now require this. Colorado is one of three states \u2014 along with California and Connecticut \u2014 to explicitly require respecting Global Privacy Control signals. The GPC is a browser-level signal that transmits a user\u2019s opt-out preference across all sites they visit.<\/p>\n\n\n\n
Controllers must honor valid GPC signals from Colorado users and may not configure their consent management platforms to treat a device\u2019s default setting as an affirmative opt-out choice; the signal must reflect a deliberate user action.<\/p>\n\n\n\n
2025 CPA Updates: Biometrics, Minors, and Geolocation<\/h2>\n\n\n\n
The Colorado Privacy Act has been actively amended since going into effect. Businesses subject to the CPA should note the following changes, and stay up to date on future amendments and other relevant legislation that affects personal data and privacy, such as that targeting AI governance.<\/p>\n\n\n\n
Biometric Data<\/h3>\n\n\n\n
HB 24-1130 substantially expanded the CPA\u2019s treatment of biometric data. Under the biometric amendment, controllers \u2014 including employers collecting biometric identifiers from employees and job applicants \u2014 must provide advance notice of biometric data collection, obtain consent before collection in most circumstances, maintain a written retention and destruction schedule, and implement an incident-response protocol for biometric data breaches. <\/p>\n\n\n\n
The amendment imposes obligations that apply regardless of whether the individuals involved qualify as \u201cconsumers\u201d under the base CPA.<\/p>\n\n\n\n
Minor Protections<\/h3>\n\n\n\n
SB 24-041 added a broader set of online safety obligations for businesses whose services are directed at or knowingly used by minors. The obligations, which came into effect on October 1, 2025, require controllers to:<\/p>\n\n\n\n
- \n
- Use reasonable care to avoid heightened risks of harm to minors<\/li>\n\n\n\n
- Obtain consent before processing a minor\u2019s data for targeted advertising, sale, or profiling<\/li>\n\n\n\n
- Refrain from using design features that significantly increase, sustain, or extend a minor\u2019s use of a service<\/li>\n\n\n\n
- Obtain parental or guardian consent before collecting precise geolocation data of users under 13 <\/li>\n<\/ul>\n\n\n\n
In October 2025, the Colorado Department of Law finalized rules implementing these amendments, clarifying the \u201cwillful disregard\u201d standard and the definition of addictive design features.<\/p>\n\n\n\n
Precise Geolocation as Sensitive Data<\/h3>\n\n\n\n
SB 25-276 amended the CPA to classify precise geolocation data as a category of sensitive data. Controllers must now justify the collection of precise geolocation on the basis of necessity and proportionality, consistent with the civil rights protections the bill was enacted to reinforce.<\/p>\n\n\n\n
Colorado AI Act<\/h3>\n\n\n\n
Controllers must enter into contracts with processors before data processing begins. These contracts, while not explicitly referred to as \"data processing agreements\" under the CPA, serve a similar puColorado has also enacted what is expected to become the first comprehensive state law regulating artificial intelligence systems used in consequential decisions with SB 24-205<\/a>. Originally passed in 2024, the Colorado AI Act was designed to regulate AI systems used in high-stakes decisions covering areas such as employment, housing, loans, and healthcare.<\/p>\n\n\n\n
Its initial effective date of February 1, 2026 was subsequently delayed: on August 28, 2025, Governor Jared Polis signed SB 25B-004, pushing the operative date to June 30, 2026.<\/p>\n\n\n\n
The law imposes obligations on both developers and deployers of high-risk AI systems, including requirements to create developer documentation and public statements, implement deployer risk management programs and impact assessments, and issue consumer disclosures when AI contributes to consequential decisions.<\/p>\n\n\n\n
Enforcement authority rests with the Colorado Attorney General, and violations are actionable as deceptive trade practices under the Colorado Consumer Protection Act, which is the same enforcement framework that governs CPA violations.<\/p>\n\n\n\n
Substantive amendments remain under consideration during the 2026 regular legislative session, and the law's final form is not yet settled. Businesses that use automated or AI-assisted decision-making in Colorado \u2014 particularly in employment, lending, or healthcare contexts \u2014 should monitor developments and begin assessing whether their systems fall within the Act's definition of a high-risk AI system ahead of the June 30, 2026 effective date.<\/p>\n\n\n\n
Colorado Privacy Act Enforcement and Penalties<\/h2>\n\n\n\n
The Colorado Attorney General and District Attorneys share exclusive enforcement authority under the CPA. Colorado residents have no private right of action, meaning they cannot file lawsuits directly against companies for CPA violations.<\/p>\n\n\n\n
- Right to correction:<\/strong> Consumers may request that a controller correct inaccuracies in their personal data, taking into account the purpose of the processing.<\/li>\n\n\n\n
- HIPAA<\/a>-regulated data<\/li>\n\n\n\n
- Scope:<\/strong> Applies to businesses conducting business in Colorado, or targeting goods or services to Colorado residents, that either process personal data from at least 100,000 consumers per year, or process data from at least 25,000 consumers per year while deriving revenue from the sale of personal data. No minimum annual revenue threshold.<\/li>\n\n\n\n
![\"\"](\"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2025\/04\/cb_blog_900x450_Colorado-Privacy-Act-penalties-and-enforcement.svg\")
<\/figure>\n\n\n\n![\"Checklist](\"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2023\/01\/Checklist_with_a_shield_representing_privacy_compliance_verification-1.svg?v=9945bae901ece5af\"\n)
\n <\/figure>\n <\/div>\n