Colorado Privacy Act
The Colorado Privacy Act is the third comprehensive US state privacy law, granting consumer data rights and notably requiring businesses to honor universal opt-out signals. It is enforced by the Colorado Attorney General and district attorneys.
The Colorado Privacy Act (CPA) is a comprehensive state consumer privacy law signed in July 2021 and effective July 1, 2023. It is the third comprehensive privacy law in the United States and follows the controller and processor framework also used in Virginia. The Colorado Attorney General issued detailed rules that took effect alongside the statute and that added specificity on consent, universal opt-out, and data protection assessments.
A distinctive feature of the CPA is its early and firm requirement that businesses recognize universal opt-out mechanisms, such as browser-based signals, so consumers can opt out of targeted advertising and the sale of their data across many sites at once.
Who It Applies To
The CPA applies to controllers that conduct business in Colorado or target Colorado residents and that either control or process the personal data of 100,000 or more consumers in a year, or control or process the personal data of 25,000 or more consumers while deriving revenue or receiving a discount from the sale of personal data. It protects Colorado residents acting in an individual or household context. It does not apply in the employment or commercial context, and several sectoral exemptions apply.
Key Requirements
Consumers have the rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling that has legal or similarly significant effects. Controllers must respond within 45 days and provide an appeal process. Opt-in consent is required to process sensitive data. Controllers must recognize a universal opt-out mechanism approved by the state. They must provide a transparent privacy notice, follow purpose specification and data minimization, avoid secondary uses without consent, and enter into data processing agreements. Data protection assessments are required for processing that presents a heightened risk of harm.
Penalties for Non-Compliance
Violations of the CPA are treated as deceptive trade practices under Colorado law and can carry civil penalties of up to USD 20,000 per violation. Both the Colorado Attorney General and district attorneys can enforce the law. There is no private right of action.
How to Comply
Assess whether you meet the consumer thresholds. Publish a clear privacy notice and offer rights to access, correct, delete, and port data within 45 days, with an appeal route. Implement a recognized universal opt-out mechanism and honor browser signals. Obtain opt-in consent before processing sensitive data. Apply data minimization and purpose limitation. Sign data processing agreements with processors and conduct data protection assessments for high-risk processing.