The Colorado Privacy Act (CPA) is a state law that grants Colorado residents rights over their personal data and requires covered businesses to honor opt-outs. Signed in 2021 as Senate Bill 21-190, it took effect July 1, 2023. It applies to businesses that meet Colorado's consumer thresholds, wherever they are based.
This guide covers who must comply, the consumer rights, the universal opt-out mandate, sensitive data rules, enforcement, and penalties. It closes with how Consently supports the opt-out side of compliance.
What Is the Colorado Privacy Act (CPA)?
The Colorado Privacy Act is a state law, Senate Bill 21-190, that creates personal-data rights for Colorado consumers. It also sets compliance duties for the businesses, called controllers, that collect their data. It is part of the Colorado Consumer Protection Act. Colorado was the third US state to pass a comprehensive privacy law, after California and Virginia.
The CPA gives Colorado residents the right to access, correct, delete, and port their personal data. It also grants the right to opt out of its sale, its use for targeted advertising, and certain profiling. It places matching duties on controllers: transparency, data minimization, and consent before processing sensitive data.
Colorado's law is one entry in a broader wave of US state privacy laws that followed California's lead. It sits within the wider landscape of data privacy laws that now govern how sites collect and handle personal data. Each state law shares a common structure: opt-out rights and sensitive-data protections. They differ on thresholds, enforcement, and specific mechanics, which the sections below cover for Colorado.
When Did the Colorado Privacy Act Take Effect?
The Colorado Privacy Act took effect July 1, 2023, two years after Governor Jared Polis signed it into law.
The full timeline runs as follows.
- July 7, 2021: Governor Polis signs Senate Bill 21-190, establishing the CPA.
- March 15, 2023: The Colorado Attorney General files final CPA rules with the Secretary of State.
- July 1, 2023: The CPA takes effect; the Attorney General launches enforcement.
- July 1, 2024: Controllers must begin honoring universal opt-out signals.
- January 1, 2025: The 60-day right-to-cure period sunsets.
- 2024 to 2025: Amendments extend sensitive-data protections to precise geolocation data and add biometric and neural data protections under a separate bill, H.B. 1058.
Who Has to Comply with the Colorado Privacy Act?
A business must comply with the CPA if it conducts business in Colorado or targets products or services to Colorado residents. It also must meet one of two consumer-count thresholds.
The two thresholds are:
- 100,000 or more consumers: the business controls or processes the personal data of 100,000 or more Colorado residents in a calendar year.
- 25,000 or more consumers plus data sales: the business derives revenue, or receives a discount, from selling personal data, and controls or processes the personal data of 25,000 or more Colorado residents.
The CPA sets no revenue-size threshold. Unlike the CCPA's roughly $26.6 million annual-revenue gate, a small business with no meaningful revenue can still fall under Colorado's law. It only needs to meet either consumer-count threshold.
The law also applies regardless of where the business is based. A Texas company that processes 150,000 Colorado residents' data is covered the same as a Colorado-headquartered one.
"Consumer" under the CPA means a Colorado resident acting in an individual or household context. The 100,000-consumer threshold counts Colorado residents specifically, not a nationwide total. "Process" also covers data a business currently stores, not only data it collects that year. A site sitting on records for 100,000 past Colorado visitors is in scope even if this year's new signups are far fewer.
Who Is Exempt from the CPA?
The CPA exempts specific entity types and data categories, but it does not exempt nonprofits.
- Financial institutions and their affiliates already covered by the Gramm-Leach-Bliley Act.
- Air carriers regulated by the Federal Aviation Administration.
- National securities associations registered under the Securities Exchange Act.
- Data covered by other federal laws, including HIPAA-protected health data and FCRA-governed consumer report data.
- Employment records and job-applicant data, since "consumer" under the CPA excludes anyone acting in an employment context.
Colorado's law breaks from California's and Virginia's on one point: it does not exclude nonprofits. A nonprofit that meets either consumer-count threshold is a covered controller under the CPA, even though the equivalent California and Virginia laws leave nonprofits out.
What Rights Does the CPA Give Colorado Consumers?
Colorado residents get five core rights, and businesses must act on requests within 45 days.
| Right | What it lets a consumer do |
|---|---|
| Right to Opt Out | Opt out of the sale of personal data, its use for targeted advertising, or certain profiling decisions |
| Right to Access | Confirm whether a controller is processing their data and get a copy of it |
| Right to Correct | Fix inaccuracies in personal data a controller holds |
| Right to Delete | Request deletion of personal data provided by or collected about them |
| Right to Data Portability | Receive their data in a portable, readily usable format to transfer elsewhere |
Controllers must respond to a verified request within 45 days. One 45-day extension is available if they notify the consumer of the delay within the original window.
Colorado consumers exercise the right to opt out of the sale of their personal data directly through a business's privacy notice. They can also use a universal opt-out signal, covered next.
What Is the Universal Opt-Out Mechanism (and Why It Matters)?
A Universal Opt-Out Mechanism (UOOM) is a browser or device signal. It tells every website at once that a consumer opts out of targeted advertising and the sale of personal data. Since July 1, 2024, Colorado controllers must detect and honor a recognized UOOM. They cannot require the consumer to make a separate request to each site.
Global Privacy Control (GPC) is the only UOOM the Colorado Department of Law currently recognizes. GPC is a signal built into certain browsers and browser extensions. When a Colorado resident turns it on, every controller subject to the CPA must treat it as a valid opt-out request.
The Department maintains a public list of recognized mechanisms and updates it periodically. GPC is the current standard, not necessarily the only one Colorado will ever recognize.
Colorado was the first state to require businesses to recognize a universal opt-out mechanism by a fixed date. Controllers must also explain, in their privacy notice, how they process opt-out requests made through a UOOM. The obligation sits with the business. It must build the detection and honoring into its own systems, not rely on a single vendor to supply it automatically.
What Counts as Sensitive Data Under the CPA?
Sensitive data is personal data that reveals specific, high-risk categories about a consumer, and the CPA requires affirmative opt-in consent before a controller processes it.
The CPA's sensitive-data categories include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used to identify an individual
- Personal data of a known child under 13
- Precise geolocation data, added by 2025 rules
Sensitive data is the one place the CPA flips from opt-out to opt-in. Everywhere else, a controller can process personal data by default and must offer an opt-out. For sensitive data, consent must come first, and that consent must be affirmative, freely given, specific, informed, and unambiguous.
Accepting broad terms of service, hovering over content, or agreeing through a deceptive page design does not count as consent under the CPA.
What Does the CPA Require Businesses to Do?
Covered businesses, called controllers, carry six core duties under the CPA.
- Be transparent: provide a clear privacy notice describing what data is collected, why, and how consumers can exercise their rights.
- Minimize data collection: collect and store only what is reasonably necessary for the stated purpose.
- Avoid secondary uses: do not process data for a new purpose the consumer was not told about, without consent.
- Use reasonable security: apply security practices appropriate to the data's sensitivity.
- Respond to requests: act on consumer rights requests within 45 days.
- Conduct Data Protection Assessments: document risk assessments before high-risk processing.
Controllers may not collect, use, or sell sensitive data without consent, and may not use personal data in a way that results in unlawful discrimination.
Data Protection Assessments
A Data Protection Assessment is a documented risk review a controller must complete before engaging in processing that carries a heightened risk of harm. The CPA requires one before selling personal data, processing sensitive data, or running targeted advertising and certain profiling.
The assessment weighs the benefits of the processing, to the controller, the consumer, and the public, against the risks to consumer rights. The Colorado Attorney General can request a completed assessment, and requesting it does not waive any attorney-client privilege the business holds over the document.
How Is the Colorado Privacy Act Enforced? (Fines and the Attorney General)
The Colorado Attorney General and district attorneys hold sole enforcement power over the CPA. There is no private right of action. Individual consumers cannot sue a business directly for a CPA violation.
A CPA violation is enforced as a deceptive trade practice under the Colorado Consumer Protection Act. That exposes a business to civil penalties of up to $20,000 per violation. Each affected consumer can count as a separate violation, so penalties scale with the number of people impacted. Reporting on the Consumer Protection Act's civil-penalty structure puts the aggregate ceiling at $500,000 for a related series of violations.
Until January 1, 2025, businesses received a 60-day right to cure a remediable violation before facing enforcement. That cure period has now sunset. In its place, businesses can request an opinion letter or interpretive guidance from the Attorney General's office. Neither one guarantees protection from a future enforcement action.
How Is the Colorado Privacy Act Different from the CCPA and GDPR?
The Colorado Privacy Act, the CCPA, and the GDPR all grant data rights, but they diverge sharply on consent model, enforcement, and applicability.
| Colorado Privacy Act | CCPA / CPRA | GDPR | |
|---|---|---|---|
| Consent model | Opt-out by default; opt-in for sensitive data | Opt-out by default; opt-in for minors and sensitive data | Opt-in required before processing |
| Applicability | Consumer-count thresholds only, no revenue gate | Revenue, data-volume, or data-sale-revenue thresholds | Any organization processing EU residents' data |
| Enforcement | Attorney General and district attorneys only; no private right of action | California Privacy Protection Agency and Attorney General; limited private right of action for breaches | National data protection authorities |
| Universal opt-out | Mandatory since July 1, 2024 | Mandatory (Global Privacy Control honoring) | Not applicable; opt-in makes it moot |
Colorado's controller-and-processor terminology and its universal opt-out mandate follow the model Virginia's VCDPA set earlier. That is a closer fit than the CCPA's business-and-service-provider structure.
A site that is compliant with the CPA is not automatically compliant with GDPR. GDPR requires opt-in consent by default, so a site serving both Colorado and EU visitors needs to show each audience the model their law requires.
What the Colorado Privacy Act Means for Your Website and Cookies
A CPA-covered website must give Colorado visitors a working way to opt out of targeted-advertising cookies and data sales. It must also honor universal opt-out signals and keep records of consent choices.
The practical checklist for a covered site:
- Post a privacy notice that discloses what data is collected, why, and whether it is sold or shared
- Show Colorado visitors a clear opt-out control for targeted-advertising cookies and the sale of personal data
- Detect and honor Global Privacy Control signals sent by a visitor's browser, without requiring a separate request
- Get affirmative opt-in consent before loading anything that processes sensitive data
- Keep a record of each visitor's consent and opt-out choices for compliance proof
The targeted-advertising opt-out is the direct link between the CPA's legal text and a site's cookie banner. Any tag that fires for ad targeting or data sale needs a working opt-out path before it runs.
Sites already meeting the GDPR's cookie consent rules have the underlying banner-and-records discipline in place. Colorado's opt-out model layers on top rather than replacing it.
How Consently Helps You Meet Colorado's Opt-Out and Consent Requirements
Consently supports the consumer-facing side of CPA compliance: an opt-out banner for Colorado visitors, region-based display, and an audit trail of consent choices.
Consently shows Colorado visitors a CCPA and US state-law opt-out banner with a built-in Do Not Sell or Share My Personal Information control. It is built from the same opt-out template used across US state privacy laws.
Region-based display means Colorado and other US visitors see the opt-out model, while EU visitors see the GDPR opt-in banner instead. Both run from a single account with no separate setup per region.
Two features back the disclosure and record-keeping side. Consent logs with export give a timestamped record of who opted out and when, useful if the Colorado Attorney General ever requests proof of compliance. The cookie, privacy, and terms-and-conditions policy generators produce the privacy notice the CPA requires, without a separate legal-drafting tool.
One requirement Consently does not handle automatically: detecting and honoring a visitor's Global Privacy Control signal. That obligation sits with the business under the CPA. Consently's banner, region-based display, and consent logs support the disclosure and opt-out tasks around it, not GPC detection itself. A policy generator provides compliance assistance, not a legal guarantee.
Every Consently plan includes a 14-day free trial, no credit card required. Try Consently free to see the opt-out banner and consent log in your own dashboard.
FAQs
What is the Colorado Privacy Act in simple terms?
The Colorado Privacy Act is a Colorado law that gives residents rights over their personal data and requires covered businesses to honor opt-out requests. It took effect July 1, 2023.
When did the Colorado Privacy Act go into effect?
The CPA took effect July 1, 2023. Businesses have also been required to honor universal opt-out signals since July 1, 2024.
Who has to comply with the Colorado Privacy Act?
Businesses that control or process the data of 100,000 or more Colorado consumers per year. Also covered: businesses that process 25,000 or more consumers while deriving revenue from selling personal data. There is no revenue-size threshold.
Does the Colorado Privacy Act apply to small businesses?
Only if a small business meets one of the two consumer-count thresholds. Many small sites fall below 100,000 Colorado consumers, but a site that sells data and reaches 25,000 consumers is covered regardless of its revenue.
What are the penalties for violating the Colorado Privacy Act?
Violations are enforced as a deceptive trade practice under the Colorado Consumer Protection Act, carrying civil penalties of up to $20,000 per violation. Each affected consumer can count as a separate violation, with an aggregate ceiling of $500,000 for a related series.
Who enforces the Colorado Privacy Act?
The Colorado Attorney General and district attorneys hold sole enforcement power. No other agency and no private party can enforce the CPA.
Is there a private right of action under the Colorado Privacy Act?
No. Colorado consumers cannot sue a business directly for a CPA violation; only the Attorney General and district attorneys can bring an enforcement action.
What is a universal opt-out mechanism under the CPA?
A browser or device signal, such as Global Privacy Control, that communicates a consumer's opt-out choice to every website at once. Colorado businesses have had to honor recognized signals since July 1, 2024.
How is the Colorado Privacy Act different from the CCPA?
The CPA sets no revenue threshold and uses controller-and-processor terminology instead of the CCPA's business-and-service-provider model. It also gives consumers no private right of action, while the CCPA allows a limited one for certain data breaches.

