Colorado was the third US state to pass a consumer privacy law, following California and Virginia. The Colorado Privacy Act (CPA) was signed into law in July 2021 and took effect on July 1 2023. The law has been amended several times, with significant changes taking effect in 2025.
What Is the CPA?
The Colorado Privacy Act grants Colorado residents rights over their personal data and establishes obligations for businesses that collect and process that data. Notably, the CPA applies to nonprofits as well as for-profit businesses, unlike most other state privacy laws.
Enforcement is handled by the Colorado Attorney General and local District Attorneys. There is no private right of action.
Does It Apply to Your Business?
The CPA applies to entities that conduct business in Colorado or deliver commercial products or services targeted to Colorado residents. To be covered, an entity must also meet at least one of two thresholds:
Threshold 1: Control or process personal data of 100,000 or more Colorado consumers annually.
Threshold 2: Control or process the personal data of at least 25,000 Colorado consumers AND derive revenue or receive a discount on goods or services from the sale of personal data.
Unlike California, the CPA does not include a revenue threshold. A business with modest revenue can still be covered if it meets the data volume thresholds.
The law applies to consumers acting in an individual or household context. It does not cover people acting in a commercial or employment context.
Exemptions
Several categories of data and entities are exempt:
- Data regulated by HIPAA
- Data covered by the Gramm-Leach-Bliley Act
- Data subject to the Fair Credit Reporting Act
- Higher education institutions (nonprofit)
- Publicly available information
- De-identified data
Unlike some other state laws, nonprofit organizations are generally covered by the CPA unless they fall under a specific exemption.
Key Consumer Rights
Colorado residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling that produces legal or significant effects
Since July 1 2024, businesses must honor universal opt-out mechanisms such as Global Privacy Control.
Business Obligations
Covered entities must:
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable security measures
- Provide clear privacy notices
- Obtain consent before processing sensitive data
- Honor universal opt-out mechanisms (since July 2024)
- Conduct data protection assessments for high-risk processing activities
Sensitive data under the CPA includes racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or immigration status, genetic data, biometric data, children’s data, and precise geolocation.
Enforcement and Penalties
The Colorado Attorney General and District Attorneys have exclusive enforcement authority. Private citizens cannot bring lawsuits under the CPA.
Major change in 2025: The 60-day cure period ended on January 1 2025. The Attorney General now has discretion to immediately enforce penalties without first providing businesses an opportunity to correct non-compliance.
Violations of the CPA are treated as deceptive trade practices under the Colorado Consumer Protection Act. Penalties can reach:
- Up to $2,000 per violation (standard)
- Up to $20,000 per violation (under CPA Rules)
- Maximum aggregate penalty of $500,000
The $500,000 cap means Colorado penalties are less likely to reach the multi-million-dollar levels possible in California, but individual violations still carry meaningful fines.
2025 Changes
Several amendments have expanded the CPA’s scope:
January 1 2025: The 60-day cure period ended. Enforcement can now proceed immediately.
July 1 2025: New requirements for biometric data processing take effect. These apply to any entity collecting biometric data from Colorado residents, regardless of whether the business meets the standard CPA thresholds.
October 1 2025: New protections for minors’ data take effect. Controllers must obtain consent before processing data of minors under 18 for targeted advertising, data sales, or profiling. These provisions apply to any controller targeting Colorado residents, without any processing thresholds.
Key Dates
- July 7 2021: CPA signed into law
- July 1 2023: CPA took effect
- July 1 2024: Universal opt-out mechanism requirement took effect
- January 1 2025: 60-day cure period ended
- July 1 2025: Biometric data requirements take effect
- October 1 2025: Minors’ data protections take effect
Where to Find Official Resources
- Colorado Attorney General CPA page: coag.gov/resources/colorado-privacy-act
- Full legal text: Colorado Revised Statutes, Title 6, Article 1, Part 13
- CPA Rules: Available on the Colorado Secretary of State regulations database
Getting Started
Colorado’s CPA has undergone significant changes, particularly the end of the cure period in January 2025. Businesses should treat compliance as urgent, as the Attorney General can now pursue enforcement immediately upon discovering a violation.
Assess whether your organization meets either applicability threshold. If you process biometric data or data from minors, the new 2025 provisions may apply even if you do not meet the standard thresholds.
Implement Global Privacy Control support if you have not already, and review your consent mechanisms for sensitive data processing. The Attorney General has been sending warning letters to businesses, indicating active monitoring of compliance.
