The Colorado Privacy Act took effect on July 1, 2023. Enforcement has intensified since January 1, 2025, when the 60-day cure period ended and the Attorney General gained discretion to pursue penalties immediately.
How CPA Enforcement Works
The Colorado Attorney General and local District Attorneys have exclusive enforcement authority. Consumers cannot sue businesses directly under the CPA.
Before January 2025, businesses received a 60-day notice to cure alleged violations before enforcement could proceed. That cure period has now ended. The Attorney General can immediately pursue enforcement action upon discovering a violation.
Violations of the CPA are treated as deceptive trade practices under the Colorado Consumer Protection Act. Penalties include:
- $2,000 to $20,000 per violation
- Maximum aggregate penalty of $500,000
The $500,000 cap limits exposure compared to states like California, where fines can reach into the millions. However, individual violations can still result in substantial penalties.
Enforcement Activity
Warning Letters and Investigations
The Colorado Attorney General has been actively monitoring CPA compliance. Throughout 2024 and into 2025, the AG’s office has sent warning letters to businesses identified as potentially non-compliant. These letters typically identify specific concerns and, while the 60-day cure period was in effect, provided an opportunity to cure.
With the cure period now ended, these warning letters may transition to direct enforcement actions.
Data Broker Registration
Colorado requires data brokers to register with the state. The Attorney General has pursued enforcement against unregistered data brokers, though these actions fall under the data broker law rather than the CPA itself.
Enforcement Focus Areas
Based on the CPA’s structure and the Attorney General’s public statements, businesses should expect scrutiny in these areas:
Universal opt-out mechanisms. Since July 2024, businesses must honor signals like Global Privacy Control. Failing to implement GPC support is a clear compliance gap.
Sensitive data consent. The CPA requires explicit consent before processing sensitive personal data. Processing health data, precise geolocation, or biometric data without proper consent creates enforcement risk.
Data protection assessments. Businesses conducting targeted advertising, data sales, profiling, or sensitive data processing must complete and document assessments. Missing or inadequate assessments may trigger enforcement.
Minors’ data. New protections taking effect in October 2025 require consent before processing minors’ data for advertising, sales, or profiling. Early enforcement attention on children’s privacy is likely as these provisions become active.
What This Means for Your Organization
The end of the 60-day cure period in January 2025 significantly changes the enforcement calculus. Businesses can no longer rely on receiving notice and having time to fix issues before penalties apply.
Proactive steps to take:
- Implement Global Privacy Control support immediately if not already in place
- Review consent mechanisms for all sensitive data processing
- Complete required data protection assessments
- Prepare for October 2025 minors’ data requirements
- Monitor the Colorado Attorney General’s announcements for enforcement guidance
The $500,000 penalty cap provides some ceiling on exposure, but reaching that cap through accumulated violations is easier than it may appear. Each consumer affected by non-compliant processing can represent a separate violation.
Colorado’s active enforcement posture, combined with the end of the cure period, makes this one of the more aggressive state privacy enforcement regimes. Businesses should treat CPA compliance as a priority.
