Colorado Privacy Act (CPA): Complete 2026 Compliance Guide
Colorado’s Privacy Act — A Leader in State Privacy Law
The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and took effect on July 1, 2023, making Colorado the third state in the nation (after California and Virginia) to enact a comprehensive consumer data privacy law. Since then, the CPA has been amended to strengthen its protections, and its statutory cure period has sunset, establishing Colorado as one of the most consumer-friendly state privacy regimes.
If your business operates in Colorado or serves Colorado residents, use our Privacy Law Calculator to determine your compliance obligations across all state privacy laws.
Who Must Comply with the CPA?
The CPA applies to entities that conduct business in Colorado or produce products or services intentionally targeted to Colorado residents, AND meet either of these thresholds:
- Control or process personal data of 100,000 or more Colorado consumers during a calendar year, OR
- Control or process personal data of 25,000 or more Colorado consumers AND derive revenue or receive a discount from the sale of personal data
Unlike some other state privacy laws, the CPA does not include a revenue threshold. The focus is purely on the volume of consumer data processed and whether data is sold for revenue.
Exemptions
The CPA exempts several categories:
- Entity exemptions: Government bodies, institutions of higher education, and financial institutions and their affiliates subject to GLBA (entity-level)
- Data exemptions: Protected health information under HIPAA (a data-level exemption, so a HIPAA covered entity remains in scope for its non-PHI consumer data), data governed by GLBA, FCRA, FERPA, DPPA, and COPPA, and data about individuals acting in an employment or commercial (B2B) context, who fall outside the CPA's definition of "consumer"
- Special note: The CPA has no nonprofit exemption. It applies to any controller that meets the thresholds, for-profit or not, so a nonprofit that processes the personal data of 100,000 or more Colorado consumers carries the same obligations as a company.
Consumer Rights Under the CPA
The CPA grants Colorado residents a robust set of privacy rights:
- Right to access — Confirm whether a controller is processing personal data and access that data
- Right to correction — Request correction of inaccurate personal data
- Right to deletion — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out of data sale — Opt out of the sale of personal data
- Right to opt out of targeted advertising — Opt out of processing for targeted advertising purposes
- Right to opt out of profiling — Opt out of profiling that produces legal or similarly significant effects
- Right to appeal — Appeal a controller’s refusal to act on a rights request
Controllers must respond to consumer rights requests within 45 days, with one 45-day extension if reasonably necessary.
Universal Opt-Out Mechanism (GPC) Requirement
Colorado was one of the first states to mandate that businesses honor universal opt-out mechanisms such as Global Privacy Control (GPC). This requirement went into effect on July 1, 2024.
The Colorado Attorney General has published technical specifications and maintains a list of approved universal opt-out mechanisms; Global Privacy Control is on that list. Businesses must:
- Detect and honor GPC signals automatically. A GPC-enabled browser sends the Sec-GPC: 1 request header and exposes navigator.globalPrivacyControl to page scripts; only the value 1 is a signal, and the absence of the header is not consent
- Treat a GPC signal as an opt-out of both data sales and targeted advertising (the signal does not cover the separate profiling opt-out)
- Not require additional action from the consumer beyond enabling GPC
- Provide clear instructions in their privacy notice about how consumers can use universal opt-out mechanisms
Colorado joins California, Connecticut, Texas, Montana, Delaware, Oregon, and Maryland in requiring universal opt-out recognition. Check your GPC obligations across all states with our GPC Compliance Checker.
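The requirements above are mechanical enough to put in code. What follows is an added example, not code from this page or from any Colorado Attorney General publication, of how a web backend and a page script can read the GPC signal and apply it as a CPA universal opt-out. The Sec-GPC header, the navigator.globalPrivacyControl property and the /.well-known/gpc.json resource come from the GPC specification; the preference record, the function names, the request objects and the fixed clock are constructed for illustration. The same block covers step 2 of the compliance plan further down.

```javascript
// Added example, not code from the page: honoring a Global Privacy Control
// (GPC) signal as a CPA universal opt-out. Header name and navigator property
// follow the GPC specification; preference fields, request objects and the
// fixed clock are constructed for illustration.
//
// GPC surfaces the signal in two places:
//   - HTTP request header   Sec-GPC: 1
//   - browser property      navigator.globalPrivacyControl === true

// Server side. The spec defines only the value "1" as the opt-out signal, so
// an absent header, "0", "true" or any other value is "no signal" and must
// never be read as consent. Header lookup is case-insensitive (HTTP headers
// are), and a repeated header arriving as an array uses its first value.
function gpcSignalFromHeaders(headers) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === 'sec-gpc');
  if (key === undefined) return false;
  const raw = headers[key];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return String(value).trim() === '1';
}

// Client side. The same decision for page scripts, e.g. to suppress an ad tag
// before it loads. `nav` is a parameter so the function runs outside a browser.
function gpcSignalFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a consumer's preference record. A universal opt-out
// covers sale and targeted advertising, and the consumer must not be asked to
// do anything more. It is an opt-OUT: it only ever sets those two flags and
// never clears a prior opt-out or touches unrelated choices such as the
// separate profiling opt-out or sensitive-data consent.
function applyUniversalOptOut(prefs, gpcSignal, now) {
  if (!gpcSignal) return { ...prefs };
  return {
    ...prefs,
    saleOptOut: true,
    targetedAdsOptOut: true,
    optOutSource: 'universal_opt_out_mechanism', // keeps the audit trail
    optOutRecordedAt: now.toISOString(),
  };
}

// Downstream decisions an ad server or data-sharing pipeline would make.
function adMode(prefs) {
  return prefs.targetedAdsOptOut ? 'contextual' : 'targeted';
}
function mayShareForSale(prefs) {
  return !prefs.saleOptOut;
}

// Body served at /.well-known/gpc.json, the resource the GPC spec defines for
// a site to declare that it honors the signal. `lastUpdate` is the date the
// declaration last changed (passed in here; a real site would hard-code it).
function gpcWellKnownDocument(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Request handler tying it together: read the signal, update the stored
// preferences, and return the decisions that apply to this request.
function handleRequest(req, storedPrefs, now) {
  const signal = gpcSignalFromHeaders(req.headers);
  const prefs = applyUniversalOptOut(storedPrefs, signal, now);
  return { signal, prefs, adMode: adMode(prefs), sale: mayShareForSale(prefs) };
}

// --- constructed sample data ------------------------------------------------
const FIXED_NOW = new Date('2026-03-29T12:00:00Z');
const freshPrefs = {
  saleOptOut: false,
  targetedAdsOptOut: false,
  profilingOptOut: false,      // not covered by a UOOM; left as the user set it
  sensitiveDataConsent: false, // likewise untouched
};
const sampleRequests = {
  gpcOn:    { headers: { 'Sec-GPC': '1', host: 'example.test' } },
  gpcOff:   { headers: { 'sec-gpc': '0', host: 'example.test' } },
  noHeader: { headers: { host: 'example.test' } },
};

// Runs the three constructed requests against a fresh preference record.
function demo() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests)) {
    const r = handleRequest(req, freshPrefs, FIXED_NOW);
    out[name] = { adMode: r.adMode, sale: r.sale };
  }
  return out;
}
console.log(demo());
```

Two asymmetries in the block are deliberate. First, the signal only ever sets the two opt-out flags; it never clears a prior opt-out, never re-enables processing, and never changes the profiling opt-out or sensitive-data consent, because a universal opt-out mechanism does not cover those. Second, anything other than the literal value 1 is treated as no signal rather than as consent, so a malformed or missing header cannot be used to justify targeted advertising or a sale the consumer had already refused.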
Key 2025–2026 Changes
The CPA has undergone several important updates:
Cure Period Eliminated (January 1, 2025)
The CPA’s original 60-day cure period sunset on January 1, 2025. The Colorado Attorney General now has full enforcement discretion and can proceed directly to enforcement without offering businesses a chance to fix violations first. This places Colorado alongside California in having the most aggressive enforcement posture among state privacy laws.
SB 25-276: Precise Geolocation Data as Sensitive Data (2025)
Signed in May 2025, SB 25-276 added precise geolocation data as a new category of sensitive data under the CPA. This means businesses must now obtain opt-in consent before collecting or processing precise geolocation data of Colorado consumers. This aligns Colorado with Oregon and Maryland in providing elevated protections for location data.
SB 24-041: Age-Appropriate Design Code (October 1, 2025)
SB 24-041 introduced significant new requirements for services likely to be accessed by minors:
- Age-appropriate design code: Online services must implement design practices that protect children’s and teens’ privacy
- Opt-in consent for minors 13–17: Targeted advertising and data sales involving minors aged 13–17 now require opt-in consent
- COPPA requirements for under-13: Verifiable parental consent is required for children under 13
Continued CPA Rulemaking (2025–2026)
The Colorado Department of Law filed proposed amendments to CPA rules in July 2025 to clarify the implementation of SB 24-041 and SB 25-276. The rulemaking process for universal opt-out mechanism technical standards also continues, with periodic updates to the approved mechanism list.
Sensitive Data Under the CPA
The CPA requires opt-in consent before processing sensitive personal data. As of 2026, sensitive data categories include:
- Personal data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data that may be processed to uniquely identify an individual
- Personal data from a known child (under 13)
- Precise geolocation data (added by SB 25-276)
The addition of precise geolocation data means that businesses collecting location information (such as mobile apps, mapping services, or delivery platforms) must obtain explicit consumer consent before processing this data for Colorado residents.
Data Protection Assessments
The CPA requires controllers to conduct and document data protection assessments (DPAs) before engaging in processing that presents a heightened risk to consumers. Required assessments include:
- Processing personal data for targeted advertising
- Sale of personal data
- Processing for profiling with legal or similarly significant effects
- Processing sensitive personal data
- New: Processing of minors' personal data that presents a heightened risk of harm to minors (added by SB 24-041)
DPAs must weigh the benefits of the processing against the potential risks to consumer rights and be made available to the Attorney General upon request.
Enforcement and Penalties
The CPA is enforced by the Colorado Attorney General and District Attorneys. There is no private right of action. A violation of the CPA is a deceptive trade practice under the Colorado Consumer Protection Act, which supplies the penalty amounts:
- Penalties: Up to $20,000 per violation
- Additional penalties: Up to $50,000 per violation when the violation is committed against an elderly person
- Cure period: None (sunset January 1, 2025)
The $20,000 per-violation maximum makes the CPA one of the stricter state privacy laws. The absence of a cure period since January 2025 means the AG can act swiftly. View all state enforcement actions on our Enforcement Tracker.
How Colorado Compares to Other State Privacy Laws
- GPC pioneer: Colorado was among the first states (alongside California and Connecticut) to mandate universal opt-out mechanism recognition
- No cure period: The 60-day cure period sunset on January 1, 2025 — Colorado joins California, Maryland, and Oregon in this strict approach
- High penalties: $20,000 per violation is among the highest flat per-violation rates; only Florida ($50,000) and Maryland's escalated rate for repeat violations ($25,000, up from a $10,000 base) exceed it
- Precise geolocation as sensitive data: SB 25-276 aligns Colorado with the emerging trend of treating location data as a special category
- Age-appropriate design code: SB 24-041 places Colorado alongside California in having specific design requirements for services accessed by minors
- Active AG rulemaking: Colorado’s AG has been among the most active in developing detailed implementation rules, providing clearer compliance guidance than most states
Use our State Comparison Tool to see how Colorado stacks up against all 20+ state privacy laws.
8-Step CPA Compliance Plan
- Assess applicability — Determine if your organization processes data of 100,000+ Colorado consumers, or 25,000+ while deriving revenue from data sales. Use the Privacy Law Calculator.
- Implement GPC recognition — Ensure your website and apps recognize and honor Global Privacy Control and other approved universal opt-out mechanisms. This has been required since July 1, 2024.
- Audit geolocation data collection — Obtain opt-in consent before collecting or processing precise geolocation data from Colorado consumers (required by SB 25-276).
- Review minor data practices — Implement age-appropriate design practices. Obtain opt-in consent for targeted advertising and data sales involving consumers aged 13–17. Ensure COPPA compliance for children under 13.
- Update privacy notices — Include all CPA-required disclosures, including categories of data, purposes, third-party sharing, consumer rights, and universal opt-out instructions.
- Build consumer rights processes — Create intake, verification, fulfillment, and appeals workflows for all eight consumer rights. Configure 45-day response deadlines, with the single 45-day extension tracked and justified where it is used.
- Conduct data protection assessments — Document DPAs for all high-risk processing activities including targeted advertising, data sales, profiling, sensitive data processing, and automated decision-making.
- Review processor contracts — Ensure all data processor agreements include CPA-mandated provisions governing scope, purpose, confidentiality, and data return or deletion.
For a detailed walkthrough, visit our Colorado Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.