Colorado Privacy Law

Colorado Privacy Act

Effective: July 1, 2023 (Active)

Overview

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and took effect on July 1, 2023. Colorado was the third state to enact a comprehensive consumer privacy law, and its approach closely mirrors the Virginia VCDPA framework while adding several notable consumer-friendly provisions, including a requirement to honor universal opt-out mechanisms.

The CPA provides Colorado residents with rights to access, correct, delete, and obtain a portable copy of their personal data. Consumers also have the right to opt out of the sale of personal data, targeted advertising, and certain profiling activities. Colorado was one of the first states to mandate that businesses recognize universal opt-out signals such as Global Privacy Control (GPC), which went into effect on July 1, 2024.

The law applies to controllers that conduct business in Colorado or target Colorado residents and that process personal data of 100,000 or more consumers annually, or process personal data of 25,000 or more consumers and derive revenue or receive a discount from the sale of personal data.

The CPA originally included a 60-day cure period, which sunset on January 1, 2025 — the AG now has full discretion in enforcement. In 2025, SB 25-276 added precise geolocation data as a new category of sensitive data requiring opt-in consent, and SB 24-041 strengthened minor protections with age-appropriate design code requirements. Penalties can reach $20,000 per violation, making the CPA one of the stricter state privacy laws.

Applicability Thresholds

Conditions are joined by OR: meeting ANY one triggers applicability.

  • 100,000+ Colorado consumers' data processed
  • 25,000+ consumers AND 50%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action (not available; AG enforcement only)

Key Changes in 2025-2026

  • The 60-day cure period sunset on January 1, 2025 — AG now has full enforcement discretion
  • SB 25-276 (signed May 2025) added precise geolocation data as a new category of sensitive data requiring opt-in consent
  • SB 24-041 (effective October 1, 2025) added age-appropriate design code requirements and strengthened minor protections
  • Department of Law filed proposed amendments to CPA rules in July 2025 to clarify SB 24-041 and SB 25-276 requirements
  • Continued rulemaking by the Colorado AG on universal opt-out mechanism technical standards
  • Enhanced enforcement activity as the cure period has expired

Enforcement Details

Enforced By: Colorado Attorney General and District Attorneys
Penalty Per Violation: $20,000
Cure Period: None — immediate enforcement
Private Right of Action: No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Biometric data for identification
  • Precise geolocation data

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

As of July 1, 2024, businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC). The Colorado AG has published technical specifications for compliance with this requirement.

Effective: July 1, 2024

Minor / Child Protections

The CPA requires opt-in consent before processing sensitive data, which includes data of known children. Businesses must obtain verifiable parental consent for children under 13, consistent with COPPA. SB 24-041 (effective October 1, 2025) added age-appropriate design code requirements and strengthened protections for minors aged 13-17, including opt-in consent for targeted advertising and data sales.

Compliance Checklist

  1. Assess whether your organization meets the CPA applicability thresholds for Colorado consumer data processing
  2. Implement technical mechanisms to recognize and honor universal opt-out signals such as GPC
  3. Update privacy notices to include all CPA-required disclosures, including opt-out mechanism instructions
  4. Establish processes to respond to consumer rights requests within the 45-day statutory period
  5. Obtain opt-in consent before processing sensitive personal data, including precise geolocation data (SB 25-276)
  6. Comply with age-appropriate design code requirements for services accessed by minors (SB 24-041)
  7. Conduct data protection assessments for high-risk processing activities
  8. Review and update data processing agreements with processors to comply with CPA requirements

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.