🆕  Migrate from OneTrust seamlessly with Ketch Switch. Exclusive offer through 4/30/2025.
The Colorado Privacy Act (CPA) is a comprehensive data privacy law that grants Colorado residents enhanced control over their personal data and imposes specific obligations on businesses operating within the state. Enacted on July 7, 2021, and effective from July 1, 2023, the CPA aligns with a growing trend of state-level data privacy regulations in the United States.
The Colorado Privacy Act (CPA) is unique because it requires businesses to honor universal opt-out mechanisms for targeted ads and data sales, mandates data protection assessments for high-risk processing, and includes stricter consent requirements for sensitive data. It also grants broad consumer rights while balancing business compliance obligations.
The Colorado Privacy law introduces several critical terms that businesses and consumers need to understand, as defined in § 6-1-1303 of the Colorado Revised Statutes.
The CPA applies to entities conducting business in Colorado or targeting Colorado residents and that either:
Notably, the CPA does not include a minimum revenue threshold for applicability.
“Consumer” means a natural person who is a resident of Colorado acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
‍- § 6-1-1303 of the Colorado Revised Statutes.
‍The Colorado Privacy Act (CPA) exemptions include:
These exemptions are outlined in § 6-1-1304 of the Colorado Revised Statutes
The U.S. still doesn’t have a comprehensive privacy law and is mostly governed under a handful of sectoral laws such as COPPA, HIPAA and GLB. In response to what they perceive is a vacuum at the federal level, a number of U.S. states have enacted their own comprehensive privacy laws. The Colorado Privacy Act is the third U.S. state to pass a comprehensive data privacy law protecting its residents, following California and Virginia.
The Colorado Privacy Act (CPA) primarily follows an opt-out model for data processing activities such as targeted advertising, the sale of personal data, and certain types of profiling. However, it requires opt-in consent for processing sensitive data, such as race, health information, biometric data, and sexual orientation.
Like most U.S. privacy and data protection laws passed over the past five years, Colorado has adopted a broad definition of personal information.
It is designed to cover pseudonymous personal data (e.g., IP address, Mobile Advertising ID (MAID), Hashed Email (HEM)) and identifiable personal data (e.g., email or postal address, telephone number). There are exemptions for “public” information and “de-identified” data.
Consumers are granted rights to access, correct, delete, and obtain a portable copy of their personal data. They can also opt out of the sale of their data, targeted advertising, and certain types of profiling.
Colorado mostly has a notice and opt-out choice regime. That means that you can process most types of data, so long as:
But be careful! Colorado’s guidance requires consent if your use of data is outside the scope of the privacy policy under which the data was initially collected (i.e., a secondary use of data). Also, Colorado requires opt-in consent for the processing of “sensitive information” (see below).
A data subject access request (DSAR) is a formal request from an individual (the data subject) to a company, requesting a copy of their personal data stored with the company. The CPA provides consumers with the right to see the data that companies have on them (including pseudonymous data, in many instances). Consumers then have the right to correct and/or delete that information.
The CPA has created a new category of data called “Sensitive Data.” Sensitive Data is modeled on “special category” data in EU data protection law. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.
Colorado requires opt-in consent prior to processing sensitive data. More importantly, the CPA Guidance’s inclusion of inferences and derivative data indicates that “health conditions” and other forms of sensitive data should be construed broadly. Collecting potentially sensitive data will likely require some adjustments to many companies’ data taxonomy and data governance ruleset
The CPA utilizes the GDPR terms for controller (i.e., controls the means of processing) and processor (i.e., takes direction from the controller). Moreover, the CPA requires processors to offer controllers an opportunity to object to the use of sub-processors and provides certain rights for controllers to audit the privacy practices of their processors.
In other words, controllers must provide transparent privacy notices, specify data processing purposes, minimize data collection to what is necessary, avoid secondary data use without consent, implement reasonable data security measures, and conduct data protection assessments for high-risk processing activities.
Like some other states, Colorado places guard rails around how companies may process data. The expectation is for companies to only collect data that is absolutely necessary (“data minimization”) and to store it for as little time as possible (“data retention”).
Another concept borrowed from EU data protection law, Colorado requires companies to complete Privacy Impact Assessments (PIAs): systematic evaluations of their data collection and use practices with an eye towards identifying risks and minimizing or eliminating those risks. The Colorado AG’s guidance provides a roadmap for what the AG expects to see within a privacy impact assessment.
The CPA suggests a data processing agreement (DPA) between controllers and processors. The purpose of a DPA is to outline how the parties plan to ensure that their intra-party data transfers are compliant with privacy laws, and to specify the permitted uses of the data.
While GDPR ushered in a new era of large privacy and compliance fines, a few of the U.S. State Privacy Laws also incorporated some fairly aggressive fine structures. The first CCPA fine was $1.2 million.Â
Fines are often determined by the number of violations–which is often dependent on the number of records in your database. Needless to say, those numbers can add up quickly if you’re working with millions of consumers in one of the states–and the fines typically don’t include legal fees or injunctive relief.
‍
‍
‍
Under the CPA privacy law, violations are considered deceptive trade practices under the Colorado Consumer Protection Act. The penalties for noncompliance include:
Since January 1, 2025, the 60-day cure period for alleged violations of the Colorado Privacy law is no longer required. This means that the Colorado Attorney General and District Attorneys will have the discretion to immediately enforce penalties for violations without first providing businesses an opportunity to correct noncompliance.
‍
.webp)
‍
Businesses must assess their data processing activities to ensure compliance with the CPA. This includes updating privacy policies, implementing mechanisms for consumers to exercise their rights, conducting data protection assessments, and establishing procedures for obtaining consent, especially concerning sensitive data.Â
Non-compliance can result in significant financial penalties and reputational damage.
The Colorado Privacy Act (CPA) requires businesses to:
Consumers gain enhanced control over their personal data, including rights to access, correct, delete, and port their data.Â
The CPA also empowers consumers to opt out of data sales, targeted advertising, and profiling, thereby increasing transparency and trust between consumers and businesses.
The Colorado Privacy Act (CPA), effective July 1, 2023, is similar in many respects to recent privacy laws passed in California, Connecticut, Nevada, Utah, and Virginia.
What these U.S. state laws have in common is the implementation of a notice and opt-out choice regime.Â
A “notice and opt-out choice regime” means that business can process most types of data as long as there is a consumer-facing privacy notice that describes the intended use of data, and the consumer (data subject) is provided with the opportunity to opt-out of certain uses of such data (e.g., profiling, sale, targeted ads).
‍
‍
The Colorado Privacy Act (CPA) stands out from other U.S. privacy laws due to:
These features make CPA one of the strictest and most consumer-friendly U.S. privacy laws.
Like California’s CCPA/CPRA, the CPA is supplemented by a set of regulations. A regulation is a rule or order that is issued by a government agency to implement a law.Â
The Colorado attorney general crafted the CPA regulations with some input from the public, including the business community. Regulations are usually more specific than laws, and they provide guidance on how to comply with the law.Â
“Public input is vital to the creation of successful rules that ensure consumers are protected and businesses have guidance on how to comply with those rules.”
- Attorney General Phil Weiser
The Colorado Privacy Act (CPA) differs from GDPR in key ways: CPA applies to certain businesses, while GDPR covers all handling EU data. CPA uses an opt-out model, while GDPR is opt-in, and requires a legal basis for processing. GDPR has stricter enforcement, higher fines, and mandates a Data Protection Officer (DPO) for some businesses.
If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:
CPA compliance means businesses follow the Colorado Privacy Act by honoring consumer rights (access, correction, deletion, and opt-outs), providing clear privacy notices, obtaining opt-in consent for sensitive data, conducting data protection assessments, securing personal data, and complying with enforcement by the Colorado Attorney General.
To comply with CPA, you must:
CPA generally operates under a notice and opt-out choice privacy regime. However, the CPA and CPA Regulations impose an opt-in consent standard where data is used or shared for a “secondary use.”Â
As a result, it’s really important to provide clear and detailed privacy notices–and the privacy notice that data was collected under so as to ensure that you’re not tripping into an opt-in consent standard inadvertently.
The only way to manage data governance across a full data ecosystem is to individually label every single bit of data you collect, effectively creating a layer of metadata that articulates how any given fact or unit of information can be used [APC1].
For instance, Ketch can automatically crawl and scan your data ecosystem to create and maintain that classification of data labeling metadata so that you can understand, and act on data that’s within the scope of the Colorado privacy regulation.
Your data labels can’t be written in permanent ink. Instead, they need to reflect the rules under which the data subject is operating (which may be subject to change). For that reason, it’s important that your systems are nimble and flexible enough to allow users to change their minds and revoke or modify permissions at any moment.
Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.
Given the amount of time and energy the Colorado AG has dedicated to creating the CPA Regulations, we believe that it is likely that the CPA will be robustly enforced–even during the period where the CPA has a 60 day notice and cure period in place. Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators.
Like many of the other U.S. States, Colorado requires adherence to opt-out requests sent by a “Universal Opt-Out Mechanism” (UOOM). These provisions are not set to go into effect until January 1, 2024.Â
While the Colorado AG will create a list of recognized UOOMs and provide controllers with six months to implement newly added UOOMs.Â
Given the limited timeline for implementation, it would be prudent to say abreast of new UOOMs so as to ensure that you are in position to honor their signals.
Unlike GDPR, the CPA does not require the appointment of a data protection or privacy officer with a legally mandated set of responsibilities.Â
Regardless, it’s still a good idea to have an internal person or team dedicated to ensuring privacy compliance. And bringing in an outside resource such as a privacy lawyer can help you make sure you understand all of your compliance obligations.
Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with Colorado Privacy Act as they exist today, but with any new iterations or copycat statutes introduced by other states.
With the Ketch Data Permissioning Platform, you can:
‍
When you automate these processes, you enable your internal stakeholders:Â
‍With the CPA now in effect, businesses must proactively align their data privacy practices with the law's requirements. This involves not only compliance efforts but also fostering a culture of data protection and consumer respect. Staying informed about regulatory updates and engaging in continuous improvement will be crucial as data privacy laws evolve.
‍Contact Ketch today to streamline your compliance and future-proof your privacy strategy.Â
‍Read further: 2025 U.S. State Privacy Laws: what you need to know
