Colorado Privacy Law Overview
Colorado's privacy law took effect on July 1, 2023 and is notable for its universal opt-out requirement: businesses must recognize a single browser or device signal through which consumers opt out of data sales and targeted advertising. The Colorado Attorney General has issued detailed rules and added biometric-specific obligations in 2025.
The Colorado Privacy Act (CPA)
The Colorado Privacy Act grants access, correction, deletion, portability and opt-out rights, and was among the first laws to require businesses to honor a browser-based universal opt-out mechanism. Sensitive data requires opt-in consent, and a 2024 amendment added specific protections for biometric data effective July 1, 2025.
CPA: Quick Overview
- Effective Date: July 1, 2023
- Citation: Colo. Rev. Stat. § 6-1-1301 et seq.
- Enforced By: Colorado Attorney General and district attorneys
- Maximum Penalty: Up to $20,000 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 60 days (expired January 1, 2025)
Who Must Comply
The CPA applies to a business that meets one of Colorado's applicability thresholds:
- Controls or processes the personal data of 100,000+ Colorado consumers per year, or
- Processes data of 25,000+ consumers and derives revenue or discounts from selling personal data
What makes Colorado different: Colorado was one of the first states to mandate recognition of a universal opt-out mechanism, and a 2024 amendment (HB 24-1130) added dedicated biometric-data rules effective July 1, 2025.
Consumer Rights Under the CPA
Colorado residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Colorado
Colorado requires notice to affected residents within 30 days, and to the Attorney General when a breach affects 500 or more Coloradans.
- Deadline to notify residents: Within 30 days of determining a breach occurred
- Attorney General notice: Notify the Colorado Attorney General if 500 or more residents are affected
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Colorado
Even where Colorado law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Colorado Privacy Law FAQ
What is the universal opt-out mechanism in Colorado?
Who enforces the Colorado Privacy Act?
How a Colorado Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Colorado Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Colorado Privacy Attorney?
Whether you are a business working toward compliance or a Colorado resident whose privacy has been violated, our network of Colorado-licensed attorneys can help.