Colorado Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

In 2021, Colorado passed the Colorado Privacy Act (“CPA”). The law goes into effect in July 2023. The Attorney General has rulemaking power and announced on April 12, 2022 that draft rules would be in place by the fall of 2022. These regulations will assist companies in meeting their obligations discussed below and in creating a mechanism to opt out of the sale or use of data for targeted advertising. Enforcement actions will likely be stayed until the regulations are completed and implemented.

Obligations under the Colorado law are placed on any business delivering services or products in the state that meets either of the following:

Company controls or processes defined “personal” data of at least 100,000 Colorado consumers; or

Company controls or processes personal information of at least 25,000 Colorado consumers and derives revenue or gets discounts on goods or services from the sale of personal data.

Initially, the regulations do not apply in the commercial or employment contexts. Further, certain entities are exempt from the obligations under the CPA – including government entities, state institutions of higher learning and entities that must comply with certain rules or regulations such as Gramm-Leach-Bliley, FERPA, FCRA or HIPAA. Note that, unlike in some other states, non-profits are not exempt entities.

The CPA contains an obligation for all covered entities to have a privacy notice detailing what they collect or process, why it is collected or processed, how a consumer can assert their legal rights described below, what categories of personal information are shared with third parties and who those third parties generally are.

A covered entity must get a data protection assessment and have written contracts with anyone who processes its customers’ personal data.

The covered entities must also get consent to process specific defined “sensitive” personal data.

A consumer must be told how they can have their data excluded from being sold (the opt-out) as well as how they can have their personal data deleted. A company has 45 days to respond to a consumer’s demand.

Only the state Attorney General and District Attorneys have enforcement power under the CPA. The maximum penalty for a violation is $20,000 per occurrence. Covered entities have a 60-day cure period (in place until Jan. 1, 2025) to fix any deficiencies brought to their attention by the regulating authorities.
