Colorado
Code/Regulations
- Code: Colo. Code § 6-1-1301 to -1313 (2022)
- Colorado Privacy Act (CPA)
- Colorado Privacy Act Rules
Effective Date: July 1, 2023
Details
Threshold
Entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either:
(1) control or process the personal data of 100,000 or more consumers during a year, OR
(2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data
Definition of "Personal Data"
Linked or reasonably linkable to an identified or identifiable individual. Personal data does not include data from people acting in an employment or commercial context.
Definition of "Sale"
Exchange of personal data for monetary or other valuable consideration by a controller to a third party
Data-Protection Assessments
Required for targeted advertising, sale, sensitive data, certain profiling
Opt-In Consent Required for Processing Sensitive Data
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads
Yes
Consumer Right to Opt Out of Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
Yes (July 1, 2024)
Data of Minors
COPPA exception; obtain parental consent to process personal data concerning a known child
GLBA Exemption
Yes (both entity-level and data-level)
HIPAA Exemption
Yes (data-level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
No
Private Right of Action
No
Cure Period
60 Days
Cure Period Expiration
January 1, 2025
Enforcement Authority/Damages
Attorney General & District Attorneys/up to $20,000 per violation with a maximum total penalty of $500,000
Attorney General granted both discretionary and mandatory rulemaking authority
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.