Skip to content
DWT logo
People Services Insights
About Offices Careers
Search
People
Services
Insights
About
Offices
Careers
Search
State General Privacy Law Tracker

Colorado

  •  

Code/Regulations

  • Code: Colo. Code § 6-1-1301 to -1313 (2022)
  • Colorado Privacy Act (CPA)
  • Colorado Privacy Act Rules

Effective Date:  July 1, 2023

Details

Threshold

Entities conducting business in Colorado or delivering products or services targeted to Colorado residents that either:

(1) control or process the personal data of 100,000 or more consumers during a year, OR

(2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data

Definition of "Personal Data"

Linked or reasonably linkable to an identified or identifiable individual. Personal data does not include data from people acting in an employment or commercial context.

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

  • Race or ethnic origin;
  • Religious beliefs;
  • Citizenship or immigration status;
  • Genetic data;
  • Biometric data;
  • Physical or mental health diagnosis; and
  • Sexual orientation.

In addition, Colorado's definition also includes:

  • Sex life;
  • Biological data, including neural data; and
  • Personal data collected from a known child.

Definition of "Sale"

Exchange of personal data for monetary or other valuable consideration by a controller to a third party

Data-Protection Assessments

Required for targeted advertising, sale, sensitive data, certain profiling

Opt-In Consent Required for Processing Sensitive Data 

Yes

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads

Yes

Consumer Right to Opt Out of Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

Yes (July 1, 2024)

Data of Minors

COPPA exception; obtain parental consent to process personal data concerning a known child

GLBA Exemption

Yes (both entity-level and data-level)

HIPAA Exemption

Yes (data-level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

No

Private Right of Action

No

Cure Period

60 Days

Cure Period Expiration

January 1, 2025

Enforcement Authority/Damages

Attorney General & District Attorneys/up to $20,000 per violation with a maximum total penalty of $500,000
Attorney General granted both discretionary and mandatory rulemaking authority

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice. 

Searching...
Abstract privacy shield
03.17.23
Insights
State Privacy Laws
Final Rules Implementing Colorado Privacy Act Have Arrived Read More
Keyboard close up
10.10.22
Insights
State Privacy Laws
A First Look at the Colorado Privacy Act Proposed Rules Read More
Keyboard close up
07.08.21
Insights
State Privacy Laws
Colorado Adds to the Privacy Law Patchwork – What to Expect Read More
Your search returned no results. Please try another search or remove search criteria.
DWT logo
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.
Media Kit Affiliations Legal notices
Privacy policy Employees DWT Collaborate EEO

SUBSCRIBE
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.