Colorado follows avalanche of new data privacy regulations

Author: Adam Safar

Colorado Privacy Act guide

The Colorado Privacy Act (CPA) is now enforced. This guide covers who it applies to, consumer rights, final rules, UOOM, 2025 amendments, and compliance steps.

The Colorado Privacy Act is now an actively enforced privacy law. If your business collects or uses personal data from Colorado residents, you may need to review your privacy notice, consent setup, opt-out process, and data rights workflow.

This guide explains who the CPA applies to, what it requires, and what practical steps businesses can take to reduce risk.

Key takeaways
  • The CPA applies to businesses that process data from 100,000 or more Colorado residents annually, or 25,000 or more if revenue comes from data sales.
  • There is no revenue threshold, and nonprofits are not automatically exempt.
  • Businesses that process personal data for targeted advertising or data sales must honor valid browser-based opt-out signals, including Global Privacy Control (GPC).
  • Sensitive data usually requires opt-in consent.
  • Businesses should review their privacy notice, consent setup, DSR process, and cookie/tracker behavior.
  • Minors’ data and biometric data now require extra attention.

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a comprehensive state data privacy law that gives Colorado residents control over their personal data and places legal obligations on businesses that collect and process it.

Signed into law on July 7, 2021, and effective since July 1, 2023, it makes Colorado one of the first three US states to enact comprehensive privacy legislation. The full text of Senate Bill 21-190 is publicly available on the Colorado General Assembly's website.

The CPA is similar to other major privacy laws, but it has several important differences. It applies to nonprofits, requires opt-in consent for sensitive data, requires businesses to honor Universal Opt-Out Mechanism signals, and includes data protection assessment obligations for higher-risk processing.

Does the Colorado Privacy Act apply to your business?

The CPA applies to businesses that operate in Colorado or intentionally offer products or services to Colorado residents.

Your business may fall under the CPA if it meets one of these thresholds:

  • You control or process personal data from 100,000 or more Colorado residents in a year; or
  • You control or process personal data from 25,000 or more Colorado residents and earn revenue, or receive a discount, from selling that data.

The CPA does not have a revenue threshold. This means a business does not need to reach a certain annual revenue level before the law can apply.

Nonprofits are also not automatically exempt. If a nonprofit meets the CPA’s data-volume thresholds, it may have the same obligations as a for-profit business.

Who is exempt from the Colorado Privacy Act?

Some organizations and data types are outside the CPA, but exemptions are limited. Do not assume your business is exempt just because you are small, nonprofit, or already covered by another privacy framework.

Entity-level exemptions

  • Colorado state and local government bodies

  • Air carriers regulated under federal aviation law

  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)

Data-level exemptions

The following federal frameworks create data-level exemptions within CPA:

  • HIPAA: protected health information and related health data held by covered entities and business associates

  • COPPA: personal data collected from children under 13, to the extent covered by COPPA

  • FERPA: student educational records maintained by educational institutions

  • DPPA: personal data from motor vehicle records

  • GLBA: financial data covered by the Gramm-Leach-Bliley Act

  • Employment records maintained solely for HR purposes

De-identified data, pseudonymized data, and publicly available information are also excluded from CPA obligations. However, de-identified data must meet specific technical and administrative standards under the final rules to qualify.

What rights do Colorado consumers have under the CPA?

Businesses generally have 45 days to respond to consumer requests. If a request is denied, the business must also provide an appeal process.

Consumer right | What it means in practice
Right to opt out | Consumers can opt out of targeted advertising, data sales, and certain profiling. UOOM signals must also be honored.
Right of access | Consumers can ask whether you hold their data and request a copy.
Right to correct | Consumers can ask you to fix inaccurate personal data.
Right to delete | Consumers can ask you to delete personal data, unless an exception applies.
Right to data portability | Consumers can request their data in a usable, transferable format.

If your business receives many privacy requests, a DSR workflow can help track intake, deadlines, responses, and appeals.

What does the CPA mean for your website?

For many businesses, CPA readiness starts with the website. If your website uses analytics tools, advertising pixels, retargeting scripts, forms, embedded content, or other third-party services, you should review how those tools collect and use data from Colorado visitors.

Your website should be able to show the right consent or opt-out experience, honor GPC signals, provide a clear opt-out path, link to an accurate privacy notice, and support consumer rights requests.

What does the CPA require for sensitive data?

Under the CPA, businesses usually need opt-in consent before processing sensitive personal data.

In practice, this means businesses should know whether they collect sensitive data before launching forms, analytics tools, identity checks, health-related features, age-gated services, or biometric tools.

The following data categories are defined as sensitive under the CPA and require opt-in consent before any processing:

  • Racial or ethnic origin

  • Religious or philosophical beliefs

  • Mental or physical health condition or diagnosis

  • Sex life or sexual orientation

  • Citizenship or immigration status

  • Genetic data that could uniquely identify an individual

  • Biometric data processed for identification purposes

  • Neural data (added through attorney general rulemaking)

  • Personal data from a known child

The attorney general's final rules clarified that consent for sensitive data must meet GDPR-like standards: in simple terms, users need to understand what they are agreeing to and actively choose to give consent.

Consent should also be easy to understand and freely chosen. Designs that pressure users into agreeing, such as confusing buttons, pre-ticked boxes, or hard-to-decline banners, may not count as valid consent.

What is a Universal Opt-Out Mechanism under the CPA?

A Universal Opt-Out Mechanism, or UOOM, lets users automatically tell websites that they do not want their personal data used for targeted advertising or sold.

In Colorado, businesses that use personal data for targeted advertising or data sales must recognize valid UOOM signals. The most common example is the Global Privacy Control, or GPC, which sends a user’s opt-out preference through their browser.

When a website receives a valid signal, the business must treat it like a direct opt-out request. The user should not have to fill out another form or take extra steps.

This matters for websites using advertising pixels, retargeting scripts, analytics tools, or other tracking technologies. Your consent setup needs to detect these signals and apply the right restrictions before data is used for targeted advertising or sale.

For a deeper breakdown, read our guide on Colorado’s Universal Opt-Out Mechanism requirements.
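The detection and gating logic described above, as an added example that is not code from the original article or from Clym: the GPC signal arrives either as the HTTP request header Sec-GPC: 1 or as the browser property navigator.globalPrivacyControl, and a valid signal is treated like a direct opt-out request that blocks advertising and sale-related tags before they load. The visit object, tag descriptors and state names are assumptions made for the example.

```javascript
// Added example, not code from the original article or from Clym: decide whether a
// Colorado visitor must be treated as opted out of targeted advertising and data
// sales, honoring the Global Privacy Control (GPC) signal as the CPA requires.
//
// GPC reaches a site in two ways, both defined by the GPC specification:
//   - the HTTP request header "Sec-GPC: 1"
//   - the browser property navigator.globalPrivacyControl === true
// The visit object, tag descriptors and state names below are assumptions made
// for this example, not a real consent-management API.

const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale_of_personal_data"]);

// True when the visit carries a valid GPC signal via header or browser property.
function hasGpcSignal({ headers = {}, nav = null } = {}) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"] ?? "";
  if (String(raw).trim() === "1") return true;
  return nav !== null && nav.globalPrivacyControl === true;
}

// Resolve the opt-out state. A valid UOOM signal is treated like a direct
// opt-out request: no extra form, and it applies even when no choice was ever
// stored. An explicit stored opt-out is honored as well.
// Returns { optedOut: boolean, source: string }.
function resolveOptOut(visit, storedChoice = null) {
  if (storedChoice === "opt_out") return { optedOut: true, source: "stored_choice" };
  if (hasGpcSignal(visit)) return { optedOut: true, source: "uoom_signal" };
  return { optedOut: false, source: "default" };
}

// Decide which third-party tags may load before any data is used. Each tag
// declares the purposes it serves; a tag serving any opt-out purpose is blocked
// for an opted-out visitor. Tags with no restricted purpose always load.
function allowedTags(tags, decision) {
  return tags
    .filter(tag => !decision.optedOut || !tag.purposes.some(p => OPT_OUT_PURPOSES.has(p)))
    .map(tag => tag.name);
}

// Constructed sample data for a stand-alone run.
const SAMPLE_TAGS = [
  { name: "session-cookie", purposes: ["strictly_necessary"] },
  { name: "first-party-analytics", purposes: ["analytics"] },
  { name: "ad-pixel", purposes: ["targeted_advertising"] },
  { name: "retargeting", purposes: ["targeted_advertising", "sale_of_personal_data"] },
];
const GPC_VISIT = { headers: { "sec-gpc": "1" } };
const PLAIN_VISIT = { headers: {}, nav: { globalPrivacyControl: false } };

console.log(allowedTags(SAMPLE_TAGS, resolveOptOut(GPC_VISIT)));   // session-cookie, first-party-analytics
console.log(allowedTags(SAMPLE_TAGS, resolveOptOut(PLAIN_VISIT))); // all four tags
```

Node lowercases incoming header names, so a server-side check normally only needs the "sec-gpc" key; the client-side property check covers tags injected after page load.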

When do you need a data protection assessment?

The CPA requires businesses to complete a data protection assessment before using personal data in ways that may create higher risks for consumers.

This usually applies when a business is involved in:

  • targeted advertising
  • selling personal data
  • processing sensitive data
  • profiling that could significantly affect a consumer

A data protection assessment should explain why the data is being used, what risks it may create, and what safeguards the business has in place to reduce those risks.

Businesses also need to update assessments when the processing activity changes in a meaningful way, such as a new purpose, new data source, or new collection method.

The Colorado Attorney General can request copies of these assessments. Businesses must provide them within 30 days, so they should be treated as important compliance records rather than one-time paperwork.

What changed for minors and biometric data in 2025?

Colorado added two important updates in 2025: one for minors’ data and one for biometric data.

New protections for users under 18 (effective October 1, 2025)

Signed in May 2024, SB 24-041 extended CPA privacy protections to all users under 18, not just children under 13. In practice, businesses with websites, apps, accounts, games, subscriptions, communities, or online services used by teenagers should review how they collect, use, sell, or share minors’ data.

Critically, this duty applies regardless of whether the business meets the standard CPA data-volume thresholds. A small business that knowingly offers a service to Colorado teenagers is subject to these obligations even if it processes data from far fewer than 100,000 people.

Specific obligations for minors include restricting the sale of their data without explicit consent, prohibiting processing of their data for targeted advertising without consent, and implementing age-appropriate design practices.

New rules for biometric data (effective July 1, 2025)

Effective July 1, 2025, HB 24-1130 created specific obligations for businesses collecting biometric data, including facial geometry scans, voiceprints, fingerprints, and retina scans. Businesses must:

  • Have a written policy setting out retention schedules and destruction guidelines for biometric data

  • Obtain informed opt-in consent before collecting biometric data

  • Obtain parental consent before collecting biometric data from minors

  • Protect biometric data using reasonable security measures appropriate to the sensitivity of the data

If biometric data is collected from users under 18, the requirements of both HB 24-1130 and SB 24-041 apply simultaneously.

Colorado Privacy Act enforcement and penalties

The Colorado Attorney General’s Office and district attorneys enforce the CPA. Consumers do not have a private right of action under the CPA for most violations.

CPA violations can carry civil penalties of up to $20,000 per violation, with a $500,000 cap for a related series of violations.

The previous 60-day cure period expired on January 1, 2025. This means businesses should not assume they will receive a mandatory opportunity to fix issues before enforcement moves forward.

In November 2025, AG Phil Weiser formally launched CPA enforcement, sending letters to businesses with identified violations.

How does the CPA compare to CCPA and GDPR?

Businesses operating across multiple jurisdictions need to understand where the CPA diverges from other major privacy laws. The key differences are below.

Feature | CPA (Colorado) | CCPA/CPRA (California) | GDPR (EU)
Effective date | July 1, 2023 | January 1, 2020 | May 25, 2018
Applies to nonprofits? | Yes | No | Yes
Revenue threshold? | No | Yes ($25M+) | No
Sensitive data consent | Opt-in required | Opt-out (limit use) | Opt-in (explicit)
Universal opt-out required? | Yes, UOOM/GPC | Yes, GPC |
Data protection assessments | Required | Required (PIAs) | Required (DPIAs)
Private right of action? | No | Limited (breaches) | Yes
Max penalty per violation | $20,000 | $7,500 (intentional) | Up to 4% global revenue
Enforcement body | AG + district attorneys | CPPA + AG | National DPAs

How to work toward CPA compliance

If your business already works toward CCPA or GDPR requirements, some of that work may also support your CPA obligations. The main areas to review are:

  1. Check if the CPA applies to you
    Review the Colorado consumer thresholds and whether your online service is used by minors.
  2. Map your data
    Identify what personal data you collect, where it comes from, how you use it, and who you share it with.
  3. Update your privacy notice
    Explain what data you collect, why you collect it, who receives it, and how consumers can exercise their rights.
  4. Review your consent setup
    Make sure Colorado visitors receive the right consent or opt-out experience, including support for GPC and other UOOM signals.
  5. Set up a data rights process
    Create a clear process for access, correction, deletion, portability, opt-out requests, and appeals.
  6. Document high-risk processing
    Complete data protection assessments for targeted advertising, data sales, sensitive data, and certain profiling activities.
  7. Review sensitive and biometric data
    Check whether you need opt-in consent, a biometric retention policy, or parental consent for minors.

How Clym can help with Colorado privacy requirements

Clym helps bring key privacy workflows into one platform, so your team can manage them with less manual work. With Clym, businesses can:

  • Show the right consent experience by location
    Present Colorado visitors with the appropriate opt-out experience while supporting different privacy rules in other states and regions.
  • Respect browser-based opt-out signals
    Detect GPC and GPP signals and apply opt-out preferences where required, without relying on custom development.
  • Manage consumer rights requests
    Use a structured workflow to collect, verify, track, and respond to access, correction, deletion, portability, and opt-out requests.
  • Keep privacy and cookie notices easier to maintain
    Create and manage notices that reflect your current data practices and can be updated as regulations change.
  • Monitor cookies and trackers more easily
    Scan your website for third-party cookies and trackers, then apply consent behavior based on user preferences and location.

Clym does not guarantee compliance. Your obligations depend on your data practices, legal interpretations, and internal processes. The platform gives your team tools to support privacy operations and work toward CPA and other regulatory requirements.

Conclusion

The Colorado Privacy Act is now actively enforced, so businesses that collect or use data from Colorado residents should review their privacy setup carefully.

The most important areas to check are whether the law applies to your business, how you handle consent and opt-out signals, whether your privacy notice is accurate, and how you manage consumer rights requests.

Start with a data mapping exercise, then review your consent management, DSR process, sensitive data handling, and policy documentation. A website scan can also help identify cookies, trackers, and consent-related areas that may need closer review.

Frequently asked questions

The CPA applies to businesses that operate in Colorado or target Colorado residents and either process data from 100,000 or more Colorado residents annually, or process data from 25,000 or more residents and derive revenue from data sales. Nonprofits are not exempt. If you offer an online service knowingly used by minors in Colorado, the SB 24-041 provisions apply regardless of data volume.

A Universal Opt-Out Mechanism (UOOM) is a browser-based signal that automatically communicates a user's opt-out preferences when they visit a website. The CPA has required businesses to honor these signals as formal opt-out requests since July 1, 2024. The Global Privacy Control (GPC) is the most widely deployed UOOM.

The CPA differs from the CCPA in several ways. It has no revenue threshold, applies to nonprofits that meet the data-volume thresholds, and requires opt-in consent for sensitive data. It also requires businesses to honor Universal Opt-Out Mechanism signals such as GPC.

No. The 60-day cure period, which previously required the AG to notify businesses of violations and allow them 60 days to fix the issue before imposing penalties, expired on January 1, 2025. Enforcement can now proceed immediately after a violation is identified.

SB 24-041, effective October 1, 2025, extended CPA protections to all users under 18 and requires businesses to exercise reasonable care to avoid heightened risks of harm to minors, regardless of data-volume thresholds. HB 24-1130, effective July 1, 2025, added specific requirements for biometric data from minors, including parental consent. See the SB 24-041 bill text for the full scope of obligations.

Each CPA violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, carrying a civil penalty of up to $20,000 per violation. Total penalties for a related series of violations are capped at $500,000. There is no private right of action under the CPA; enforcement lies exclusively with the Colorado AG and district attorneys.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.