Colorado Privacy Act (CPA) cookie consent and compliance

The Colorado Privacy Act is designed to protect consumers with key privacy rights and to penalize those who do not respect these rights. Learn how to comply with it.

What your business needs to know about CPA

The Colorado Privacy Act (CPA) is Colorado’s consumer privacy regulation, aimed at providing consumers with more control and oversight of their personal data. As US states individually enact their own privacy laws to safeguard consumer data, Colorado is no exception. Signed into law in July 2023, the law gives consumers a range of rights related to their data and privacy.

What does CPA compliance require?

The CPA stipulates a number of requirements for businesses to be in compliance:

Data minimization: Businesses must only collect the personal data necessary for the specific purposes disclosed to consumers.

Transparency: Businesses must provide clear, accessible explanations of data collection practices, consumers’ rights, and how data is shared with third parties.

Risk assessments: If engaged in high-risk data processing activities, such as profiling or targeted advertising, companies must conduct data protection assessments to evaluate potential risks to consumers.

Data collection purposes: Organizations must clearly explain why the business is collecting personal data and how it will be used.

Data security: Organizations must implement security measures to protect personal data from breaches and unauthorized access.

Who needs to comply with CPA?

The CPA applies to businesses and nonprofits as well as vendors, service providers, and contractors that manage data on behalf of these companies in Colorado or with Colorado residents. One of the following criteria must also apply:

The business processes the personal data of 100,000 or more consumers annually, and/or

The business gains revenue or receives discounts from the sale of personal data of 25,000 or more consumers.

Consumer rights under the CPA

The CPA gives Colorado residents five core rights pertaining to their personal data:

Businesses are required to respond within 45 days of a CPA-related complaint, with the possibility of a 45-day extension. While in other jurisdictions consumers can bring legal action against businesses for violations, the CPA only offers relief through enforcement by state authorities.

Why cookies as part of Colorado state compliance

Cookies make up a fundamental part of the data collection experience. Cookies are small pieces of data stored on a user’s device to track behavior, preferences, and interactions with a website. Cookies that collect such personal data trigger CPA obligations. Transparent disclosure and securing user opt-in consent through clear, informative consent banners before loading non-essential cookies are key parts of compliance. After consent, websites must also allow users to withdraw or opt out at any time.

With cookies as a central part of Colorado’s data privacy ethos, businesses need to manage cookie consent properly, obtaining clear authorization from users before collecting personal data via cookies and ensuring they have the right to opt out or withdraw consent at any time.
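As an added illustration (not CookieHub's code or any product of theirs), the gating behaviour described above in JavaScript: tags in non-essential categories stay unloaded until the user opts in, withdrawal removes the cookies they set, and every decision is logged. The category names, CookieJar and ConsentGate are constructed for this example.

```javascript
// Added example (not CookieHub's code): a consent gate that defers scripts in
// non-essential categories until the user opts in and removes their cookies on
// withdrawal. CookieJar is a constructed in-memory stand-in for document.cookie.

const NON_ESSENTIAL = ["analytics", "marketing"];

class CookieJar {
  constructor() { this.cookies = new Map(); }            // name -> { value, category }
  set(name, value, category) { this.cookies.set(name, { value, category }); }
  has(name) { return this.cookies.has(name); }
  removeCategory(category) {                              // returns number removed
    const names = [...this.cookies].filter(([, c]) => c.category === category).map(([n]) => n);
    names.forEach(n => this.cookies.delete(n));
    return names.length;
  }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = Object.fromEntries(NON_ESSENTIAL.map(c => [c, false])); // opt-in: off by default
    this.pending = Object.fromEntries(NON_ESSENTIAL.map(c => [c, []]));   // deferred loaders
    this.log = [];                                                        // audit trail of decisions
  }
  // Register a loader (a tag that sets cookies). Returns true if it ran immediately.
  register(category, loader) {
    if (category === "necessary") { loader(this.jar); return true; }
    if (!(category in this.consent)) throw new Error(`unknown category: ${category}`);
    if (!this.consent[category]) { this.pending[category].push(loader); return false; }
    loader(this.jar);
    return true;
  }
  grant(category) {                                       // returns number of loaders released
    this.consent[category] = true;
    this.log.push({ category, granted: true });
    const released = this.pending[category].splice(0);
    released.forEach(l => l(this.jar));
    return released.length;
  }
  withdraw(category) {                                    // returns number of cookies removed
    this.consent[category] = false;
    this.log.push({ category, granted: false });
    return this.jar.removeCategory(category);
  }
}
```

On a real page the loaders would inject the third-party script tags and the jar would be document.cookie; cookies set by a third-party domain cannot be deleted by the site's own script, which is why gating before load matters more than cleanup afterwards.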

Penalties for CPA non-compliance

Failure to comply with the CPA can result in penalties. If your website is accessible to users in Colorado, it is important to understand and comply with the CPA. Non-compliance can result in immediately applicable penalties of up to 20,000 USD per violation, with each violation representing a separate infringement of consumer rights.

The CPA provides a 60-day “cure period”, during which businesses have the opportunity to remedy any violations. The 60 days begin once the business is notified of the infraction by the state, and if fixed during this grace period, the business can avoid the fine or further penalties.

How to comply with the CPA

Businesses can take a number of steps to help stay in compliance with the CPA and fulfill general data privacy best practices:

Review data practices: Conduct a comprehensive audit of your data handling practices, including collection, storage and sharing. Identify where personal data is being used and check that it complies with CPA requirements.

Implement consent management: Platforms like CookieHub provide an easy way to manage consumer consent for data processing.

Check partner contracts: Review third-party service provider contracts to ensure agreements meet CPA standards for data protection.

Update privacy policies: Keep your privacy policy up to date and accessible, including detailed information on how data is collected, processed and shared.

Train staff: Educate employees about CPA and its implications, and their role in maintaining compliance.

How CookieHub can help with CPA compliance

Building awareness and visibility into what data your website collects from users is a cornerstone of creating a consent-first, privacy-respecting experience. A feature-rich, customizable consent management platform (CMP) like CookieHub makes CPA compliance easy and relieves the risk burden.

Most businesses build their websites focused on their core business, not thinking too much about the changing legal landscape. That’s why CookieHub exists – to help you get control of consent management and comply with regulations like CPA easily and seamlessly.

Frequently Asked Questions

The Colorado Privacy Act (CPA) applies to entities conducting business in Colorado or targeting Colorado residents, and that either control or process the personal data of at least 100,000 consumers per year or derive revenue from the sale of personal data and process data for at least 25,000 consumers. It grants Colorado residents rights over their personal data, including the rights to access, correct, delete, and opt out of data processing for targeted advertising or sale.

Under the CPA, personal data is any information that is linked or reasonably linkable to an identified or identifiable individual. This includes names, email addresses, account information, and any data that can be used to identify a person—excluding de-identified or publicly available information.

The CPA defines sensitive data as personal information that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, as well as genetic or biometric data used for identification, and personal data from a known child (under 13 years old).

The Colorado Attorney General and district attorneys are responsible for enforcing the CPA. The Attorney General also has rulemaking authority to issue guidance and clarify compliance requirements under the law.

The CPA does not apply to certain organizations and data types. Exemptions include government entities, certain financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities governed by HIPAA, and data used for purely personal or household purposes.

You can find official information, guidance, and updates on the CPA by visiting the Colorado Attorney General’s website.

©2025 CookieHub ehf.