Does the Colorado Privacy Act apply to your business?
It depends on volume, not revenue, and unlike most states, nonprofits are not exempt. The CPA applies to a controller that does business in Colorado or targets Colorado residents and meets one of two thresholds: controlling or processing the personal data of 100,000 or more consumers in a calendar year, or 25,000 or more consumers while deriving revenue (or receiving a discount on goods or services) from the sale of personal data.
Two features make Colorado broader than the California or Texas models. First, there is no dollar revenue floor — the trigger is consumer-count plus a Colorado nexus. Second, the CPA reaches nonprofit organizations, which several other state privacy laws carve out entirely. As with the other state regimes, a consumer is a Colorado resident acting in an individual or household context, not an employee or a business contact, and entity- and data-level exemptions (for GLBA, HIPAA, and FCRA-regulated data, among others) still apply.
Sources for this answer
Primary law
A.1 Colo. Rev. Stat. § 6-1-1304: The CPA applies to a controller that conducts business in Colorado or targets Colorado residents and meets a 100,000-consumer threshold, or a 25,000-consumer threshold while deriving revenue from selling personal data.
this part 13 applies to a controller that: (a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and (b) Satisfies one or both of the following thresholds:
See Colo. Rev. Stat. § 6-1-1304(1).
What must your Colorado privacy policy contain?
The CPA imposes a duty of transparency: a controller must give consumers a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes of processing, how to exercise and appeal consumer rights (including the controller's contact information), the categories of personal data shared with third parties, and the categories of those third parties.
For a template privacy policy, treat section 6-1-1308 as the content checklist. Two Colorado specifics go beyond the baseline list. If you sell personal data or process it for targeted advertising, the notice must clearly and conspicuously disclose that and describe how a consumer can opt out, and the opt-out method must also be offered in a separate, readily accessible location outside the notice. And processing sensitive data requires the consumer's prior consent, while processing the personal data of a known child requires prior consent from the child's parent or lawful guardian, so the data practices the notice describes must line up with the consents the controller actually collects.
Sources for this answer
Primary law
B.1 Colo. Rev. Stat. § 6-1-1308: A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes of processing, how consumers may exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties.
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (I) The categories of personal data collected or processed by the controller or a processor; (II) The purposes for which the categories of personal data are processed; (III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request; (IV) The categories of personal data that the controller shares with third parties, if any; and (V) The categories of third parties, if any, with whom the controller shares personal data.
See Colo. Rev. Stat. § 6-1-1308(1)(a).
Primary law
B.2 Colo. Rev. Stat. § 6-1-1308: If a controller sells personal data or processes it for targeted advertising, the privacy notice must clearly and conspicuously disclose that sale or processing and the manner in which a consumer may opt out.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
See Colo. Rev. Stat. § 6-1-1308(1)(b).
Primary law
B.3 Colo. Rev. Stat. § 6-1-1308: A controller may not process a consumer's sensitive data without first obtaining consent, or, for the personal data of a known child, consent from the child's parent or lawful guardian.
A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
See Colo. Rev. Stat. § 6-1-1308(7).
What must your contracts with processors say?
Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties, so a data processing agreement is a statutory requirement, not a best practice. The contract must set out the processing instructions to which the processor is bound, including the nature and purpose of the processing.
Section 6-1-1305 then enumerates the rest of the required terms: the type of personal data and the duration of processing; the processor duties the statute itself imposes; a duty to delete or return all personal data at the controller's choice when the services end (unless retention is required by law); an obligation to make available all information necessary to demonstrate compliance; and a duty to allow and contribute to reasonable audits and inspections by the controller or its designated auditor, or, alternatively and with the controller's consent, to arrange an annual independent audit at the processor's expense and provide the report on request. A compliant template DPA tracks each of these terms, and no contract can relieve either party of the liabilities the CPA assigns to its role.
Sources for this answer
Primary law
C.1 Colo. Rev. Stat. § 6-1-1305: Processing by a processor must be governed by a binding contract that sets out the processing instructions; the type of personal data and duration of processing; the statutory requirements imposed on the processor; a duty to delete or return the data at the controller's direction; a duty to make available information needed to demonstrate compliance; and a right to reasonable audits, or, alternatively, an annual independent audit report.
Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out: (a) The processing instructions to which the processor is bound, including the nature and purpose of the processing; (b) The type of personal data subject to the processing, and the duration of the processing; (c) The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and (d) The following requirements: (I) At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (II) (A) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and (B) The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.
See Colo. Rev. Stat. § 6-1-1305(5).
Must you honor a universal opt-out signal?
Yes. This is where Colorado is stricter than many states: since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must let consumers opt out through a user-selected universal opt-out mechanism that meets the technical specifications the Attorney General has adopted under section 6-1-1313.
In practice that means honoring browser-level signals such as the Global Privacy Control, not just a website opt-out link. The CPA Rules require the Attorney General to maintain a public list of recognized mechanisms, so a controller should check that list rather than decide for itself which signals count. The opt-out is one of a fuller set of consumer rights (access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling), to which a controller must respond within 45 days, extendable once by a further 45 days when reasonably necessary. A template privacy program should wire universal-opt-out handling into its consent and preference logic, so that a signal received on one request is recorded and applied to later processing, rather than bolting it on as a static link.
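The following is an added example of how a web backend might honor the Global Privacy Control signal and fold it into a preference record; it is not code from the page, from the Colorado Attorney General, or from any published rule. The only fact it relies on is the GPC specification's request header, `Sec-GPC`, whose sole signal value is `1`. The preference store, the `"allowed"`/`"opt_out"` values, the precedence order, and the sample requests are all hypothetical constructions for illustration.

```javascript
// Added example (not from the page or any Colorado guidance): server-side
// handling of the Global Privacy Control signal as a universal opt-out.
// Per the GPC specification, user agents send the request header "Sec-GPC: 1";
// only the exact value "1" is a signal. The preference store shape, the
// "allowed"/"opt_out" values and the sample requests are hypothetical.

// Return true only when the request carries a valid GPC signal.
// Header names are case-insensitive, so normalise before comparing.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Hypothetical in-memory preference store keyed by a first-party consumer id.
// Values: "opt_out" (consumer opted out) or "allowed" (no opt-out on record).
function createPreferenceStore() {
  const prefs = new Map();
  return {
    get: (consumerId) => prefs.get(consumerId),
    set: (consumerId, value) => prefs.set(consumerId, value),
  };
}

// Resolve whether targeted advertising / sale may proceed for this request,
// and persist a signal-driven opt-out so the choice survives the request.
// Precedence (a conservative design choice, not a statutory rule):
//   1. a recorded opt-out always wins;
//   2. a GPC signal counts as an opt-out and is written to the record;
//   3. otherwise the recorded preference, defaulting to "allowed", applies.
function resolveOptOut(store, consumerId, headers) {
  const recorded = store.get(consumerId);
  if (recorded === "opt_out") {
    return { optOut: true, source: "recorded" };
  }
  if (hasGpcSignal(headers)) {
    store.set(consumerId, "opt_out"); // wire the signal into the preference record
    return { optOut: true, source: "universal-opt-out-signal" };
  }
  return { optOut: false, source: recorded ? "recorded" : "default" };
}

// Map the decision onto the two processing purposes the opt-out covers.
function permittedProcessing(decision) {
  return {
    targetedAdvertising: !decision.optOut,
    saleOfPersonalData: !decision.optOut,
  };
}

// Constructed sample requests (not real traffic) covering the edge cases:
// a valid signal, a non-signal value, and no header at all.
const SAMPLE_REQUESTS = [
  { consumerId: "c-1", headers: { "Sec-GPC": "1", "User-Agent": "browser-a" } },
  { consumerId: "c-2", headers: { "sec-gpc": "0" } },
  { consumerId: "c-3", headers: { "User-Agent": "browser-b" } },
];

// Run the samples through a fresh store, then send a second request for c-1
// with no header (e.g. a later API call): it must still be opted out from
// the record, which is the point of wiring the signal into preference logic.
function runSamples() {
  const store = createPreferenceStore();
  const firstPass = Object.fromEntries(
    SAMPLE_REQUESTS.map((r) => [r.consumerId, resolveOptOut(store, r.consumerId, r.headers)])
  );
  const secondPassC1 = resolveOptOut(store, "c-1", {});
  return { firstPass, secondPassC1 };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Run it with `node` to see the three first-pass decisions and the persisted opt-out on the second request for `c-1`. In the browser the same signal is exposed as `navigator.globalPrivacyControl`, so in-page ad or tag logic can make the same decision before any tag fires; the server-side record is what keeps the opt-out in force on channels (server-to-server sale, email) that never carry the header. Treating `Sec-GPC: 0` or any value other than `1` as "no signal" follows the GPC specification; it is not a consent.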
Sources for this answer
Primary law
D.1 Colo. Rev. Stat. § 6-1-1306: Since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must allow consumers to opt out through a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications.
a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.
See Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).
Can a consumer sue your business under the CPA?
No. The CPA states that nothing in it provides the basis for, or is subject to, a private right of action, so consumers cannot sue under it. Enforcement belongs exclusively to the Colorado Attorney General and district attorneys, who may bring an action in the name of the state or as parens patriae on behalf of Colorado residents, including seeking an injunction.
One Colorado wrinkle raises the stakes: the CPA's right-to-cure provision was repealed effective January 1, 2025, so a controller can no longer count on a guaranteed notice-and-cure window before an enforcement action. A violation of the CPA is a deceptive trade practice under the Colorado Consumer Protection Act and is subject to that act's penalties. The compliance posture, then, is to build the privacy notice, opt-out, and contracting controls in advance rather than relying on a cure period that no longer exists.
Sources for this answer
Primary law
E.1 Colo. Rev. Stat. § 6-1-1311: The CPA bars any private right of action for its violation.
nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.
See Colo. Rev. Stat. § 6-1-1311(1)(b).
Primary law
E.2 Colo. Rev. Stat. § 6-1-1311: The Attorney General and district attorneys have exclusive authority to enforce the CPA.
the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.
See Colo. Rev. Stat. § 6-1-1311(1)(a).