Colorado Privacy Act (CPA) Assessment

The CPA applies to controllers that conduct business in Colorado or intentionally target Colorado residents and either control or process the personal data of 100,000 consumers or more in a calendar year, or derive revenue or receive a discount from the sale of personal data and control or process the personal data of 25,000 consumers or more.

Under the CPA, personal data means information that is linked or reasonably linkable to an identified or identifiable individual. Publicly available and de-identified data are excluded. Colorado also treats certain information as sensitive data, such as data revealing racial or ethnic origin, religious beliefs, health condition diagnosis, sex life or sexual orientation, citizenship status, genetic or biometric data used to identify an individual, and personal data from a known child.

It notes exemptions for certain entities and data, including Gramm-Leach-Bliley Act (GLBA)-regulated financial institutions, air carriers, certain securities organizations, and multiple sector-specific data categories such as Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Report Act (FCRA), Family Educational Rights and Privacy Act (FERPA), Children's Online Privacy Protection Act (COPPA), driver data, certain public-sector data, and employment records.

It treats data mapping and classification as foundational because organizations need to know what data they collect, where it is stored, how it flows, who has access, and what safeguards apply.

The CPA provides rights to access, correction, deletion, portability, and opt out. Controllers generally must respond within 45 days, with one possible 45-day extension when reasonably necessary. Colorado’s rules also require request methods that are easy to use and reasonably secure.

The CPA gives consumers the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. Colorado’s AG also requires recognized universal opt-out mechanisms to be honored for sale and targeted advertising beginning July 1, 2024.

It groups accountability and governance around ownership, training, complaints, transparency, non-discrimination, data minimization, and purpose limitation. The CPA itself requires controllers to avoid secondary uses incompatible with disclosed purposes unless consent is obtained, and to avoid unlawful discrimination.

The CPA requires consent before processing sensitive data, before processing a known child’s personal data in the relevant contexts, and before processing personal data for purposes that are not reasonably necessary to or compatible with disclosed purposes. Colorado’s AG also provides detailed guidance on UOOMs and consent-related rules.

The CPA requires reasonable security practices appropriate to the volume and nature of the personal data.

The CPA requires contracts with processors that address instructions, confidentiality, deletion or return, assistance with consumer rights and security obligations, subcontractor terms, and assessments or reports demonstrating compliance.

The CPA requires documented data protection assessments for targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. Colorado’s rules also provide details on assessment expectations.

The CPA and CPA Rules require a privacy notice that is understandable, reasonably accessible, and specific about processing categories, purposes, rights, and appeal mechanisms.

It notes that opt-out requests may be submitted by authorized agents and that a parent or guardian may submit requests on behalf of a child. Colorado’s rules also address agent authority and authentication.

Because Colorado’s rules get quite detailed on authentication, denials, appeals, and UOOM handling, keeping evidence of those decisions is important for defensibility and audits. The Colorado AG also maintains enforcement and rulemaking resources that show continued active oversight.

Colorado’s CPA Rules have continued to evolve, and the Colorado regulations page shows newer effective versions, including updates effective January 30, 2025, and December 1, 2025. Colorado also amended the CPA in 2024 for minors’ online activity.