Colorado Privacy Act

Passed on July 8, 2021, the Colorado Privacy Act (CPA) was the third state privacy law in the US.

With enforcement beginning on July 1, 2023, the CPA places new obligations on businesses that process consumer data in Colorado (CO) while extending new data rights to Colorado residents.

To be subject to the CPA, a business must:

  • Conduct business in Colorado or target goods/services to Colorado residents OR
  • Control or process personal data for 100,000+ consumers a year OR
  • Control personal data for at least 25,000 consumers AND derive revenue or receive a discount from selling personal data

Under the CPA, Colorado residents have the following rights.

Right to access - A consumer may request access and confirm permission for any personal data processed by the controller.

Right to correction - A consumer has the right to correct any inaccuracy in the personal data held by a controller.

Right to delete - Consumers can request deletion of their personal data.

Right to data portability - Consumers have the right to access and transfer their personal data—the data must be in a format that's easy to use and transmit. Consumers can exercise their right to data portability twice a year.

Right to opt out - Consumers have the right to opt-out of personal data processing in relation to:

  • targeted advertising;
  • the sale of personal data; or
  • profiling that affects legal decision making

A data controller must honor these rights, unless there is a reasonable justification not to do so. If a data controller refuses to comply with a consumer's request, they must provide a reason and the consumer may appeal the decision.

Read our full guide to the Colorado Privacy Act or check out our infographic comparing US tate privacy laws.