
Global Data Privacy Guide

USA, Colorado

(United States) Firm Davis Graham

Contributors Trent Martinet

Updated 08 Aug 2025

1. What is the key legislation?

The Colorado Privacy Act (CPA) (CRS 6-1-1301) is Colorado’s key data privacy law. Other data protection laws in Colorado include its data security law (CRS 6-1-713.5), its data disposal law (CRS 6-1-713), and its data breach notification law (CRS 6-1-716).

2. What are the key decisions applying that legislation?

To date, no significant judicial decisions or published enforcement actions have interpreted or applied the CPA. 

1. How are “personal data” and “sensitive data” defined?

The CPA defines “personal data” as information linked to or reasonably linkable to an identified or identifiable individual. The CPA's personal data definition excludes de-identified data, information made publicly available by federal, state, or local government, information made publicly available by a consumer, and personal data of individuals acting in a commercial or employment context.
“Sensitive data” is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; and personal data from a known child.

2. How is the defined data protected?

Under the CPA, personal data is protected through a combination of legal obligations imposed on entities that process such data. These obligations include providing consumers with transparency, collecting and using personal data only as reasonably necessary and proportionate to the specified purposes disclosed to consumers, honoring requests from consumers to exercise their personal data rights, conducting data protection assessments before engaging in personal data processing activities that present a heightened risk of consumer harm, entering into contracts with processors that include specific terms governing the processing and protection of personal data, and requiring that controllers and processors implement reasonable security measures to protect personal data.

3. Who is subject to privacy obligations?

The CPA applies to entities, including nonprofits, that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either: (a) process the personal data of more than 100,000 consumers in any calendar year; or (b) derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more consumers. The law also applies to service providers (i.e., processors) that provide services and process personal data on behalf of these companies. 
Protections for biometric data and biometric identifiers apply to entities that collect such data from Colorado residents, even if not otherwise covered by the CPA. Beginning on October 1, 2025, protections for minors (under 18) that are offered online services, products, or features will apply to any entity doing business in Colorado or targeting Colorado residents. 
The CPA excludes some types of entities from complying with its requirements, including: (a) financial institutions and affiliates subject to the Gramm-Leach-Bliley Act; (b) air carriers subject to Federal Aviation Administration regulation; and (c) national securities associations registered under the Securities Exchange Act. The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such as the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes. See CRS 6-1-1304 for a complete list.

4. How is “data processing” defined?

"Process" or "processing" means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

5. What are the principles applicable to personal data processing?

The CPA establishes the following core principles for personal data processing: (a) transparency, which requires that a controller provide consumers with a reasonably accessible, clear, and meaningful privacy notice; (b) purpose specification, which requires that a controller specify the express purposes for which personal data are collected and processed; (c) data minimization, which requires that the collection of personal data by a controller is adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed; (d) avoidance of secondary use, which prohibits a controller from processing personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, except with consent; (e) a duty of care, which requires that a controller take reasonable measures to secure personal data during both storage and use from unauthorized acquisition; (f) non-discrimination, which prohibits a controller from processing personal data in violation of state or federal anti-discrimination laws; and (g) consent for sensitive data, which prohibits a controller from processing sensitive data without first obtaining consent.

6. How is the processing of personal data regulated?

The CPA does not require controllers to identify a specific lawful basis for processing personal data. However, it imposes substantive obligations on how personal data may be processed, including requirements to limit processing to what is reasonably necessary, to obtain consent for processing sensitive data, and to honor consumer rights such as opting out of targeted advertising, sales, and profiling.

7. How are storage, security and retention of personal data regulated?

The CPA imposes a duty of care on controllers, requiring that they take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. Controllers must also clearly allocate responsibilities for implementing security measures in processor contracts.
Both controllers and processors are also required to implement appropriate technical and organizational measures, taking into account the context of processing, to ensure a level of security appropriate to the risk. Processors must also ensure that each person processing personal data is subject to a duty of confidentiality.
While the CPA does not prescribe specific retention periods, it requires that personal data be collected and retained only for purposes that are reasonably necessary and proportionate to the purposes disclosed to the consumer. This implies that organizations should not retain personal data longer than needed to fulfill the original purpose of collection, unless otherwise required by law.
CRS 6-1-713.5, Colorado’s data security law, also specifically requires that covered entities implement and maintain reasonable security procedures and practices that are designed to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
CRS 6-1-713, Colorado’s data disposal law, governs the disposal of personal identifying information and requires covered entities to take reasonable steps to destroy or arrange for the destruction of paper or electronic documents containing such information when they are no longer needed, by shredding, erasing, or otherwise modifying the data to make it unreadable or indecipherable.

8. What are the data subjects' rights under the data legislation?

Under the CPA, Colorado residents are granted the following rights: (a) the right to confirm whether personal data is being processed and to access it (Access); (b) the right to correct inaccuracies in personal data (Correction); (c) the right to request the deletion of personal data (Deletion); (d) the right to obtain data in a portable, readily usable format (Data Portability); and (e) the right to opt out of processing for targeted advertising, sales of personal data, and profiling that produces legal or similarly significant effects (Right to Opt Out). The CPA also requires that controllers obtain consumers' prior consent to process sensitive data. Controllers of biometric data may also need to provide consumers with additional access rights.

9. What are the consent requirements for data subjects?

The CPA requires a controller to obtain prior consent to process or sell sensitive data. If the consumer is a known child, the controller must obtain consent from the child's parent or lawful guardian.
Beginning on October 1, 2025, controllers that offer online services, products, or features to consumers they know or willfully disregard are under 18 (minors) must obtain consent from a minor over age 13, or from the parent or guardian of a minor under age 13, to: (a) process their personal data: (i) for targeted advertising, sale, or profiling for decisions producing legal or similarly significant effects; (ii) for any processing purpose other than what the controller disclosed at collection or what is reasonably necessary for and compatible with that disclosed purpose; or (iii) for longer than is reasonably necessary to provide the online service, product, or feature; (b) use a system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature; or (c) collect their precise geolocation data unless that data is: (i) reasonably necessary for the controller to provide an online service, product, or feature; (ii) only collected for the time necessary to provide that online service, product, or feature; and (iii) collected while the controller provides a continuous signal that indicates the collection is occurring.
Consent requires a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear affirmative action, by which the consumer signifies agreement to the processing of personal data.
Acceptance of general or broad terms of use or a similar document that includes descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing or closing a given piece of content, and agreement obtained through dark patterns do not constitute consent.

10. How is authorization for use of data handled?

Under the CPA, controllers must obtain a consumer’s consent before processing or selling sensitive data. Starting October 1, 2025, additional restrictions apply to minors under 18, including the need for affirmative authorization before processing their sensitive data or using their data for targeted advertising, sales, or certain profiling. For general personal data, the CPA does not require prior consent, but controllers must provide transparent privacy notices, limit processing to specified purposes, and honor consumer opt-out rights for sales, targeted advertising, and certain profiling.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No. 

12. How are data "incidents" and "breaches" defined?

The CPA itself does not define “data incidents” or “data breaches.” However, Colorado’s data breach notification law (CRS 6-1-716) governs how breaches must be handled and reported.
Under CRS 6-1-716, “security breach” is defined as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity's business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
“Personal information” under CRS 6-1-716 includes: (a) a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (i) Social Security number; (ii) student, military, or passport identification number; (iii) driver's license number or identification card number; (iv) medical information; (v) health insurance identification number; or (vi) biometric data; (b) a Colorado resident's username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and (c) a Colorado resident's account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

13. Are there any notification requirements for incidents and/or data breaches?

Breach notification requirements are governed by Colorado’s data breach notification law, CRS 6-1-716.
Under CRS 6-1-716, a covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado must, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity must give notice to affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice must be made in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
If the security breach affects 500 or more Colorado residents, the entity must also notify the Colorado Attorney General within the same 30-day period, unless its investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur. In cases where notification is required for 1,000 or more residents, the entity must also notify all nationwide consumer reporting agencies as defined under the federal Fair Credit Reporting Act.

14. Who is/are the privacy regulator(s)?

The Colorado Attorney General.

15. What are the consequences of a data breach?

CRS 6-1-716, Colorado’s data breach notification law, does not provide for a private right of action. The Colorado Attorney General may bring an action in law or equity to ensure compliance with the law and recover direct economic damages.

16. How is electronic marketing regulated?

The CPA does not specifically regulate electronic marketing in the same way as CAN-SPAM or TCPA. However, under the CPA, consumers have the right to opt out of targeted advertising based on their personal data and consent is required if electronic marketing involves processing sensitive data.

17. Are there sector-specific or industry-specific privacy requirements?

In the healthcare sector, entities must comply not only with federal laws like HIPAA but also with the Colorado Medical Records Act (CRS 25-1-801), which governs access to and confidentiality of medical records. The education sector is governed by the Student Data Transparency and Security Act (CRS 22-16-101), which imposes specific privacy, transparency, and security requirements on public schools and ed tech providers.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Not applicable.

19. What are the record-keeping and documentation obligations?

Under the CPA’s implementing regulations (4 CCR 904-3), controllers are required to maintain records of all consumer data rights requests for at least 24 months. In addition to tracking consumer requests, controllers must maintain documentation demonstrating compliance with key CPA requirements, such as consent management, data security practices, and data protection assessments, for the duration of the processing activity and for at least 24 months thereafter. 

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The CPA requires data protection assessments (DPAs) before conducting personal data processing activities that present a heightened risk of consumer harm, such as for targeted advertising, selling personal data, processing sensitive data, and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers, financial or physical injury to consumers, a physical or other intrusion on consumers' solitude, seclusion, private affairs, or private concerns, if it would offend a reasonable person, or other substantial consumer injury.

21. What are the requirements for third-party vendor management and data sharing?

Under the CPA, controllers must ensure that any processors processing personal data comply with the CPA’s requirements through written contracts. These agreements must clearly define the nature and purpose of processing, the categories of personal data involved, the processing duration, and obligations for returning or deleting data at the end of the agreement. Processors are required to follow the controller’s instructions, assist with consumer rights requests, data protection assessments, and breach notifications, and allow for reasonable audits or inspections. Additionally, processors must impose confidentiality obligations on any sub-processors and controllers retain the right to object to their use. When sharing de-identified data, controllers must contractually ensure processors take reasonable measures to prevent re-identification.

22. What are the penalties and enforcement mechanisms for non-compliance?

Violations of the CPA constitute a deceptive trade practice under CRS 6-1-105. The potential civil penalty maximum for unfair or deceptive trade practice violations is $20,000 per violation.

23. What are the ongoing compliance and audit requirements?

Under the CPA, controllers must be able to respond to consumer rights requests within 45 days. They are also required to maintain internal records of these requests for at least 24 months. The CPA requires controllers to perform DPAs for processing activities that present a heightened risk of harm to consumers, including profiling, targeted advertising, the sale of personal data, or the processing of sensitive data. DPAs must be updated in the event of a material change and controllers must make them available to the Colorado Attorney General within 30 days of a request. Controllers must also ensure ongoing compliance with other CPA requirements, including data minimization, purpose specification, and transparency requirements.

24. Are there any recent developments or expected reforms?

The new obligations under the CPA for controllers that provide online services, products, or features to minors take effect on October 1, 2025.
