Colorado CPA Compliance Guide | Blue Frog Docs

Colorado CPA Compliance Guide

Comprehensive guide to the Colorado Privacy Act (CPA), including requirements, universal opt-out mechanisms, and implementation best practices.

Overview

The Colorado Privacy Act (CPA) is one of the most consumer-friendly state privacy laws in the United States, notable for its requirement to recognize universal opt-out mechanisms and its strong consumer rights framework.

Full Name and Description

Colorado Privacy Act (CPA): Signed into law on July 7, 2021, and effective July 1, 2023, the CPA provides Colorado residents with rights over their personal data and imposes comprehensive obligations on businesses that process consumer data.

Enforcement Date

  • Effective Date: July 1, 2023
  • Universal Opt-Out Requirement: July 1, 2024
  • Cure Period Ends: January 1, 2025

Governing Body

  • Colorado Attorney General: Primary enforcement authority
  • District Attorneys: May also bring enforcement actions
  • No Private Right of Action: Consumers cannot directly sue for CPA violations

Primary Purpose

The CPA was designed to:

  • Empower Colorado consumers with meaningful data rights
  • Require businesses to honor universal opt-out signals (like Global Privacy Control)
  • Establish transparency in data processing practices
  • Create a comprehensive yet business-practical privacy framework

Applicability

Who Needs to Comply?

The CPA applies to entities that conduct business in Colorado or produce products/services intentionally targeted to Colorado residents AND meet one of the following thresholds:

  1. Control or process personal data of 100,000+ Colorado consumers per calendar year, OR
  2. Control or process personal data of 25,000+ Colorado consumers AND derive revenue or receive discounts from the sale of personal data

Key Exemptions

Entity-Level Exemptions:

  • State and local government entities
  • Financial institutions subject to GLBA
  • HIPAA-covered entities and business associates
  • Certain nonprofit organizations
  • Higher education institutions
  • Air carriers

Data-Level Exemptions:

  • Employment data
  • B2B contact information
  • Data subject to specific federal laws (FCRA, FERPA, COPPA)
  • Publicly available information

Unique Threshold Considerations

Unlike California's CCPA (which uses revenue thresholds), Colorado's CPA focuses on data volume and data sales revenue. A small company processing significant consumer data could be subject to the law even with modest overall revenue.


What the CPA Governs

Types of Data Covered

Personal Data - Information linked or reasonably linkable to an identified or identifiable individual. Explicitly excludes de-identified or publicly available data.

Sensitive Data (requires opt-in consent):

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or citizenship status
  • Genetic or biometric data processed for identification
  • Personal data from a known child
  • Precise geolocation data

Consumer Rights Under CPA

Colorado residents have five core rights:

  1. Right to Access: Confirm whether a controller processes their data and access it
  2. Right to Correct: Request correction of inaccuracies in personal data
  3. Right to Delete: Request deletion of personal data provided by or obtained about them
  4. Right to Portability: Obtain a copy of data in a portable, readily usable format
  5. Right to Opt-Out: Decline the following:
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of automated decisions producing legal or similarly significant effects

Universal Opt-Out Mechanism (Key Differentiator)

Starting July 1, 2024, controllers must:

  • Recognize and honor universal opt-out signals (e.g., Global Privacy Control)
  • Provide clear notice that such signals will be processed as valid opt-out requests
  • Not require consumers to submit separate opt-out requests if a valid signal is detected

This makes Colorado the first state to mandate universal opt-out recognition by a specific date.


Compliance Requirements

Key Obligations for Controllers

1. Privacy Notice Requirements

Controllers must provide reasonably accessible, clear privacy notices including:

  • Categories of personal data processed
  • Purposes for processing personal data
  • Categories of personal data shared with third parties
  • Categories of third parties with whom data is shared
  • How consumers may exercise their rights
  • How consumers may appeal a controller's decision regarding rights requests

2. Purpose Limitation

  • Process personal data only for purposes disclosed to the consumer or compatible purposes
  • Obtain consent for processing incompatible with disclosed purposes
  • Practice data minimization - collect only what is necessary

3. Security Requirements

  • Implement reasonable security measures appropriate to the volume and sensitivity of data
  • Protect personal data during storage and use
  • Include security requirements in processor contracts

4. Consumer Request Handling

  • Respond within 45 days of receipt
  • One extension of 45 days permitted when reasonably necessary
  • Inform consumers of extension and reason
  • Appeals process required: If a request is denied, provide mechanism for appeal
  • Respond to appeals within 45 days
  • If appeal denied, inform consumer how to contact the Attorney General

Technical and Operational Requirements

Data Protection Assessments (DPAs) required for:

  • Processing for targeted advertising
  • Sale of personal data
  • Processing for profiling with risk of unfair/deceptive treatment, financial injury, physical injury, or intrusion on solitude
  • Processing sensitive data
  • Any processing with heightened risk of harm

DPA requirements:

  • Identify and weigh benefits vs. risks to consumers
  • Factor in use of de-identification, consumer expectations, and context
  • Maintain assessments for at least 3 years
  • Make available to Attorney General upon request

Data Processing Agreements between controllers and processors must include:

  • Clear instructions for processing
  • Nature and purpose of processing
  • Type of data subject to processing
  • Duration of processing
  • Rights and duties of both parties
  • Requirement for processor to assist controller with consumer requests

Universal Opt-Out Signals

What Counts as a Universal Opt-Out?

The Colorado Attorney General has rulemaking authority to recognize specific mechanisms. Currently, Global Privacy Control (GPC) is the primary recognized signal.

Implementation Requirements

// Example: Detecting Global Privacy Control (GPC) in the browser
// Browsers that support GPC expose navigator.globalPrivacyControl to page
// scripts and also send the "Sec-GPC: 1" request header to the server, so
// the same check can be made server-side from the header.
if (typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true) {
  // User has enabled GPC
  // Must treat as valid opt-out for:
  // - Sale of personal data
  // - Targeted advertising
  // The three calls below are the site's own hooks (placeholders here).
  disableTargetedAdvertising();
  disableDataSales();
  recordOptOutChoice();
}

Technical Considerations

  • GPC signals must be honored without requiring additional action from the consumer
  • Controllers may inform consumers that a signal was detected
  • No authentication required for opt-out signal processing
  • Must apply to all data collected going forward
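The snippet under Implementation Requirements shows only the client-side property check. The following is an added example, not code from the Blue Frog Docs page, that covers the Technical Considerations above as well: it evaluates the signal from both channels the GPC specification defines (the Sec-GPC request header on the server and navigator.globalPrivacyControl in the browser), treats only a strict "1" / true as a signal so that unsupported browsers are not misread, applies the opt-out to the two categories the page names (sale of personal data and targeted advertising) without any consumer action or authentication, and produces an audit record so the signal processing is documented. The preference object shape, the function names, and the sample request headers are constructed for this example.

```javascript
// Added example (not from the original page). Decides whether a request or
// page load carries a valid universal opt-out signal and applies it.

// Server side: the Sec-GPC header. Per the GPC spec the value "1" means the
// signal is set; absent, "0" or anything else means no signal. Header names
// are case-insensitive, so normalise before comparing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: navigator.globalPrivacyControl. Only a strict boolean true
// counts; browsers without GPC support leave the property undefined.
function gpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Apply the signal to the consumer's stored preferences. A detected signal
// switches off targeted advertising and data sales regardless of any earlier
// "allowed" choice, with no separate request and no authentication required.
// Profiling is left untouched: the page lists only sale and targeted
// advertising as covered by the signal, so that opt-out needs its own request.
function optOutDecision({ headers, nav, existingPreferences } = {}) {
  const signalDetected = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const preferences = { ...(existingPreferences || {}) };
  if (signalDetected) {
    preferences.targetedAdvertising = false;
    preferences.saleOfPersonalData = false;
    preferences.source = 'universal-opt-out-signal';
  }
  return { signalDetected, preferences };
}

// Audit record for the decision, so the signal processing logic and the
// resulting choice are documented (timestamp supplied by the caller so the
// function stays deterministic and testable).
function recordOptOut(decision, consumerId, timestampIso) {
  return {
    consumerId,
    at: timestampIso,
    signalDetected: decision.signalDetected,
    targetedAdvertising: decision.preferences.targetedAdvertising,
    saleOfPersonalData: decision.preferences.saleOfPersonalData,
    source: decision.preferences.source || 'none',
  };
}

// Constructed sample inputs: one request with the header set, one without.
const sampleRequestWithGpc = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };
const sampleRequestWithoutGpc = { 'user-agent': 'example-browser' };

// Demonstration when run directly.
const demo = optOutDecision({
  headers: sampleRequestWithGpc,
  existingPreferences: { targetedAdvertising: true, saleOfPersonalData: true },
});
console.log(recordOptOut(demo, 'consumer-123', '2024-07-01T00:00:00Z'));
```

Because both channels are checked, a page load from a GPC-enabled browser is honored even when the property check never runs (script blocked or disabled), and a server that only sees the header still reaches the same decision.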

Consequences of Non-Compliance

Enforcement Process

  1. Cure Period: Before July 1, 2025, controllers have 60 days to cure violations after notice
  2. Post-Cure Period: After January 1, 2025, no cure period - immediate enforcement possible
  3. Investigation: Attorney General or District Attorneys may investigate
  4. Enforcement Action: Civil action for violations

Penalties and Fines

  • Up to $20,000 per violation (civil penalty)
  • Attorney fees and costs may be recovered
  • Injunctive relief may be ordered
  • Enhanced penalties for willful violations

No Private Right of Action

Like Virginia, Colorado does not allow consumers to sue directly for CPA violations. Enforcement is through public authorities only.


Why the CPA Exists

Historical Background

  • 2021: Colorado legislature passes SB 21-190 with bipartisan support
  • July 7, 2021: Governor Polis signs CPA into law
  • July 1, 2023: CPA takes effect
  • July 1, 2024: Universal opt-out mechanism requirement begins

Distinctive Features

Colorado's CPA is notable for:

  1. Universal opt-out mandate: First state to require recognition of browser-based opt-out signals
  2. Appeals process requirement: Consumers must have a way to appeal denied requests
  3. Strong rulemaking authority: Attorney General can issue detailed implementation rules
  4. District Attorney enforcement: Local enforcement option beyond state AG

Influence on Other States

The CPA's universal opt-out provision has influenced other state laws and set a precedent for user-friendly privacy controls that don't require individual website opt-outs.


Implementation & Best Practices

How to Become Compliant

Step 1: Threshold Assessment

  • Count Colorado consumers in your data systems
  • Determine if you derive revenue from personal data sales
  • Document applicability determination

Step 2: Data Mapping

  • Inventory all personal data from Colorado consumers
  • Identify sensitive data requiring opt-in consent
  • Map data flows to processors and third parties
  • Document processing purposes for each data type

Step 3: Privacy Notice Updates

  • Disclose all processing purposes
  • Explain consumer rights clearly
  • Describe how to exercise each right
  • Include information about the appeals process
  • Describe universal opt-out signal recognition

Step 4: Consumer Rights Infrastructure

  • Build intake mechanisms for requests
  • Implement 45-day response workflow
  • Create appeals process
  • Train staff on request handling
  • Document all decisions and responses

Step 5: Universal Opt-Out Implementation

  • Implement GPC detection on your website
  • Configure advertising and data sale systems to respect signals
  • Test signal detection across browsers
  • Document signal processing logic

Step 6: Sensitive Data Consent

  • Implement opt-in consent mechanisms
  • Obtain affirmative consent before processing sensitive data
  • Maintain consent records
  • Provide easy consent withdrawal

Ongoing Compliance Maintenance

  • Annual Data Protection Assessments for high-risk processing
  • Regular Signal Testing to ensure opt-out detection works
  • Quarterly Request Audits to verify timely responses
  • Privacy Notice Reviews when processing changes
  • Processor Compliance Checks for vendor adherence

Additional Resources

Official Documentation

Technical Resources

Industry Guidance

  • IAPP Colorado Privacy Act Resource Center
  • Colorado CPA Implementation Toolkit (various vendors)


Conclusion

The Colorado Privacy Act distinguishes itself through its universal opt-out mechanism requirement and consumer-friendly appeals process. Organizations processing Colorado consumer data should prioritize implementing Global Privacy Control recognition alongside standard privacy compliance infrastructure.

The July 1, 2024 deadline for universal opt-out recognition represents a significant technical requirement that may require updates to advertising, analytics, and data processing systems. Planning for this implementation should begin well in advance.
