The Colorado Privacy Act is structurally similar to VCDPA but distinguished by its early adoption of a Universal Opt-Out Mechanism (UOOM) — a technical signal browsers can send to opt out of sale and targeted advertising automatically.
Who it applies to
A "controller" subject to CPA conducts business in Colorado or produces products/services intentionally targeted at Colorado residents, and:
- Controls or processes personal data of 100,000+ Colorado consumers in a calendar year, or
- Controls or processes personal data of 25,000+ consumers and derives revenue or receives a discount on the price of goods or services from selling personal data.
There is no revenue threshold, so CPA is broader than VCDPA in that respect.
The UOOM and its implications
Since July 2024, controllers subject to CPA must recognise and honour Universal Opt-Out Mechanism signals — practically, the Global Privacy Control (GPC) browser signal — as opt-outs from sale and targeted advertising. This is the first US state law mandating recognition of an automated signal.
The vendor implication: any vendor handling sale or targeted advertising on the controller's behalf must also support UOOM. A vendor whose product silently ignores GPC creates a compliance gap the controller is responsible for.
Controller and processor obligations
Largely parallel to VCDPA:
- Privacy notice with specified contents.
- Data Protection Assessments for high-risk processing.
- Processor contracts with required terms (instructions, confidentiality, security, sub-processing notice, audit cooperation, end-of-engagement deletion).
- Sensitive data opt-in.
Sensitive data under CPA:
- Race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status.
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.
- Personal data from a known child.
Colorado's implementing regulations under CPA also treat precise geolocation as sensitive data (within 1,750 feet of a consumer's location).
Consumer rights
Same set as VCDPA, with one addition: an explicit right to appeal a controller's denial of a rights request, with the Attorney General as ultimate venue.
Response window: 45 days, extendable by 45.
What vendor monitoring looks like under CPA
In addition to the standard set:
- UOOM compliance. New vendors handling marketing or advertising data must be confirmed to honour GPC. Existing vendors may need to be re-evaluated as their products evolve.
- Sensitive data handling. Any vendor touching health, biometric, or precise location data needs DPIA-equivalent documentation.
- Sub-processor notification windows. Track and exercise within the contractual window.
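As an added example (not code from the original text or from the Colorado regulations), the JavaScript below shows how a controller's web backend can recognise the GPC signal described above and record it as the two CPA opt-outs it covers, and how the vendor check in the monitoring list can be expressed as a gap report. The `Sec-GPC` header and its value `1` come from the public Global Privacy Control specification; the consumer record, the vendor fields (`purposes`, `honoursGpc`) and the purpose names are assumptions.

```javascript
// Added example (not part of the original text). Header name "Sec-GPC" and the
// value "1" come from the public Global Privacy Control specification; the
// consumer record and vendor catalogue shapes below are assumptions.

// Only the exact value "1" is a GPC opt-out. An absent header, "0", or any other
// value means no signal, so the consumer's existing choices stay as they are.
function gpcSignalPresent(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Record the signal as the two CPA opt-outs it covers: sale and targeted
// advertising. The update is one-way; a later request without the header does
// not silently re-enable either purpose.
function applyGpc(consumer, headers) {
  if (!gpcSignalPresent(headers)) return consumer;
  return { ...consumer, optOutSale: true, optOutTargetedAds: true, optOutSource: 'gpc' };
}

// Decide whether a consumer's data may be passed to a vendor for a purpose.
// Purposes outside sale/targeted advertising are not governed by the UOOM.
function transferDecision(consumer, purpose) {
  if (purpose === 'sale' && consumer.optOutSale) {
    return { allow: false, reason: `opted out of sale (${consumer.optOutSource})` };
  }
  if (purpose === 'targeted_advertising' && consumer.optOutTargetedAds) {
    return { allow: false, reason: `opted out of targeted advertising (${consumer.optOutSource})` };
  }
  return { allow: true, reason: 'no applicable opt-out on record' };
}

// Vendor monitoring check: a vendor used for sale or targeted advertising that
// does not honour GPC is a compliance gap the controller answers for.
// `honoursGpc` is an assumed attribute captured during vendor review.
function uoomGaps(vendors) {
  const restricted = new Set(['sale', 'targeted_advertising']);
  return vendors
    .filter((v) => v.purposes.some((p) => restricted.has(p)) && !v.honoursGpc)
    .map((v) => v.name);
}

// Constructed sample data (hypothetical consumer and vendors).
const visitor = applyGpc({ id: 'c-1', optOutSale: false, optOutTargetedAds: false, optOutSource: null },
                         { 'Sec-GPC': '1' });
const vendors = [
  { name: 'AdNet Example', purposes: ['targeted_advertising'], honoursGpc: false },
  { name: 'Analytics Example', purposes: ['analytics'], honoursGpc: false },
  { name: 'DSP Example', purposes: ['sale'], honoursGpc: true },
];
console.log(transferDecision(visitor, 'targeted_advertising'), uoomGaps(vendors));
```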
Enforcement
The Attorney General has primary enforcement authority. The Department of Law issued detailed implementing regulations in 2023 covering the universal opt-out, consent, sensitive data, and DPIAs. There was an initial 60-day cure period that sunsetted in January 2025; enforcement is now without cure.
No private right of action.