2021

Colorado Senate Bill 21-190, Protect Personal Data Privacy, was signed into law on July 7, 2021 by Governor Jared Polis and established the Colorado Privacy Act (CPA).

2023

On July 1, 2023, the CPA went into effect.

Amendments

Who

The CPA protects the personal data of consumers. Under the statute, a consumer is a Colorado resident acting in an individual or household context, not in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.¹

The CPA applies to persons that conduct business in Colorado or produce or deliver commercial products or services that are targeted to residents of Colorado and that do one or both of the following²:

• control or process personal data of at least 100,000 consumers in a year OR derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control personal data of 25,000 consumers or more; or
• control or process personal biometric identifiers or biometric data.

The CPA distinguishes between controllers and processors.³ A controller is an entity that alone, or jointly with others, determines the purposes and means for processing personal data.⁴ A processor is an entity that processes personal data on behalf of a controller. ⁵

Processing means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data.⁶

The CPA imposes restrictions and obligations on the relationship between controllers and processors. Processors must follow the controller’s instructions on how personal data may be processed.⁷ Contracts between controllers and processors must include the following⁸:

• instructions for processing the personal data,
• the type(s) of personal data and the duration of processing,
• the obligation to delete or return data upon the controller’s request,
• a requirement for appropriate technical and organizational measures to respond to consumers’ requests to exercise their data rights,
• a duty to maintain technical and organizational measures to secure personal data,
• the obligation to provide information to the controller to support the controller’s completion of data protection assessments,
• an assertion that persons handling personal data have a duty of confidentiality, meaning they do not disclose data to unauthorized parties,
• the right for the controller to object to any subcontractor processing personal data,
• the ability to provide evidence to demonstrate compliance with contractual obligations, and
• the right for the controller or their designee to conduct audits of the processor’s technical and organizations measures related to the protection of personal data.

What

Personal Data

The CPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions and with some particular types of personal data (such as sensitive or deidentified data) receiving more or fewer protections.⁹

Sensitive Data

The CPA provides additional guidance around a subcategory of personal data: sensitive data.¹⁰ Colorado provides heightened protections to this subcategory of personal information based on the assumption that misuse, loss, or unauthorized disclosure of the data can lead to discrimination, financial loss, identity theft, or reputational damage.

Sensitive data includes:¹¹

• racial or ethnic origin,
• religious beliefs,
• mental or physical health condition or diagnosis,
• sex life,
• sexual orientation,
• citizenship or citizenship status,
• genetic or biometric information processed for the purpose of uniquely identifying an individual,
• personal data of known children (someone younger than 13 years of age), and
• biological data, such as information about bodily functions and neural data when used or intended to be used for identification purposes.

Exemptions

Exempt Entities

The CPA does not apply to the following entities¹²:

• personal data maintained by the state, the judicial department of the state, or a county, city, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes,
• state institutions of higher education,
• national securities associations that are registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934,
• financial institutions subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.,
• covered entities or business associates as defined in the Health Insurance Portability and Accountability Act (HIPAA), and
• air carriers as defined in 49 U.S.C. § 40102 governing aviation programs and regulated under the Federal Aviation Act of 1958 (49 U.S.C. 40101 et seq.) and the Airline Deregulation Act of 1978 (49 U.S.C. § 41713).

Exempt Data

The following types of data are exempt from the CPA¹³:

• protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) that is collected, stored, and processed by a covered entity or their business associates,
• healthcare information that is governed by part 8 of article 1 of title 25 of the Colorado Revised Statutes,
• Patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
• identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
• identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 50 and 56, which govern research involving human subjects,
• patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
• information used for public health activities and purposes as authorized by HIPAA,
• personal data collected, maintained, disclosed, sold, communicated, or used in a manner that has bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
• personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
• personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
• data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.),
• data processed or maintained for applications for employment or employment purposes,
• personal data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) of the Colorado Revised Statutes or an authority as defined in section 43-4-503 (1) of the Colorado Revised Statutes, if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law,
• personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958 (49 U.S.C. § 40101 et seq.) and the Airline Deregulation Act of 1978 (49 U.S.C. § 41713), and
• data regulated by the federal Children's Online Privacy Protection Act of 1998 (15 U.S.C. secs. 6501 to 6506).

Deidentified Data

The CPA includes an exemption for deidentified data.¹⁴

Deidentified data is data that cannot reasonably be used to infer information about or be linked to an identified individual or a device linked to such individual.¹⁵ Controllers processing deidentified data must¹⁶:

• take reasonable measures to ensure that the data is deidentified and cannot be associated with an individual,
• publicly commit to not attempt to reidentify the data, and
• contractually obligate recipients of deidentified data to take measures to ensure the data cannot be associated with an individual and not attempt to reidentify the data.

Publicly Available Data

The CPA does not apply to publicly available information.¹⁷ Publicly available information is information that¹⁸:

• is lawfully made available through government records, or
• the controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

Pseudonymous Data

Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information that is maintained separately.¹⁹ Where the controller is able to demonstrate that any information necessary to identify the individual is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information, the controller is not required to grant individuals’ rights to their data.²⁰

Consumers have several rights under the CPA²¹:

• right of access,
• right to correct,
• right to delete,
• right to opt out,
• right to opt into the processing of sensitive data,
• right to not be discriminated against, and
• minors’ rights.

Right to Access

Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.²² This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller.²³

Controllers must also disclose related information in their privacy notice. The notice must include²⁴:

• the categories of personal data processed by the controller,
• the purpose for processing personal data,
• how consumers can exercise their rights,
• the categories of personal data that the controller shares with third parties,
• the categories of third parties with whom the controller shares personal data, and
• a disclosure of any sale of personal data.

Right to Correct

Consumers have the right to request that a controller correct inaccuracies in their personal data.²⁵

Right to Delete

Consumers have the right to request that a controller delete any personal data provided by the consumer or obtained about the consumer.²⁶

Right to Opt Out

Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or consumer profiling used to analyze individuals and make decisions about them that have legal consequences or have other serious impacts on their lives.²⁷

Targeted advertising is the display of ads to a consumer where the ads are selected based on the consumer’s personal data obtained over time across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.²⁸ Targeted advertising does not include²⁹:

• Advertisements based on activities within a controller's own websites or online applications,
• Advertisements based on the context of a consumer's current search query or current visit to a website or online application,
• Advertisements directed to a consumer in response to the consumer's request for information or feedback, or
• Personal data processed solely for measuring or reporting advertising performance.

Sale of data is the transfer of personal data from a controller to a third party for money or other consideration.³⁰ Sale does not include³¹:

• The disclosure of personal data to a processor that processes the personal data on behalf of the controller,
• The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
• The disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets,
• The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, or
• The disclosure of information that the consumer intentionally made available to the general public.

Profiling is the automated processing of personal data to evaluate, analyze, or predict personal aspects of a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.³²

Right to Opt In for Sensitive Data

Controllers may not process sensitive data without obtaining consent from the consumer.³³ Accordingly, the consumer has the right to not have their sensitive data processed unless they have opted into such processing.³⁴

Consent must be ³⁵:

• freely given, meaning the consent is given voluntarily,
• specific, meaning the consent is given for a clearly defined purpose and is not an acceptance of general or broad terms of use,
• informed, meaning the data subject is provided an explanation of how the data will be processed, and
• unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).

Colorado’s opt-in standard for sensitive data is stricter than California’s opt-out: under the CPA, controllers must obtain consent before processing sensitive data.

Biometric Data

The CPA includes detailed guidance on the collection, use, and retention of biometric data.³⁶ The CPA requires consent before a company collects biometric data, and companies may not sell, lease, or trade biometric identifiers with any entity.³⁷ Companies may not disclose or disseminate biometric identifiers except with the consumer’s consent, when disclosing to a processor for the original collection purpose, or when required by law.³⁸

Controllers may purchase biometric identifiers only if they pay the consumer for the identifier, the purchase is unrelated to providing a product or service, and the consumer has consented. Controllers must delete biometric identifiers once the original purpose for collection is satisfied or no later than 24 months after the consumer’s last interaction with the controller, whichever is earlier.³⁹

The CPA also includes protections around employee data.⁴⁰ Employers are permitted to require that employees consent to the collection of biometric identifiers only for the following purposes⁴¹:

• to permit access to secure, physical locations, hardware, and software,
• to record the start and end of employees’ workdays, and
• for safety or security of the workplace, or
• to improve or monitor the safety or security of the public in emergencies or crises.

Employers may collect biometric data for other purposes, but only with the consent of the employee and provided that the employer does not retaliate against any employee who does not consent to such collection or processing.⁴²

Right to Not Be Discriminated Against

Consumers have the right for their personal data to not be processed in violation of state and federal laws that prohibit unlawful discrimination.⁴³

Minors’ Rights

Controllers may not use a minor’s personal data without consent of the minor or their legal guardian for the following purposes⁴⁴:

• targeted advertising,
• sale of personal data, and
• profiling to analyze individuals and make decisions about them that have legal consequences or have other serious impacts on their lives

Controllers must also not⁴⁵:

• use system design features to increase or extend the minor’s use of such service or application,
• collect precise geolocation data unless such data is necessary to provide the service, in which case such data may only be collected for the time needed to provide the service and there is a signal indicating that the controller is collecting precise geolocation data, or
• offer any direct messaging platform to minors without providing safeguards to restrict unsolicited communications from adults (excludes email and electronic transmission of text, images, or videos between devices where such content is exchanged privately between the sender and recipient and visible only to those parties).

Exercising Rights

A consumer may exercise their rights to access, correct, delete, or opt out under the CPA by submitting a request to the controller that specifies the right they wish to invoke.⁴⁶ Consumers may also assign an authorized agent to exercise opt-out rights on their behalf.⁴⁷

In its privacy notice, the controller must describe one or more methods for consumers to submit requests.⁴⁸ This mechanism cannot require the creation of a new account to exercise the consumer’s rights.⁴⁹ A controller must respond to the consumer’s request within 45 days of receipt indicating the actions taken and may request additional information needed to authenticate the consumer and their request.⁵⁰ If unable to reasonably authenticate the consumer, a controller may refuse the request.⁵¹

If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.⁵²

A controller must provide information in response to a consumer request free of charge, but it may charge a reasonable fee for a second or subsequent request within a twelve-month period.⁵³ The right to obtain a portable copy of personal data may be exercised up to twice per calendar year.⁵⁴ Controllers must also establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.⁵⁵ If the controller denies an appeal, they must notify the consumer within 45 days, though the controller may extend that period by an additional 60 days if reasonably necessary.⁵⁶

Universal Opt Out

Colorado is one of several states that require websites to recognize a browser-based signal, known as a universal opt-out mechanism, that opts users out of the web tracking and cross-site data sharing commonly used in targeted advertising and the sale of personal data.⁵⁷

The Attorney General of Colorado and district attorneys have the authority to enforce the provisions of the CPA via an injunction or fine.⁵⁸ In the first years after the CPA took effect, businesses that were found to be in violation had an opportunity to fix the problem before facing formal action. This was the right to cure.⁵⁹ That window closed on January 1, 2025, and the Attorney General and district attorneys may now pursue enforcement action directly for most CPA violations without first giving businesses a chance to correct them⁶⁰. For violations related to the CPA's minors' protections specifically, businesses retain that opportunity: until December 31, 2026, the Attorney General and district attorneys must issue a notice of violation and give the controller 60 days to cure those violations before pursuing action. If the controller fails to cure within 60 days, the Attorney General or district attorneys may pursue action.⁶¹

Under the Colorado Consumer Protection Act, civil penalties can be up to $20,000 per violation and are paid to the general fund of Colorado.⁶²

1. C.R.S. § 6-1-1303(6). ↩
2. C.R.S. § 6-1-1304 ↩
3. C.R.S. § 6-1-1303(7), (19). ↩
4. C.R.S. § 6-1-1303(7). ↩
5. C.R.S. § 6-1-1303(19). ↩
6. C.R.S. § 6-1-1303(18). ↩
7. C.R.S. § 6-1-1305 ↩
8. C.R.S. § 6-1-1305 ↩
9. C.R.S. § 6-1-1303(17). ↩
10. C.R.S. § 6-1-1308(7). ↩
11. C.R.S. § 6-1-1303(24). ↩
12. C.R.S. § 6-1-1304(2). ↩
13. Id. ↩
14. C.R.S. § 6-1-1303(17). ↩
15. C.R.S. § 6-1-1303(11). ↩
16. Id. ↩
17. C.R.S. § 6-1-1303(17). ↩
18. Id. ↩
19. C.R.S. § 6-1-1303(22). ↩
20. C.R.S. § 6-1-1307(3). ↩
21. C.R.S. § 6-1-1306 ↩
22. C.R.S. § 6-1-1306(1)(b). ↩
23. C.R.S. § 6-1-1306(1)(e). ↩
24. C.R.S. § 6-1-1308(1)(a)-(b). ↩
25. C.R.S. § 6-1-1306(1)(c). ↩
26. C.R.S. § 6-1-1306(1)(d). ↩
27. C.R.S. § 6-1-1306(1)(a). ↩
28. C.R.S. § 6-1-1303(25). ↩
29. Id. ↩
30. C.R.S. § 6-1-1303(23). ↩
31. Id. ↩
32. C.R.S. § 6-1-1303(20). ↩
33. C.R.S. § 6-1-1308(7). ↩
34. Id. ↩
35. C.R.S. § 6-1-1303(5). ↩
36. C.R.S. § 6-1-1314. ↩
37. C.R.S. § 6-1-1314(4)(b). ↩
38. Id. ↩
39. C.R.S. § 6-1-1314(2)(a)(III), (4)(c)(III). ↩
40. C.R.S. § 6-1-1314(6). ↩
41. C.R.S. § 6-1-1314(6)(a). ↩
42. C.R.S. § 6-1-1314(6)(b). ↩
43. C.R.S. § 6-1-1308(6). ↩
44. C.R.S. § 6-1-1308.5(2). ↩
45. C.R.S. § 6-1-1308.5(2)-(3). ↩
46. C.R.S. § 6-1-1306(1). ↩
47. C.R.S. § 6-1-1306(1)(a)(II). ↩
48. C.R.S. § 6-1-1308(1)(a)(III). ↩
49. C.R.S. § 6-1-1306(1). ↩
50. C.R.S. § 6-1-1306(2)(a). ↩
51. C.R.S. § 6-1-1306(2)(d). ↩
52. C.R.S. § 6-1-1306(2)(a). ↩
53. C.R.S. § 6-1-1306(2)(c). ↩
54. C.R.S. § 6-1-1306(1)(e). ↩
55. C.R.S. § 6-1-1306(3)(a). ↩
56. C.R.S. § 6-1-1306(3)(b). ↩
57. C.R.S. § 6-1-1306(1)(a)(IV)(B); C.R.S. § 6-1-1313. ↩
58. C.R.S. § 6-1-1311(1)(a). ↩
59. C.R.S. § 6-1-1311(1)(d)(I). ↩
60. Id. ↩
61. C.R.S. § 6-1-1311(1)(d)(II). ↩
62. C.R.S. § 6-1-112(1)(a). ↩