What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA) is a US state consumer data privacy law that gives Colorado residents enhanced rights and protections surrounding how businesses handle their personal information. It went into effect on July 1, 2023.

The CPA applies to for-profit companies doing business in Colorado or producing products/services targeted at Colorado consumers, provided they meet either of these thresholds:

  • Control or process personal data of 100,000+ Colorado consumers per calendar year
  • Derive revenue or receive discounted pricing for selling personal data of 25,000+ consumers per year

Here are the key requirements of the Act:

  • Provide transparency into data practices
  • Limit collection and retention to what is reasonably necessary
  • Mandate heightened protections for sensitive categories of personal information
  • Avoid discrimination

Colorado consumers gain rights to access, correct, delete, and download personal data, and in addition to that, they can opt out of targeted advertising, data sales, and profiling.

Enforcement rests exclusively with the Colorado Attorney General and District Attorneys. Fines run from $2,000 up to $20,000 per violation with a 60-day cure period.

Check out how you can comply with the Colorado Privacy Act.