colorado-cpa-compliance
Colorado Privacy Act (CPA) Compliance
Overview
The Colorado Privacy Act (CPA), codified as C.R.S. §6-1-1301 through §6-1-1313, was signed into law on July 7, 2021 (SB 21-190), and became effective July 1, 2023. Colorado was the third state to enact comprehensive consumer privacy legislation. The CPA is notable for its robust rulemaking by the Colorado Attorney General, resulting in detailed implementing regulations at 4 CCR 904-3, and for being the first state (alongside Connecticut) to require recognition of universal opt-out mechanisms.
The Colorado AG published final rules effective March 1, 2024, with the universal opt-out mechanism requirement taking effect July 1, 2024.
Applicability (§6-1-1304)
The CPA applies to controllers that conduct business in Colorado or produce products or services intentionally targeted to Colorado residents AND:
- Control or process personal data of 100,000 or more Colorado consumers per calendar year; OR
- Control or process personal data of 25,000 or more Colorado consumers AND derive revenue or receive a discount on the price of goods or services from the sale of personal data.
Note: Threshold (2) does not require a specific revenue percentage (unlike Virginia's 50% threshold).