CPA - Colorado Privacy Act

The CPA is the latest addition to a growing list of state privacy laws in the United States, following in the footsteps of California's Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA).

The CPA was signed into law on July 7, 2021, and is scheduled to go into effect on July 1, 2023.


The CPA applies to organizations that conduct business in Colorado or produce products or services targeted to Colorado residents and that either control or process the personal data of 100,000 or more Colorado residents annually or derive revenue from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents.

One notable difference between the CPA and other state privacy laws is that the CPA does not include a private right of action, which means that individuals cannot sue organizations for violations of the CPA.

Key provisions of the CPA:

  • Individual Rights: The CPA provides Colorado residents the right to access, correct, delete, and obtain a copy of their personal data held by an organization. They can also opt out of the sale of their personal data or the processing of their data for targeted advertising;
  • Transparency: Organizations must provide clear and conspicuous privacy notices to individuals about their data processing practices, including the categories of personal data they collect and the purposes for which the data will be used. They must also obtain opt-in consent from individuals for sensitive personal data, such as health or financial information;
  • Data Security: The CPA requires organizations to implement reasonable security measures to protect the personal data they collect from unauthorized access, disclosure, or use. If a data breach occurs, organizations must notify affected individuals and the Colorado Attorney General's office;
  • Vendor Management: Organizations that share personal data with third-party vendors must include contractual provisions requiring the vendors to comply with the CPA's requirements and notify the business of any data breaches.

The CPA provides enforcement authority to the Colorado Attorney General's office and allows for civil penalties of up to $20,000 per violation, with a cap of $500,000 per event.