

Colorado Privacy Act (CPA)

Passed: July 7, 2021
Effective Date: July 1, 2023
Who it applies to:
  • Entities that control/process data of 100,000+ residents annually.
  • Entities that derive revenue from selling data of 25,000+ consumers.
  • Exempt entities include airlines, government agencies, consumer reporting agencies, higher education institutions, organizations that use data for the purposes of health insurance or employment records, judicial departments, and public utility companies.
Penalties: Up to $20,000 per violation, and up to $50,000 if the violation involves the data of an elderly person.

What’s notable about it:

Except for California, Colorado is the only state to have passed regulations under its privacy law. The regulations tell us how the state’s Attorney General interprets the law, and how they might enforce it. Answer: Strictly.

The Colorado Privacy Act Rules prescribe a particularly rigorous process for “data protection assessments” and a European-style interpretation of “consent” (that means specific, informed, “opt-in” consent). This requires businesses to inform people upfront about privacy-invasive data practices and ask them to expressly consent. The Rules also give a broad definition of “sensitive data”. Expect the Attorney General to flex its enforcement muscles soon.

The Strict Spectrum

Less Strict