In 2022, Colorado became the third state in the US to pass a comprehensive consumer privacy law. The Colorado Privacy Act (CPA) was the first to introduce an obligation to recognize a universal opt-out mechanism and the first to apply to non-profits. Since its passage, it has seen significant amendments, including new rules for processing biometric data and minors’ data, and the addition of biological data to its list of sensitive personal information (SPI). In addition, the attorney general has published implementation regulations with which in-scope organizations must also comply.

Scope

Colorado’s privacy law applies to organizations that operate in Colorado, intentionally target products or services to Colorado residents, or collect data from them. In most cases, they must also meet one of the following two conditions to be subject to the Colorado Privacy Act:

  1. Control or process the personal data of at least 100,000 consumers per year OR
  2. Receive revenue or a discount on goods or services from the sale of personal data while controlling or processing the personal information of at least 25,000 consumers

However, organizations that process biometric identifiers in any amount may also be in scope — and this includes the biometric information of employees. Likewise, businesses that process information on children under 18 are in scope for the provisions that apply to minors.

It’s worth noting that non-profits are in scope, but there are some data-level, entity-level, and use-case-level exemptions related to regulated industries such as healthcare, finance, education, and aviation.

Obligations under the Colorado Privacy Act

The main requirements of the Colorado Privacy Act should look familiar to privacy pros who’ve seen other comprehensive laws. These duties include:

  • Transparency, in the form of a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of data collected and the people with whom data is shared;
  • Providing privacy rights;
  • Specifying exact purposes for collection and processing of personal information;
  • Data minimization practices;
  • Implementation of reasonable security measures;
  • Obtaining consent via a “clear affirmative act signifying consent is freely given” before certain processing activities;
  • Conducting regular risk assessments; and
  • Preventing discrimination against consumers.

Sensitive Personal Information

The Colorado Privacy Act requires consent for processing SPI, which includes:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or citizenship status;
  • PI from a known child;
  • Genetic or biometric data processed for identification purposes; and
  • Biological data.

In early 2024, Colorado made a splash in the privacy world when it added biological data to its list of SPI and specified that “neural data” was included in that category. It also added protections for children and more rules for organizations processing biometrics in 2024.

Minors’ Data

In May of 2024, the Colorado legislature expanded online protections for children and minors in the Colorado Privacy Act.

As of October 1, 2025, controllers that process minors’ personal information online must obtain consent from the minor (or from a parent, for children under 13) before using their information for targeted ads, sale, or certain profiling; using it for a purpose not disclosed at the time of collection; retaining it longer than necessary for that purpose; or collecting their precise geolocation.

Controllers also have a duty of care: they must avoid any heightened risk of harm caused by their products and services, and avoid using features that extend or increase a minor’s use of their product or service. Whenever such harm cannot be avoided, controllers are required to conduct a data protection assessment.

Biometric data

Also passed in May 2024 was an amendment that increases the obligations of controllers that process biometric data or biometric identifiers, beyond the consent already required for all processing of sensitive personal information.

As of July 1, 2025, before collecting a biometric identifier, controllers must notify consumers of the purpose of collection, the length of retention, and whether the data will be shared with a processor and for what purpose. They must then obtain consent for the processing. Additionally, controllers must implement a written policy covering consumer biometric data, which they may need to make publicly available. They are prohibited from selling or sharing it without consent or a legal obligation, and they must provide appropriate security protections for it both at rest and in transit. Notably, the amendment also put in place limitations and consent obligations on controllers’ use of employees’ biometric identifiers. This is the only area in which the CPA applies in the employment context.

Privacy Rights

Privacy rights under the Colorado Privacy Act are standard fare as well. Rights to access, correct, and delete information are no surprise. The only real divergence is that under the CPA there is no right to opt out of profiling — though rights to opt out of sale and targeted advertising are mandated. Organizations have 45 days to respond and must provide consumers with a mechanism to appeal a rights decision.

Colorado was the first state to obligate in-scope organizations to honor a universal opt-out mechanism, and most states have followed its lead.

Enforcement

Enforcement of consumer privacy laws has been a challenge for many states, as the resources of their attorneys general’s offices are limited. Uniquely among US privacy laws, the Colorado Privacy Act can be enforced by both the state attorney general and district attorneys. This spreads the regulatory load and may increase the number of enforcement actions.

As of Jan. 1, 2025, the CPA’s 60-day cure period ends, meaning entities will no longer have a grace period to cure violations unless the AG chooses to provide one based on the circumstances.

Violating the CPA is a deceptive trade practice punishable by up to $20,000 per violation.

Get your organization ready

There is broad agreement across US state privacy laws on the high-level obligations for in-scope organizations. The good news is that if you are compliant with other state privacy laws, you are likely in good shape for complying with the Colorado Privacy Act. If you’re working to get your privacy program off the ground and compliance seems a long way off, the steps below will get you on the right track.

Here are some steps you can take now. For more information, consult our

Start a data inventory

A data map or data inventory tracks personal information from the time you collect it to the time it is deleted or destroyed. It will help you understand what data you collect, from what sources, how you use it, whether you share it with third parties, where it’s stored, for how long, and how it’s protected. Together, these details tell you where your privacy risk lies and how to mitigate it.

Update your privacy notice

Your privacy notice is where you tell the world about your data handling practices. It must be accurate, up-to-date, and include the elements required by applicable privacy and data protection laws. It is also an opportunity to build trust, so ensuring your customers can understand it and know where to go to ask questions is important.

Download our free resource, Privacy Notice Roadmap: A Business Guide, to learn how to create and maintain an effective privacy notice that builds trust and complies with regulations.

Make a privacy rights plan

Being ready for the Colorado Privacy Act — and other state privacy laws — means being able to respond to privacy rights. Your data inventory will go a long way to prepare you for this, but you also need to have a way for consumers to submit requests and a plan for what to do when you get one.

Create a risk assessment process

The Colorado Privacy Act prohibits businesses from processing personal information in ways that present a heightened risk of harm to consumers unless they conduct a data protection assessment. Implementing a data protection assessment policy, along with a procedure and a questionnaire, will put you on the path to compliance.

Train employees

Privacy is a team sport. The success of any privacy team depends on the rest of the organization understanding how to appropriately handle personal information. Privacy training and awareness activities should be integrated into your organizational culture through regular role-based training sessions, informational posters, company newsletters, and any other organization-wide communications.

Review security protections

Work with your security team to review and strengthen your security and access controls around personal information. Data privacy can’t exist without appropriate security safeguards, so this is essential to ensuring you meet compliance objectives.

One more bonus tip

Here’s one more tip for you: Get help! Privacy consultants like those at Red Clover Advisors are experts in this stuff — we do it all the time. We are passionate about making privacy easier to operationalize, getting you to compliance quickly, and helping you build trust with your customers.

We have a variety of programs that can meet your needs and your budget.

Contact us today and let us take the stress out of your Colorado Privacy Act compliance program.

Downloadable Resource

10 Steps To Comply with CPA