U.S. Consumer Data Privacy Law Guide: Colorado

This state-specific guide covers data privacy law, rules, and regulations that professionals and clients often encounter or have questions about in Colorado.

Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Colorado Privacy Act

Effective Date: July 1, 2023, as amended by House Bill 1130 and Senate Bill 041 in 2024.

Overarching Law: The Colorado Privacy Act (CPA) was passed as a sub-part of the Colorado Consumer Protection Act. Please note that many parts of the CPA, such as remedies and limitations, are further governed by the Colorado Consumer Protection Act.

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, this law applies to a Controller who conducts business in the State of Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents (consumers), and who, in controlling or processing personal data, satisfies one or both of the following:

  • 100,000+ Colorado consumers' personal data, during a calendar year; or
  • 25,000+ Colorado consumers' personal data, where the Controller derives any revenue or receives a discount on the price of goods or services from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Similar to California, "Sale," "Sell," or "Sold" is broadly defined to include the exchange of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.

Sensitive Data: The CPA requires a Controller to obtain consumer consent before processing sensitive data. Sensitive data includes:

  • personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
  • genetic or biometric data;
  • personal data of known children under the age of 13;
  • biological data, which is defined as "data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. 'Biological data' includes neural data."
    • As of August 7, 2024, biological data also includes all neural data, which is defined as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device."

3. Heightened Protection for Minors Under the Age of 18:

Effective October 1, 2025, Senate Bill 041 amends the CPA to introduce the definition of "Minor" as any consumer who is under 18 years of age, similar to the requirements under the Connecticut privacy laws.

4. Business Obligations:

The CPA imposes additional obligations on persons who, alone or jointly with others, determine the purposes for and means of processing personal data (Controller):

  • Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
  • Data Protection Assessment: Required where processing activities present a heightened risk of harm to consumers (including Minors), including targeted advertising, certain high-risk profiling, sales of personal data, and processing sensitive data (including biometric data under the definition amended by House Bill 1130), among others.
  • Privacy Notice: A Controller must provide consumers with a privacy notice.
  • Universal Opt-out Mechanism: Beginning on July 1, 2024, the CPA requires Controllers to recognize one or more universal opt-out mechanism(s) published on the CO attorney general's Universal Opt-out Shortlist, including the Global Privacy Control.

5. Consumer Rights:

Subject to certain exceptions, a Colorado consumer has the right to:

  • Confirm whether or not a Controller is processing their personal data and access the categories of data being processed;
  • Correct inaccuracies in the consumer's personal data;
  • Delete personal data provided by, or obtained about, the consumer;
  • Obtain a copy of the personal data of a consumer no more than twice per calendar year; and
  • Opt-out of data processing for targeted advertising, sales of personal data, and profiling for decisions that produce legal or similarly significant effects concerning a consumer.

6. Enforcement and Penalties:

Private Right of Action: None

Penalties: Up to $20,000 per violation; and up to $50,000 per violation if a deceptive trade practice is committed against a senior citizen over the age of 60.

Cure Period: 60 days. This cure period was only available until January 1, 2025.
