Does the Colorado Privacy Act apply to your business?
It depends on volume, not revenue, and, unlike most states, nonprofits are not exempt. The CPA applies to a controller that does business in Colorado or targets Colorado residents and meets one of two thresholds: controlling or processing the personal data of 100,000 or more consumers in a calendar year, or 25,000 or more consumers while deriving revenue, or a discount on the price of goods or services, from selling personal data.
Two features make Colorado broader than the California or Texas models. First, there is no dollar revenue floor — the trigger is consumer-count plus a Colorado nexus. Second, the CPA reaches nonprofit organizations, which several other state privacy laws carve out entirely. As with the other state regimes, a consumer is a Colorado resident acting in an individual or household context, not an employee or a business contact, and entity- and data-level exemptions (for GLBA, HIPAA, and FCRA-regulated data, among others) still apply.
Sources for this answer
Primary law
A.1 Colo. Rev. Stat. § 6-1-1304 (PDF). The CPA applies to a controller that conducts business in Colorado or targets Colorado residents and meets a 100,000-consumer threshold, or a 25,000-consumer threshold while deriving revenue from selling personal data.
this part 13 applies to a controller that: (a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and (b) Satisfies one or both of the following thresholds:
See Colo. Rev. Stat. § 6-1-1304(1).
What must your Colorado privacy policy contain?
The CPA imposes a duty of transparency: a controller must give consumers a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes of processing, how to exercise and appeal consumer rights, the categories shared with third parties, and the categories of third parties.
For a template privacy policy, treat section 6-1-1308 as the content checklist. Two Colorado specifics go beyond the baseline list. If you process personal data for targeted advertising or sell it, the policy must disclose that and provide a clear, conspicuous opt-out method both inside the notice and in a separate, readily accessible location. And processing sensitive data — or the personal data of a known child — requires consent, so the data practices the notice describes must line up with the consents the controller actually collects.
Sources for this answer
Primary law
B.1 Colo. Rev. Stat. § 6-1-1308 (PDF). A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purposes of processing, among other required disclosures.
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (I) The categories of personal data collected or processed by the controller or a processor; (II) The purposes for which the categories of personal data are processed;
See Colo. Rev. Stat. § 6-1-1308(1)(a).
What must your contracts with processors say?
Processing by a processor must be governed by a binding contract between the controller and the processor, so a data processing agreement is a statutory requirement. The contract must set out the processing instructions, including the nature and purpose of the processing.
Section 6-1-1305 then enumerates the rest of the required terms: the types of personal data and the duration of processing; a duty to delete or return the data at the controller's direction; an obligation to make available the information needed to demonstrate compliance; and a right to reasonable audits (or, alternatively, an annual independent audit report). A compliant template DPA tracks each of these, and no contract can relieve either party of the liabilities the CPA assigns to its role.
Sources for this answer
Primary law
C.1 Colo. Rev. Stat. § 6-1-1305 (PDF). Processing by a processor must be governed by a binding contract that sets out the processing instructions, including the nature and purpose of the processing, and the required processor obligations.
Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out: (a) The processing instructions to which the processor is bound, including the nature and purpose of the processing;
See Colo. Rev. Stat. § 6-1-1305(5).
Must you honor a universal opt-out signal?
Yes. This is where Colorado is stricter than many states: since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must let consumers opt out through a user-selected universal opt-out mechanism that meets the technical specifications the Attorney General has adopted.
In practice that means honoring browser-level signals such as the Global Privacy Control, not just a website opt-out link. The CPA Rules provide for the Attorney General to publish a list of recognized universal opt-out mechanisms, so a controller should check its handling against that list rather than against the one signal it happens to know about. The opt-out is one of a fuller set of consumer rights (access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling), to which a controller must respond within 45 days, extendable once by a further 45 days where reasonably necessary. A template privacy program should wire the universal-opt-out handling into its consent and preference logic, not bolt it on as a static link.
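As an added example, not code from this page, from the Colorado Attorney General, or from any particular consent-management product: a Node.js sketch of how a controller's web tier can recognize the Global Privacy Control signal (the `Sec-GPC: 1` request header defined by the GPC specification) and fold it into the opt-out decision alongside a stored preference, then emit the flags an ad pipeline would consume and the `/.well-known/gpc.json` declaration the GPC specification defines. The function names, the stored-preference shape, the ad-config flags, and the sample requests are assumptions made for the illustration. The example deliberately does not model the precedence the CPA Rules set between a signal and a later explicit opt-in given through the site's own interface; a production implementation has to.

```javascript
// Added example (not the page's own code): treat the Global Privacy Control
// (GPC) signal as a universal opt-out of targeted advertising and sale, and
// combine it with a stored per-consumer preference.
// Assumptions: Node.js 18+, request headers passed as a plain object keyed
// the way Node's http module delivers them (lower-cased names). The
// precedence between a GPC signal and a later, explicit opt-in through the
// site's own UI is governed by the CPA Rules and is NOT modelled here: either
// opt-out source is treated as sufficient to opt out.

// Per the GPC specification an enabled signal is sent as the request header
// `Sec-GPC: 1`. Any other value, or absence of the header, means "not set";
// values such as "true" or "yes" must not be treated as a signal. (In-page
// scripts can read the same state as `navigator.globalPrivacyControl`, but a
// server-side decision should key off the header it actually received.)
function hasGpcSignal(headers) {
  if (!headers) return false;
  // Node lower-cases header names; tolerate the mixed-case form for callers
  // that hand over a raw header map.
  let value = headers['sec-gpc'];
  if (value === undefined) value = headers['Sec-GPC'];
  if (value === undefined) return false;
  // A repeated header arrives as an array; any enabled instance counts.
  const values = Array.isArray(value) ? value : [value];
  return values.some((v) => String(v).trim() === '1');
}

// Resolve the effective opt-out status for one request.
//   headers: incoming request headers
//   stored:  the controller's stored preference for this consumer, if any,
//            shaped (by assumption) as { optOutTargetedAds, optOutSale } or null
// Returns which processing must stop and why, so the decision can be written
// to the compliance log.
function resolveOptOut(headers, stored) {
  const signal = hasGpcSignal(headers);
  const optOutTargetedAds = signal || Boolean(stored && stored.optOutTargetedAds);
  const optOutSale = signal || Boolean(stored && stored.optOutSale);
  let source = 'none';
  if (signal) source = 'signal';
  else if (optOutTargetedAds || optOutSale) source = 'stored';
  return { optOutTargetedAds, optOutSale, source };
}

// Turn the decision into the flags a tag manager or ad pipeline consumes
// (flag names are assumptions). Contextual advertising, which the CPA's
// definition of targeted advertising does not cover, stays enabled.
function adConfigFor(decision) {
  return {
    loadTargetedAdTags: !decision.optOutTargetedAds,
    shareWithDataBrokers: !decision.optOutSale,
    loadContextualAdTags: true,
  };
}

// Body for the /.well-known/gpc.json resource defined by the GPC
// specification, through which a site declares that it honours the signal.
// `lastUpdate` is the date the declaration was last reviewed (constructed).
function gpcWellKnown(lastUpdate = '2024-07-01') {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests, not captured traffic.
const sampleRequests = [
  { name: 'GPC on, no stored preference', headers: { 'sec-gpc': '1' }, stored: null },
  { name: 'GPC off, stored opt-out of sale only', headers: { 'sec-gpc': '0' },
    stored: { optOutTargetedAds: false, optOutSale: true } },
  { name: 'no signal, no preference', headers: { 'user-agent': 'example' }, stored: null },
  { name: 'malformed signal value', headers: { 'sec-gpc': 'true' }, stored: null },
];

for (const req of sampleRequests) {
  const decision = resolveOptOut(req.headers, req.stored);
  console.log(req.name, decision, adConfigFor(decision));
}
console.log(JSON.stringify(gpcWellKnown()));
```

The `source` field is the part worth keeping in a real system: when a regulator asks why targeted tags were suppressed for a given session, the answer should be reconstructible from the log rather than inferred from browser behaviour after the fact.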
Sources for this answer
Primary law
D.1 Colo. Rev. Stat. § 6-1-1306 (PDF). Since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must allow consumers to opt out through a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications.
a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.
See Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).
Can a consumer sue your business under the CPA?
No. The CPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it. Enforcement belongs exclusively to the Colorado Attorney General and district attorneys.
One Colorado wrinkle raises the stakes: the CPA's right-to-cure provision was repealed effective January 1, 2025, so a controller can no longer count on a guaranteed notice-and-cure window before an enforcement action. Violations are deceptive trade practices subject to the Colorado Consumer Protection Act's penalties. The compliance posture, then, is to build the privacy notice, opt-out, and contracting controls in advance rather than relying on a cure period that no longer exists.
Sources for this answer
Primary law
E.1 Colo. Rev. Stat. § 6-1-1311 (PDF). The CPA bars any private right of action for its violation.
nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.
See Colo. Rev. Stat. § 6-1-1311(1)(b).
Primary law
E.2 Colo. Rev. Stat. § 6-1-1311 (PDF). The Attorney General and district attorneys have exclusive authority to enforce the CPA.
the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.
See Colo. Rev. Stat. § 6-1-1311(1)(a).