Applies to businesses processing personal data of 100,000+ Colorado residents annually, or 25,000+ if you derive any revenue from selling personal data.
Effective: 2023-07-01
Penalty max: $20,000
Cure period: None
Honor GPC: Required
Overview
The Colorado Privacy Act (CPA) took effect July 1, 2023, making Colorado the third state with a comprehensive consumer privacy law. The law gives Colorado residents rights to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, data sales, and profiling for consequential decisions. The 60-day cure period ended on January 1, 2025 — meaning the AG can now bring enforcement actions without first giving businesses time to fix violations. The Colorado AG has been one of the more active enforcement bodies, with formal rulemaking that requires honoring browser-level Global Privacy Control (GPC) signals as an opt-out mechanism. For e-commerce, this means a static 'we use cookies' banner is insufficient; you must implement a real opt-out flow that suppresses tracking when GPC is detected.
Who it applies to
Businesses processing personal data of 100,000+ Colorado residents annually.
Businesses processing personal data of 25,000+ Colorado residents AND deriving 50%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
If you run Facebook Pixel, Google Ads remarketing, TikTok Pixel, or any behavioral advertising, the CPA's opt-out requirement applies to you. A passive cookie banner is not enough — Colorado requires you to honor Global Privacy Control (GPC) signals sent by the browser, and your opt-out link must use the standardized 'Your Privacy Choices' or equivalent language.
Penalties & enforcement
Enforced by the Colorado Attorney General. Penalties range from $2,000 to $20,000 per violation.
The cure period sunset on 2025-01-01 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Update your privacy policy to disclose the categories of personal data you collect and the purposes of processing
Add a 'Your Privacy Choices' link in the site footer
Implement an opt-out mechanism that disables targeted advertising and data sales
Configure your site to detect and honor Global Privacy Control (GPC) browser signals
Create a process to respond to consumer data requests (access, deletion, correction) within 45 days
Conduct data protection assessments for high-risk processing (targeted ads, sale of data, sensitive data)
Review vendor and processor agreements to include CPA-required data processing terms
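One way to implement the GPC and opt-out items above on the server, as an added example that is not code from this page or from any vendor. The tag list, purpose labels and function names are constructed for illustration, and treating a GPC signal as an opt-out of both targeted advertising and sale is an assumption drawn from the checklist wording.

```javascript
// Constructed sample tag inventory; names and purposes are illustrative only.
const TAGS = [
  { name: 'facebook-pixel', purpose: 'targeted_advertising' },
  { name: 'google-ads-remarketing', purpose: 'targeted_advertising' },
  { name: 'tiktok-pixel', purpose: 'targeted_advertising' },
  { name: 'data-broker-sync', purpose: 'sale' },   // hypothetical
  { name: 'cart-session', purpose: 'essential' },  // hypothetical
];

// Browsers with GPC enabled send the request header "Sec-GPC: 1" (and expose
// navigator.globalPrivacyControl to page scripts). Header names are matched
// case-insensitively; any value other than "1" is treated as no signal.
function hasGpcSignal(headers) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Merge the browser signal with a choice saved through the
// 'Your Privacy Choices' link. An opt-out from either source wins;
// the absence of GPC never re-enables tracking a consumer turned off.
function resolveOptOut(headers, stored = {}) {
  const gpc = hasGpcSignal(headers);
  const hasStored = stored.targetedAdvertising === true || stored.sale === true;
  return {
    targetedAdvertising: gpc || stored.targetedAdvertising === true,
    sale: gpc || stored.sale === true,
    source: gpc ? 'gpc' : hasStored ? 'stored' : 'none', // keep for audit logs
  };
}

// Decide server-side which tags reach the page, so opted-out tags are never
// sent to the browser instead of being loaded and then blocked.
function tagsToRender(optOut, tags = TAGS) {
  return tags
    .filter((t) => {
      if (t.purpose === 'targeted_advertising') return !optOut.targetedAdvertising;
      if (t.purpose === 'sale') return !optOut.sale;
      return true; // essential tags are unaffected by the opt-out
    })
    .map((t) => t.name);
}
```

Call `tagsToRender(resolveOptOut(req.headers, savedChoices))` when building each response, and log the `source` field so you can show which signal suppressed tracking.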
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.