CPA

Colorado Privacy Act

Key Facts

Effective Date
July 1, 2023
Enacted
July 7, 2021
Enforcing Authority
Colorado Attorney General; District Attorneys
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
Entities in CO or targeting CO residents: 100,000+ consumers OR 25,000+ consumers and revenue from selling PI

Overview

The Colorado Privacy Act features the highest per-violation penalties among US state privacy laws ($20,000) and mandatory GPC signal honoring since July 2024. Colorado participated in a joint GPC enforcement sweep with California and Connecticut in September 2025, signaling aggressive enforcement.

What This Means for Your Website

  • GPC (Global Privacy Control) signals must be honored since July 2024
  • Opt-in consent is required for sensitive data processing
  • The cure period was eliminated in January 2025 — the AG can take immediate action
  • Penalties are $2,000-$20,000 per violation, the highest among US states
  • October 2025 amendments add a duty of care for minors under 18 with no processing thresholds
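The first bullet above is the one item on this list a website implements in code. The following is an added example, not ConsentStack's own code, showing how a Global Privacy Control signal is read and how it maps onto the CPA's model as the page describes it: GPC is a valid opt-out from sale and targeted advertising, while sensitive data still needs an affirmative opt-in that a GPC signal cannot supply. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the two real carriers of the signal; the request object, the `explicitChoices` shape and the sample requests are constructed for the example, and it assumes the visitor has already been identified as a Colorado resident by other means.

```javascript
// Added example, not ConsentStack's code. Decides a Colorado visitor's consent
// state from a Global Privacy Control (GPC) signal under the CPA's model:
// opt-out for sale of personal data and targeted advertising, opt-in for
// sensitive data. Assumes the visitor has already been identified as a
// Colorado resident (geolocation is out of scope here).

// Case-insensitive header lookup. `req.headers` is a constructed stand-in for
// the header map a server framework exposes (Express, for instance, lowercases keys).
function readHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// GPC is exposed two ways: the `Sec-GPC: 1` request header on the server side
// and `navigator.globalPrivacyControl === true` in the browser. Either one
// counts; absence of both means no universal opt-out was sent.
function gpcSignalled(req, nav) {
  const header = readHeader(req && req.headers, 'Sec-GPC');
  const headerOn = header !== undefined && String(header).trim() === '1';
  const flagOn = Boolean(nav && nav.globalPrivacyControl === true);
  return headerOn || flagOn;
}

// explicitChoices (constructed shape) is what the visitor affirmatively chose
// in a consent UI: { optOut: boolean, sensitiveOptIn: boolean }. Missing keys
// mean "no choice made".
function coloradoConsentState(req, nav, explicitChoices = {}) {
  const gpc = gpcSignalled(req, nav);
  // A GPC signal is a valid opt-out; an explicit opt-out has the same effect.
  const optedOut = gpc || explicitChoices.optOut === true;
  return {
    gpc,
    // Opt-out model: permitted until the visitor opts out.
    saleOfPersonalData: !optedOut,
    targetedAdvertising: !optedOut,
    // Opt-in model: never permitted without an affirmative choice, and a GPC
    // signal cannot supply that choice.
    sensitiveData: explicitChoices.sensitiveOptIn === true,
  };
}

// Constructed sample requests for a local run.
const SAMPLE_GPC_REQUEST = { headers: { host: 'example.test', 'sec-gpc': '1' } };
const SAMPLE_PLAIN_REQUEST = { headers: { host: 'example.test' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(coloradoConsentState(SAMPLE_GPC_REQUEST, undefined));
  console.log(coloradoConsentState(SAMPLE_PLAIN_REQUEST, { globalPrivacyControl: true }));
  console.log(coloradoConsentState(SAMPLE_PLAIN_REQUEST, undefined, { sensitiveOptIn: true }));
}
```

The design point worth noting is the asymmetry: the signal can only remove permissions, never grant them. A tag manager or consent platform that treats "no GPC header" as consent for sensitive-data processing would be applying the opt-out model to a category the page says is opt-in.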

Key Requirements

The Colorado AG and District Attorneys enforce the CPA. Consumer requests must be fulfilled within 45 days. The September 2025 joint GPC enforcement sweep with California and Connecticut demonstrates multi-state coordination on privacy enforcement. Biometric data processors are covered regardless of thresholds since July 2025.

How ConsentStack Handles This

ConsentStack detects Colorado visitors, honors GPC signals automatically, and applies the opt-out model with opt-in for sensitive data. The platform ensures compliance with the strictest US state penalty structure.

Penalties

$2,000-$20,000 per violation (treated as deceptive trade practices).

Maximum Fine
$20,000 per violation

Key Requirements

  • Honor GPC/universal opt-out signals since July 2024
  • Opt-in consent for sensitive data processing
  • Data protection assessments required
  • Right to access, correct, delete, port, and opt out
  • Data minimization obligations

Notable Provisions

  • Highest per-violation penalty ($20,000) among US states
  • Cure period eliminated January 2025
  • Joint GPC sweep with CA and CT September 2025
  • Biometric and minor protection expansions in 2025 remove thresholds

US State Specifics

Private Right of Action
No
Global Opt-out Required
Yes
Sensitive Data Opt-in
Yes
Children Provisions
Under 13 data is sensitive (opt-in). October 2025: duty of care for minors under 18 with no processing thresholds.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

What makes Colorado's privacy law unique?

Colorado has the highest per-violation penalties ($20,000) among US states, mandatory GPC signal honoring, and participated in a multi-state GPC enforcement sweep in September 2025.

Must websites honor GPC signals in Colorado?

Yes, since July 2024. ConsentStack automatically detects and honors GPC signals for Colorado visitors.

Does Colorado have a cure period?

Not anymore. The 60-day mandatory cure period was eliminated January 1, 2025. The AG now has discretion on enforcement.

What are the Colorado CPA penalties?

$2,000-$20,000 per violation, treated as deceptive trade practices — the highest among US state privacy laws.

Stay compliant with CPA

ConsentStack helps you implement opt-out consent for Colorado, United States automatically.