The Colorado Privacy Act (CPA) is a comprehensive state privacy law that governs how businesses collect, use, and share personal data from Colorado residents, enhancing transparency and consumer control over personal information.
The Colorado Privacy Act (CPA) establishes privacy rights for residents of Colorado and applies to organizations that process personal data of at least 100,000 consumers annually or derive revenue from selling personal data.
Enacted in 2021 and effective as of July 1, 2023, the CPA aligns closely with other U.S. state privacy laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
It grants consumers rights to access, correct, delete, and opt out of data processing for targeted advertising and data sales, while requiring businesses to maintain transparent privacy notices and perform data protection assessments.
The CPA reinforces consumer trust by providing individuals with control over their data and ensuring accountability for organizations that process it.
For businesses, it introduces obligations for consent management, data minimization, and risk assessments similar to the General Data Protection Regulation (GDPR).
The Colorado Attorney General enforces the law, and noncompliance may result in significant fines or penalties. Implementing compliant data governance practices is critical for organizations operating in multiple U.S. states.
OneTrust enables organizations to operationalize compliance with the Colorado Privacy Act (CPA) by automating consumer rights requests, data protection assessments, and consent management. The platform centralizes compliance workflows and provides audit-ready evidence to ensure alignment with state and global privacy laws.
The CPA applies to businesses operating in Colorado that process personal data of 100,000 or more consumers annually or derive revenue from the sale of personal data.
Consumers can access, correct, delete, and opt out of data processing for targeted advertising, data sales, or profiling.
While the Colorado Privacy Act (CPA) mirrors many requirements of the CCPA and GDPR, it emphasizes data protection assessments and opt-out mechanisms rather than universal consent models.