Skip to main content

Manage opt-outs easily for Colorado Privacy Act compliance

Implement an opt-out mechanism and generate a privacy policy to get started on your compliance with the Colorado Privacy Act.

Become CPA Compliant

14-day free trial Cancel anytime

colorado privacy act opt-out notice

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.
colorado privacy act effective date

Colorado Privacy Act (CPA) is a state-wide data privacy that places new obligations on how businesses process the personal data of consumers in Colorado and grants consumers’ rights including the right of a consumer to opt out of targeted advertising and sale of personal data. It is set to take effect on July 01, 2023.

CPA Compliance Checklist for Websites

  • Enable users to opt out of targeted advertising and the sale of personal data
  • Implement a universal opt-out mechanism by July 01, 2024
  • Review and update your privacy policy and cookie policy
  • Establish a method to help users make data subject access requests easily

Prepare for CPA Compliance with CookieYes

Implement opt-out requests

Colorado Privacy Act requires businesses to provide users with an easy mechanism to opt out of targeted advertising (including the use of third-party cookies), the sale of personal data and profiling.

With CookieYes you can

  • Display a clear and conspicuous opt-out notice on your website
  • Target the opt-out notice for US visitors alone.
  • Respect Global Privacy Control (GPC) signals from browsers

Automate consent management

Ensure that websites set third-party cookies only based on user preferences and secure continuous compliance with data privacy regulations.

With CookieYes you can

  • Scan your website for cookies against a 100,000+ cookie database
  • Schedule cookie scanning for up-to-date information on cookies
  • Record consent logs for proof of consent during audits

Generate a compliant privacy policy

Under the CPA, businesses should implement an accessible and clear privacy policy with disclosure on the data collected, the purpose of collection, how to exercise user rights and more.

With CookieYes you can

  • Use our pre-built, legally-compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Start your compliance with 
Colorado Privacy Act

Become CPA Compliant

14-day free trial Cancel anytime

Learn more about CPA and take the next
step towards compliance

What is Colorado Privacy Act?

Colorado Privacy Act (CPA) is a new data privacy law that grants residents of Colorado rights over their personal data and regulates how businesses can process their personal data. Colorado is the third US state to pass a comprehensive consumer privacy law after California and Virginia. 

The Act shares similarities with the privacy laws like CCPA (California), CPRA (California) and CPA (Colorado). The CPA was signed into law on July 8, 2021, and will take effect on July 1, 2023.

Who does CPA apply to?

Colorado Privacy Act (CPA) applies to any entity that:

  • Conducts business in Colorado and produces products or services that intentionally target the residents of the state and that either
    • Process the personal data of more than 100,000 individuals in any calendar year or 
    • Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals. 

Entities that are subject to HIPAA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act (FERPA) are excluded from the CPA.

What are consumer rights under CPA?

Right to access

The right to access the personal data a business has collected about them.

Right to correct

The right to correct any inaccuracy in their personal data.

Right to delete

The right to delete personal information that a business has collected from them.

Right to opt-out

The right to opt out of the processing of personal data for targeted advertising and the sale to third parties.

Right to data portability

The right to obtain a copy of their personal data in a portable format.

What is the penalty for non-compliance?

The Colorado Attorney General (AG) and/or Colorado District Attorneys have the enforcement authority in CPA. Any business that violates Colorado Privacy Act will be subject to fines of up to $2000 per violation. Violations are “measured per consumer and per transaction,” and the total penalties may not exceed $500,000.

FAQ on CPA Compliance

Colorado has a new data privacy law, namely, the Colorado Privacy Act (CPA) which was officially enacted on July 8, 2021. Colorado became the third US state (after California and Virginia) to pass a data privacy law to protect its residents. The CPA will go into effect on July 1, 2023. 

Personal data under the Colorado Privacy Act (CPA) is any “information that is linked or reasonably could be linked to an identified or identifiable individual”.

This can include information such as names, email addresses, physical addresses, identification numbers, IP addresses, and credit card information. 

The regulation doesn’t consider de-identified data and publicly available data as personal data. Other exemptions include employee data such as job applicant data, and personal data collected for commercial or B2B purposes.

The Colorado Privacy Act protects sensitive data as a separate category of personal data. Sensitive data includes personal data that could reveal the traits of a consumer. It includes data like race, sexual orientation, religious belief, citizenship or citizenship status genetic or biometric data and personal data from a child under the age of 13.

Colorado Attorney General (AG) and District Attorneys have exclusive authority to enforce the CPA. In case of a potential violation, the AG’s office will send a notice to the business and gives them 60 days from receipt of the notification to correct the violation. 

The Colorado Privacy Act exempts a wide range of organizations such as:

  • Colorado government bodies
  • Airlines
  • Public utility organizations
  • Higher education institutions
  • Consumer reporting agencies
  • Entities that process de-identified personal data
  • Entities that collect/process data for the purpose of Colorado health insurance law or employment records

Personal data that is already governed by various state and federal laws also fall outside of the scope of the Colorado Privacy Act. These include organizations that are covered by:

  • Children’s Online Privacy Protection Act (COPPA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)

Notably, Colorado Privacy Act does not exempt non-profits and charitable organizations from the scope of its application.

Here are some links you can refer to for additional reading:

Fast-track your CPA compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.

Become CPA Compliant

14-day free trial Cancel anytime