Colorado Privacy Act

On July 1, 2023 the Colorado Privacy Act is due to come into effect.

Laws relating to privacy and data are changing.

Don’t get caught out

Let us help you prepare

Who does it impact?

Businesses that are based in Colorado or produce products or services aimed at Colorado residents and either:

  • Control or process personal data of at least 100,000 consumers per calendar year; or
  • Derive revenue from the sale of personal data and control or process personal data of at least 25,000 consumers

Unlike the CCPA or the VCDPA there is no minimum dollar value of business revenue.


  • Financial institutions that are subject to the Gramm-Leach-Bliley Act
  • Air carriers
  • National securities association
  • Personal data maintained by a public utility or authority only if the personal data is processed as authorized by state or federal laws
  • Personal data maintained by a Colorado institution of higher education, the state of Colorado, the judicial department of the state of Colorado or a county or municipality provided that the personal data is processed only as authorized by state of federal laws.

Consumer Rights

Any data about them held or processed by a controller.

Inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data.

Personal data collected about them.

Consumers have the right to obtain their personal data in a portable and, to a technically feasible extent, readily usable format that allows the consumer to transmit the data to another entity with hindrance.

Of the processing of their personal data for purposes of: targeted advertising; sale of personal data; or, profiling in furtherance of decisions that produce legal or similarly significant effects.


An entity that, alone or jointly with others, determines the purposes and means of processing personal data.


An entity that processes personal data on behalf of a controller.


The Colorado Attorney General is responsible for enforcing the Colorado Privacy Act. Violations of the CPA could result in civil penalties of $2,000, reaching a maximum of $500,000 for related violations.

cure period

Until January 1st, 2025 if a breach is discovered a controller will have 60 days to fix it before any action can be taken against them, this is the so-called “cure period”. After this date the Attorney General will be able to act without notice.

Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.

Colorado Attorney General Public Consultation on CPA Rules

The Colorado Attorney General's Office is asking for the public to provide feedback on the CPA rules and what they should look like.