Colorado CPA
Colorado Privacy Act
The Colorado Privacy Act (CPA) is a comprehensive consumer privacy law, effective 1 July 2023, that grants Colorado residents rights over their personal data and requires controllers to honor a universal opt-out mechanism for the sale of personal data and targeted advertising (mandatory since 1 July 2024). It treats biometric data processed to uniquely identify a person as sensitive data requiring opt-in consent, and a 2024 amendment (HB 24-1130, effective 1 July 2025) added detailed obligations for biometric identifiers.
Who it applies to
Controllers that conduct business in Colorado or deliberately target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers while deriving revenue or receiving a discount from selling personal data. The biometric-identifier provisions added by HB 24-1130 apply to controllers that collect biometric identifiers regardless of these thresholds.
Identity requirements
- Obtain consent before processing sensitive data, including biometric data processed to uniquely identify an individual
- Recognize and honor a universal opt-out mechanism for sale and targeted advertising (required since 1 July 2024)
- Under HB 24-1130, provide a biometric data policy and obtain consent before collecting biometric identifiers, with limits on selling or disclosing them
- Honor consumer rights to access, correct, delete, and port personal data, and to opt out of sale, targeted advertising, and certain profiling
- Conduct and document data protection assessments for processing that presents heightened risk, including sensitive data
- Provide a clear privacy notice and apply data minimization and reasonable security safeguards
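The universal opt-out obligation is the one item in this list that lands directly on engineering. The mechanism the Colorado Attorney General recognizes is Global Privacy Control (GPC), which a browser or extension sends as the request header `Sec-GPC: 1`; the GPC specification also lets a site declare support at `/.well-known/gpc.json`. The following Python is an added example, not code from the page or from any Colorado authority: it detects a valid signal, applies it only to the two processing activities the CPA ties to the universal opt-out (sale and targeted advertising), and leaves any opt-out the consumer set another way untouched. The `ConsumerPreferences` record and the `decide_processing` helper are hypothetical names for whatever preference store a real CIAM system uses.

```python
"""Honoring a universal opt-out signal (GPC) under the Colorado Privacy Act.

Added example. Assumes the signal is Global Privacy Control, carried as the
HTTP request header ``Sec-GPC: 1``. The preference model below is hypothetical.
"""
from dataclasses import dataclass, field
import json

GPC_HEADER = "sec-gpc"  # header names are case-insensitive; compare lowercased


def gpc_opt_out_requested(headers: dict) -> bool:
    """Return True only if the request carries a valid GPC signal.

    The GPC spec defines "1" as the only valid value. Any other value, or a
    missing header, is treated as "no signal", never as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPreferences:
    """Hypothetical per-consumer opt-out record kept by the identity system."""
    consumer_id: str
    opt_out_sale: bool = False
    opt_out_targeted_ads: bool = False
    sources: list = field(default_factory=list)  # audit trail of how each flag was set


def apply_universal_opt_out(prefs: ConsumerPreferences, headers: dict) -> ConsumerPreferences:
    """Apply a GPC signal to the CPA's two universal-opt-out activities.

    Idempotent: a repeated signal does not duplicate the audit entry, and the
    absence of a signal never clears an opt-out recorded earlier.
    """
    if gpc_opt_out_requested(headers):
        prefs.opt_out_sale = True
        prefs.opt_out_targeted_ads = True
        if "gpc" not in prefs.sources:
            prefs.sources.append("gpc")
    return prefs


def decide_processing(prefs: ConsumerPreferences) -> dict:
    """Gate each processing activity on the consumer's recorded preferences.

    Service-necessary processing (login, fraud prevention) is not affected by
    a universal opt-out; only sale and targeted advertising are.
    """
    return {
        "sell_personal_data": not prefs.opt_out_sale,
        "targeted_advertising": not prefs.opt_out_targeted_ads,
        "service_necessary": True,
    }


def gpc_support_resource() -> str:
    """Body to serve at /.well-known/gpc.json declaring GPC support."""
    return json.dumps({"gpc": True, "lastUpdate": "2025-07-01"})


if __name__ == "__main__":
    # Constructed sample requests; real headers come from the HTTP layer.
    with_signal = {"Host": "example.test", "Sec-GPC": "1"}
    without_signal = {"Host": "example.test", "Accept": "text/html"}

    p = apply_universal_opt_out(ConsumerPreferences("c-001"), with_signal)
    print(decide_processing(p))          # sale and targeted ads blocked

    # A consumer who opted out via a web form keeps that opt-out when a later
    # request arrives without the header.
    q = ConsumerPreferences("c-002", opt_out_sale=True, sources=["web_form"])
    q = apply_universal_opt_out(q, without_signal)
    print(decide_processing(q))          # sale still blocked, ads still allowed
    print(gpc_support_resource())
```

Note the deliberate asymmetry: the signal can only turn opt-outs on. Treating a missing or malformed header as an opt-in would convert a privacy control into a consent-harvesting mechanism, which the CPA's consent requirements do not permit.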
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent is required before processing biometric data used to identify a person, and HB 24-1130 adds explicit biometric consent and policy duties. |
| Identity verification (KYC/proofing) | Biometric identity proofing of Colorado residents falls within sensitive-data and biometric-identifier obligations. |
| Identity governance (IGA) | Access, correction, deletion, and universal opt-out rights require governed handling of consumer identity records and preferences. |
| Audit, logging & accountability | Controllers must perform and retain data protection assessments for heightened-risk and sensitive-data processing. |
Penalties
Violations are deceptive trade practices under the Colorado Consumer Protection Act, enforceable by the Attorney General or district attorneys, with civil penalties of up to 20,000 dollars per violation. The 60-day right-to-cure period expired on 1 January 2025, and there is no private right of action.
Colorado CPA: frequently asked questions
- Does the Colorado Privacy Act require honoring a universal opt-out?
- Yes. Since 1 July 2024 controllers must recognize a universal opt-out mechanism that lets consumers opt out of the sale of personal data and targeted advertising through a single browser- or device-level signal; Global Privacy Control (GPC) is the mechanism recognized by the Colorado Attorney General.
- What did HB 24-1130 add for biometric data?
- Effective 1 July 2025, it added specific obligations for biometric identifiers, including a required biometric data policy, consent before collection, and limits on selling or disclosing them.
- Who enforces the Colorado Privacy Act?
- The Colorado Attorney General and district attorneys enforce the CPA. There is no private right of action.