Colorado Privacy Law
Effective July 1, 2023

CPA — The Colorado Privacy Act

Colorado has the strongest state privacy enforcement in the country. CPA mandates universal opt-out recognition, penalties reach $20,000 per violation, both the Attorney General and District Attorneys can enforce, and the cure period expired in January 2025.

Max Per Violation: $20,000
Related Violation Cap: $500K
Day Response: 45
Effective Year: 2023

What Is CPA

Colorado built the strongest state privacy framework.

The Colorado Privacy Act (CPA) became effective on July 1, 2023. It stands apart from other state privacy laws in three significant ways: the highest per-violation penalties in the country ($20,000), mandatory recognition of universal opt-out mechanisms (UOOM) like Global Privacy Control since July 1, 2024, and dual enforcement authority — both the Attorney General and District Attorneys can bring enforcement actions.

CPA also has something few other state laws can claim: active public enforcement. The Colorado AG has brought enforcement actions, conducted industry-wide sweeps, and issued public penalties. This isn't theoretical law — it's being enforced.

Your rights under CPA

Right to Access
Confirm whether a controller processes your personal data and obtain the data in a portable format.
Right to Correct
Fix inaccurate personal data that a controller holds about you.
Right to Delete
Request deletion of personal data a controller has collected about you.
Right to Portability
Receive your personal data in a readily usable format you can share with another controller.
Right to Opt Out
Opt out of processing for targeted advertising, data sales, or profiling for significant decisions.
Universal Opt-Out
Use GPC to broadcast your opt-out preference to every covered controller automatically.

Who has to comply with CPA

CPA applies to any controller conducting business in Colorado or targeting Colorado residents AND meeting one of these thresholds:

Unlike Virginia's 50% revenue threshold, Colorado's second threshold applies to any revenue or discount derived from data sales — a broader test that pulls more entities into compliance.

The Universal Opt-Out Mandate — Colorado's signature feature

Since July 1, 2024, controllers subject to CPA must recognize and honor universal opt-out signals like Global Privacy Control (GPC). The Colorado AG maintains a public list of recognized UOOMs, and GPC is currently the only mechanism on that list.

GPC is a browser-level signal that automatically communicates a consumer's opt-out preference to every website visited. For consumers, this eliminates the friction of clicking individual "Do Not Sell" links on thousands of sites. For businesses, it's a compliance obligation — ignoring GPC signals has become Colorado's top enforcement priority.
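
One way a covered controller's server might honor the signal described above, as an added example (not code from the original page): it checks the `Sec-GPC: 1` request header defined by the GPC specification and drops sale and targeted-advertising tags when the signal is present. The function names, the stored-preference object and the tag list are assumptions made for illustration.

```javascript
// Added example: honoring a Global Privacy Control signal server-side.
// Sec-GPC is the request header defined by the GPC specification; the
// preference shape and tag list below are constructed for illustration.

// Return true when the request carries a GPC opt-out ("Sec-GPC: 1").
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue; // header names are case-insensitive
    // Repeated headers may arrive as an array or as a comma-joined string.
    const parts = [].concat(value).join(",").split(",").map((v) => v.trim());
    // Only the literal value "1" expresses the preference; anything else is ignored.
    if (parts.includes("1")) return true;
  }
  return false;
}

// Combine the signal with stored per-user choices. GPC can only restrict:
// it opts the user out of sale and targeted advertising, never back in.
function effectiveChoices(headers, stored) {
  const gpc = hasGpcSignal(headers);
  return {
    sale: stored.sale && !gpc,
    targetedAds: stored.targetedAds && !gpc,
    profiling: stored.profiling, // the page describes GPC as covering sale and targeted ads
    basis: gpc ? "gpc" : "stored-preference", // recorded so the decision can be audited
  };
}

// Keep only the tags whose purpose is still permitted for this request.
function permittedTags(tags, choices) {
  return tags.filter((t) => t.purpose === "essential" || choices[t.purpose] === true);
}

// Constructed sample data.
const TAGS = [
  { id: "session", purpose: "essential" },
  { id: "ad-exchange", purpose: "targetedAds" },
  { id: "data-partner", purpose: "sale" },
];
const STORED = { sale: true, targetedAds: true, profiling: true };

const withGpc = effectiveChoices({ "Sec-GPC": "1" }, STORED);
console.log(withGpc.basis, permittedTags(TAGS, withGpc).map((t) => t.id));
```

Evaluating the header on every request, rather than caching an earlier consent state, keeps a newly enabled browser setting from being overridden by a stale stored preference.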

🛡️ Exercise your CPA rights
Let Shield handle it for you.
Shield submits deletion requests and UOOM signals to 500+ data brokers, re-submits every 45 days, and tracks compliance. $4.99/month or $49/year.
Launching August 1, 2026
How It Compares

Colorado vs. California: the strictest two states

California and Colorado are widely regarded as the two strongest state privacy jurisdictions. California has more infrastructure (CPPA agency, DROP registry). Colorado has higher per-violation penalties and more immediate enforcement (no cure period since 2025).

| Feature | Colorado (CPA) | California (CCPA + SB362) |
| --- | --- | --- |
| Right to Delete | Yes, 45-day response | Yes, 45-day response |
| Centralized Delete Registry | No — per-controller requests | Yes — DROP (Aug 1, 2026) |
| Universal Opt-Out (GPC) | Required since July 2024 | Required |
| Enforcement Authority | AG + District Attorneys | CPPA (dedicated agency) |
| Max Civil Penalty | $20,000 per violation | $7,500 per intentional |
| Series of Violations Cap | $500,000 | None |
| Cure Period | Expired Jan 1, 2025 | Removed Jan 2023 |
| Private Right of Action | No | Limited (breach only) |

The pattern is clear: Colorado front-loaded enforcement. California built a dedicated privacy agency and created the DROP registry infrastructure. Colorado used its existing consumer protection framework, added universal opt-out, and made penalties sharp enough to get attention. Both approaches work — but Colorado gets there with less bureaucracy.

Enforcement in Action

Colorado has actually enforced CPA.

Unlike many state privacy laws where enforcement is theoretical, Colorado has brought real actions with real consequences. A few highlights from 2024-2025 enforcement activity:

Case Study 2025

$250,000 Penalty Against AdTech Company

The Colorado AG's first post-cure-period enforcement action targeted an advertising technology company that had been ignoring GPC signals from 500,000+ Colorado users. The $250,000 civil penalty sent a clear message: universal opt-out signals are legally binding, and Colorado will enforce that.

Enforcement Sweep 2025

15+ Companies Notified in GPC Compliance Sweep

The Colorado AG conducted a proactive enforcement sweep in September 2025 focused on universal opt-out compliance. Over 15 companies received non-compliance notices. The sweep was timed months before the January 1, 2025 cure period expiration — giving non-compliant businesses one final chance to fix issues before direct penalties became possible.

Rule Updates 2026

Department of Law Rule Amendments Take Effect July 1, 2026

New CPA rule amendments will clarify requirements from SB 24-041 (children's data) and SB 25-276, update universal opt-out technical specifications, and finalize biometric data provisions added by HB 24-1130. Expected additions include explicit examples of noncompliant cookie-banner dark patterns and a safe-harbor cookie-banner template.

The Honest Version

What CPA still doesn't give you

CPA is the strongest state privacy law in terms of enforcement, but it shares gaps with every state except California. Here's what CPA does not give Colorado residents:

That said, the combination of universal opt-out mandates, active enforcement, and $20K per-violation penalties makes CPA uniquely effective. If you're a Colorado resident whose data got sold without your consent, CPA gives you more meaningful recourse than Virginia or Texas law provides.

🛡️ Put your CPA rights on autopilot
Shield for Colorado residents.
500+ data brokers, universal opt-out signals, re-submitted every 45 days. Dark web monitoring + monthly privacy reports included.
Launching August 1, 2026
CPA · FAQ
Colorado privacy, explained.
Does CPA give me the right to delete my data?
Yes. CPA, effective July 1, 2023, grants Colorado residents the right to request deletion of personal data that a controller has collected about them. Controllers must respond within 45 days with one possible 45-day extension for complex cases.
What is a Universal Opt-Out Mechanism (UOOM)?
A UOOM is a browser-level or device-level signal that automatically communicates a consumer's opt-out preference to every website or app they interact with. Since July 1, 2024, CPA requires Colorado-covered controllers to honor UOOMs. Currently Global Privacy Control (GPC) is the only mechanism on the Colorado AG's recognized list. Install GPC via browser extension or native setting, and every covered site automatically treats you as opted-out from data sales and targeted advertising.
Who enforces CPA?
Both the Colorado Attorney General AND individual District Attorneys can enforce CPA. This is unique among state privacy laws — Virginia, Texas, and Oregon all restrict enforcement to the AG only. Dual enforcement means more cases, more consistent application, and more opportunities for Colorado residents' complaints to result in action.
What are CPA penalties?
Up to $20,000 per violation, with a $500,000 cap for a related series of violations. CPA violations are treated as deceptive trade practices under Colorado's Consumer Protection Act. The 2019 removal of the $500K total cap (via HB 19-1289) means there's no overall ceiling on penalties for widespread violations across many unrelated situations.
Why did Colorado's cure period expire?
CPA originally included a 60-day "right to cure" — if the AG or DA notified a business of a violation, the business had 60 days to fix it before penalties applied. This provision was statutorily set to sunset on January 1, 2025. It did, as scheduled. Since then, Colorado regulators can pursue enforcement actions directly, without first offering the opportunity to cure. This fundamentally shifted the compliance landscape.
What's the Colorado AI Act (CAIA)?
CAIA is Colorado's artificial intelligence law, signed May 17, 2024 and effective February 1, 2026 (with enforcement pushed to June 30, 2026 via SB 25-318). It's the first comprehensive state AI regulation in the U.S. and layers on top of CPA for "high-risk" AI systems, imposing new transparency, risk-assessment, and consumer notification duties. CAIA doesn't replace CPA — it adds additional obligations.
Can I opt out of targeted advertising AND data sales with one signal?
Yes, via UOOM/GPC. A single GPC signal is treated as opting out of both targeted advertising and the sale of personal data across all covered controllers. You don't have to submit separate opt-out requests for each category. This is one of CPA's most consumer-friendly features.
Will CPA be updated?
Yes. CPA continues to evolve. HB 24-1130 (effective July 1, 2025) expanded sensitive data to include biometric identifiers. SB 24-041 added stronger children's privacy protections. New rule amendments take effect July 1, 2026 covering cookie-banner dark patterns and universal opt-out technical specifications. Shield subscribers receive monthly updates on CPA enforcement and amendments.