Colorado Privacy

Colorado Finalizes Consumer Privacy Act Regulations

States continue to move forward in promulgating consumer data privacy laws and accompanying regulations. Currently there are five states with comprehensive laws on their books, and Iowa is now poised to become the sixth. Both chambers of the Iowa State Legislature unanimously voted to approve Senate File 262. Businesses have wisely anticipated the various new regulations and are (or should be) making changes to their consumer data protection practices to comply with these laws. It is important to understand that each jurisdiction’s provisions are nuanced and do not necessarily impose the same or similar restrictions as those of other states. For example, in 2021, Governor Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy, establishing the Colorado Privacy Act (“CPA”). The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules (“Rules”). These Rules have now been approved and will go into effect on July 1, 2023. Entities will be required to comply with the Rules as of the first of July.

Colorado Privacy Act Explained

Like other states, Colorado has enacted a comprehensive regulatory data privacy measure. The simplified purpose of the law is to protect the personal data privacy of Colorado State residents when they act in an individual or household context, but not in a commercial or employment context. The associated new rules operate to further this aim. The CPA enables consumers to better understand what personal data businesses collect, share, and sell, and how that data is used. Under the statute, Colorado consumers will have the following personal data privacy rights:

  • The right to opt-out from the sale of their personal data, or use of this data for targeted advertising and certain types of profiling;
  • The right to know whether a business is collecting personal data;
  • The right to access personal data that a business has collected about them;
  • The right to correct personal data;
  • The right to delete personal data; and
  • The right to download and remove personal data from a platform in a format that allows the transfer to another platform.

How Do the New Rules Impact Colorado Privacy Act Compliance?

Among many other provisions, the Rules include definitions of fundamental terms, such as: controller, data broker, opt-out purpose, and universal opt-out mechanism. Under the Rules, the purpose of a universal opt-out mechanism is to provide consumers with a simple and easy to-use method by which to automatically exercise their opt-out rights with all businesses that they interact with, without having to submit individualized requests to each one. The Rules include extensive provisions explaining how companies should comply with the required opt-out mechanisms. While these provisions are certainly helpful from a consumer’s point of view, they require businesses to pay close attention to how they manage opt-out requests. Another significant aspect of these Rules concerns privacy policy changes. Of note, companies are required to notify consumers of material changes to their privacy policies. There is no question that these Rules and other state privacy laws are specific and comprehensive in scope. 

Colorado Privacy Act: Who, How, and When?  

The law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado; AND either:

  • Process the personal data of more than 100,000 Colorado State residents in any calendar year; or
  • Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more Colorado State residents.

The Colorado Attorney General’s Office and the State’s district attorneys have exclusive enforcement power granted by the CPA. The Attorney General’s Office also has rulemaking authority under the law. Please note that there is no private right of action under the CPA. As mentioned above, the CPA goes into effect on July 1, 2023

How to Make Sense of Colorado’s New Privacy Law

We cannot stress enough the importance of sorting through each states’ consumer data privacy laws to ensure that your business is compliant with these regulations. As a law firm with extensive experience in the industry, Klein Moynihan Turco is working to ensure that businesses are, and remain, compliant as data privacy laws continue to evolve. In order to make sense of the patchwork of state regulations, the best course of action is to reach out to an experienced data privacy attorney

If you need assistance with Colorado data privacy compliance, please email us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Photo by Markus Spiske on Unsplash

Related Blog Posts:

More Revisions To The Draft Rules Of The Colorado Privacy Act

State Privacy Laws In 2023: Are Your Privacy Practices Compliant?

How Does The Colorado Privacy Law Compare To The CCPA?


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

data CIPA law Swigert law consumer protection data on cumputer screen

Swigart Law Group CIPA Demands

Readers of this blog likely know about the wave of consumer privacy litigation directed at online companies’ collection of consumer data. A litany of these

Read More »