Skip to content
Use promo code: at checkout for 20% Off 💐 with Optery's Spring into Spring Sale!
Sign In
Sign Up Free

Home / State Laws / Colorado

Colorado

💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.

Colorado's CPA gives you the right to opt out of data brokers.

See which sites have your data →
Passed Date July 7, 2021
Effective Date July 1, 2023
Law Text URL View law
Right to Know in Colorado Yes
Right to Delete in Colorado Yes
Right to Opt Out of Sales in Colorado Yes
Right to Correct in Colorado Yes
Right to Non-Discrimination in Colorado Yes
Authorized Agent in Colorado Limited (opt-out only)

What the CPA does for you

Under the Colorado Privacy Act (CPA), you have the right to know what personal data companies collect about you, access and correct that data, request its deletion, and get a portable copy. You can also opt out of the sale of your data, targeted advertising, and certain automated decision-making. The CPA applies to many businesses operating in Colorado that handle large amounts of consumer data.

Your rights under the CPA

Right to Know

You have the right to confirm whether a company is processing your personal data and to access a copy of that personal data.

Exceptions: Does not apply to de-identified data where linking to you would be unreasonably burdensome; Does not apply to pseudonymous data where identifying information is kept separately and protected; Second or subsequent requests within 12 months may incur a fee.

Source: C.R.S. § 6-1-1306(1)(b)

Right to Delete

You have the right to request that a company delete the personal data it holds about you.

Exceptions: Does not apply where the controller cannot associate the request with your personal data; Does not apply to data processed under legal exemptions such as HIPAA, FCRA, or Gramm-Leach-Bliley; Does not apply where retention is required by law.

Source: C.R.S. § 6-1-1306(1)(d)

Right to Correct

You have the right to correct inaccuracies in the personal data a company holds about you, taking into account the nature of the data and the purposes for which it is processed.

Exceptions: Does not apply to de-identified data where the controller cannot reasonably link the request to you.

Source: C.R.S. § 6-1-1306(1)(c)

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties for monetary or other valuable consideration. As of July 1, 2024, companies must also honor opt-outs submitted through a universal opt-out mechanism.

Exceptions: Does not apply to disclosures to processors acting on the controller's behalf; Does not apply to disclosures made to provide a product or service you requested; Does not apply to transfers to affiliates of the controller; Does not apply to transfers in connection with a merger or acquisition.

Source: C.R.S. § 6-1-1306(1)(a)(I)(B)

Right to Opt Out of Processing

You have the right to opt out of your personal data being used for targeted advertising — ads selected based on your activity tracked across different websites and apps over time.

Exceptions: Does not apply to ads based on your activity within the same company's own website or app; Does not apply to ads based on your current search query or page visit; Does not apply to processing solely to measure or report advertising performance.

Source: C.R.S. § 6-1-1306(1)(a)(I)(A)

Right to Opt Out of Automated Decisions

You have the right to opt out of profiling used to make automated decisions that have legal or similarly significant effects on you — such as decisions about credit, employment, housing, insurance, or healthcare.

Exceptions: Only applies to profiling used for decisions with legal or similarly significant effects; Does not apply to all forms of automated processing, only those affecting significant decisions.

Source: C.R.S. § 6-1-1306(1)(a)(I)(C)

Right to Data Portability

When you request access to your personal data, you can ask to receive it in a portable, machine-readable format so you can transfer it to another company. You can exercise this right up to twice per calendar year.

Exceptions: Limited to two requests per calendar year; Does not require disclosure of the controller's trade secrets; Must be technically feasible to provide in a readily usable format.

Source: C.R.S. § 6-1-1306(1)(e)

Right to Non-Discrimination

A company cannot penalize you for exercising your privacy rights by increasing prices or reducing service quality solely because you made a privacy rights request. However, companies may offer different prices or services in connection with voluntary loyalty programs.

Exceptions: Companies may offer different pricing as part of a bona fide loyalty, rewards, or club card program if you voluntarily participate; Companies are not required to provide a service that depends on personal data they do not collect.

Source: C.R.S. § 6-1-1308(1)(c)-(d)

Right to Limit Sensitive Data

Companies must get your consent before processing your sensitive personal data — including data about your race, ethnicity, religion, health, sexual orientation, citizenship status, biometrics, or genetic data. For data about children, parental consent is required.

Exceptions: Applies only to data qualifying as 'sensitive data' under the statute; HIPAA-covered health information is separately exempt from the CPA.

Source: C.R.S. § 6-1-1308(7)

How to exercise your rights

  1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
  2. Submit a CPA deletion or opt-out request. Covered businesses have 45 days to respond (C.R.S. § 6-1-1306(2)), with up to 45 additional days if they invoke the extension provision.
  3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The CPA mentions authorized agents only in the context of opt-out requests (Colo. Rev. Stat. § 6-1-1301 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The CPA is enforced by Colorado Attorney General and Colorado District Attorneys. Violations of the CPA are treated as deceptive trade practices. The Colorado Attorney General and district attorneys can bring enforcement actions, seek injunctions, and impose civil penalties. Before January 1, 2025, businesses had 60 days to cure a violation after receiving notice. After that date, there is no automatic cure period.

Who does the CPA apply to?

The CPA applies to businesses that conduct business in Colorado or target products/services to Colorado residents, and that either (1) control or process personal data of 100,000 or more consumers per year, or (2) earn revenue or receive discounts from selling personal data and process personal data of 25,000 or more consumers. Individuals acting in a personal or household context are not covered, nor are employees acting in their employment capacity. Several types of data are exempt, including HIPAA-protected health information, financial data governed by Gramm-Leach-Bliley, and data covered by FERPA.

Frequently asked questions

Who does the Colorado Privacy Act apply to?

The CPA applies to businesses that conduct business in Colorado or target their products or services to Colorado residents, and that either process personal data of 100,000 or more consumers per year, or earn revenue from selling personal data and process data of 25,000 or more consumers (C.R.S. § 6-1-1304(1)). It does not apply to individuals acting in a personal capacity or to employees acting in an employment context.

How do I submit a privacy rights request under the CPA?

You can submit a request using the methods described in the company's privacy notice (C.R.S. § 6-1-1306(1)). You do not need to create a new account, but a company may require you to use an existing account. The company must verify your identity using commercially reasonable means before fulfilling your request.

How long does a company have to respond to my request?

Companies must respond to your privacy rights request within 45 days of receiving it (C.R.S. § 6-1-1306(2)(a)). They may extend this by an additional 45 days if reasonably necessary, but must notify you of the extension and the reasons for it within the initial 45-day period.

Can I use someone else to make a privacy request on my behalf?

You can authorize another person — including through a browser setting or global device opt-out mechanism — to opt out of the sale of your personal data or targeted advertising on your behalf (C.R.S. § 6-1-1306(1)(a)(II)). However, the CPA's authorized agent right is expressly limited to opt-out requests; it does not explicitly extend to deletion or access requests submitted by an agent.

What happens if a company violates the Colorado Privacy Act?

Only the Colorado Attorney General and district attorneys can enforce the CPA — there is no private right of action, meaning you cannot personally sue a company for violations (C.R.S. § 6-1-1310(1)). Violations are treated as deceptive trade practices, and the AG or district attorneys can seek injunctions and civil penalties.

Official resources

Ready to safeguard your personal data?

Join the movement of people strengthening their privacy
Sign Up Free