Colorado
Privacy Law Status
Comprehensive Privacy Law
Colorado has enacted a comprehensive data privacy law called the Colorado Privacy Act (CPA), which was signed into law by Governor Jared Polis on July 7, 2021[1][2]. The CPA makes Colorado the third state in the United States to establish comprehensive consumer privacy protections, following California and Virginia[1][3]. This law grants Colorado residents significant rights over their personal data and places obligations on businesses that collect and process personal information from state residents.
The Colorado Privacy Act is modeled closely after Virginia’s Consumer Data Protection Act but incorporates some additional provisions and borrows terminology from the European Union’s General Data Protection Regulation (GDPR)[1][4]. Unlike some other state privacy laws, the CPA does not include a private right of action, meaning individuals cannot sue companies directly for violations, and enforcement is handled exclusively by the Colorado Attorney General and district attorneys[1][4].
Legislative Activity
The Colorado Privacy Act originated as Senate Bill 21-190, which was titled “Protect Personal Data Privacy”[2][5]. The legislation passed through both chambers of the Colorado General Assembly with strong bipartisan support, with the House voting 57-7 in favor and the Senate passing it unanimously[1]. The bill was signed into law on July 7, 2021, and became effective on July 1, 2023[2][5].
Following the law’s enactment, the Colorado Attorney General’s Office was tasked with developing implementing rules and regulations[2]. The proposed draft rules were published by the Secretary of State on October 10, 2022, and the final rules were filed with the Secretary of State on March 15, 2023[2]. These rules provide detailed guidance on technical specifications for universal opt-out mechanisms and other implementation requirements[2][6].
Implementation Timeline
The Colorado Privacy Act went into full effect on July 1, 2023, with the Colorado Attorney General announcing the launch of enforcement efforts on July 12, 2023[2]. As part of the initial enforcement approach, the Attorney General’s Office began mailing educational letters to businesses to inform them about their new legal obligations under the law[2]. The enforcement strategy includes a business-friendly 60-day cure period that allows companies to address violations before facing penalties[4].
An important milestone occurred on July 1, 2024, when the universal opt-out mechanism became mandatory for covered businesses[3][7]. Prior to this date, companies had the option to implement such mechanisms, but they are now required to honor consumer opt-out requests made through universal tools like the Global Privacy Control[6][7].
Your Rights as a Colorado Resident
The Colorado Privacy Act grants residents comprehensive rights over their personal data, providing significant control over how businesses collect, use, and share personal information[2][6].
- Right to know what data is collected: You have the right to access information about what personal data a business has collected about you, including the categories of data, sources of collection, purposes for processing, and any third parties with whom the data is shared[2][6][7].
- Right to delete personal information: You can request that businesses delete personal data they have collected about you, and companies must respond to these requests within 45 days[3][2][6].
- Right to opt out of data sales: You have the right to opt out of the sale of your personal data, targeted advertising, and profiling that could produce legal or similarly significant effects[2][6][7]. This includes the ability to use universal opt-out mechanisms like browser settings that automatically communicate your privacy preferences[6][7].
- Right to correct inaccurate data: If you discover that a business has incorrect information about you, you can request corrections to ensure your personal data is accurate[3][2][6].
- Right to data portability: You can request a copy of your personal data in a portable, readily usable format, allowing you to transfer your information to other services[3][6].
- Right to non-discrimination: Businesses cannot discriminate against you or deny services for exercising your privacy rights under the Colorado Privacy Act[1][7].
- Special protections for sensitive data: Companies must obtain your explicit consent before processing sensitive personal data, which includes information about health or ethnicity, as well as children’s data[1][6][7].
These rights apply to personal data processing activities including targeted advertising, data sales, and certain types of profiling, giving Colorado residents meaningful control over their digital privacy[2][6].
Business Requirements
The Colorado Privacy Act establishes specific obligations for businesses that meet the law’s applicability thresholds, creating a framework of accountability for data processing activities[1][2].
- Which companies must comply: The law applies to businesses that conduct business in Colorado or deliver products/services targeted to Colorado residents and either control or process personal data of 100,000 or more consumers per year, or derive revenue from selling personal data and process data of 25,000 or more consumers[1][2][5]. The law excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act, air carriers under FAA regulation, and data governed by specific federal privacy laws like HIPAA[2].
- Notice and transparency requirements: Companies must provide clear, accessible privacy notices that disclose categories of personal data collected, processing purposes, consumer rights information, data sharing practices, and opt-out procedures[1][7]. Businesses must also specify express purposes for data collection and processing and implement data minimization practices[1][7].
- Consumer request response procedures: Businesses must respond to consumer requests for access, correction, deletion, or portability within 45 days and provide processes for consumers to appeal company decisions[3][6]. They must implement reasonable security measures to protect personal data and avoid processing data for purposes incompatible with original collection purposes without consumer consent[1][7].
- Security and assessment requirements: Companies must conduct data protection assessments for high-risk processing activities such as targeted advertising, profiling, data sales, or processing sensitive data[1][6][5]. They must implement reasonable administrative, technical, and physical safeguards to protect personal data and avoid discrimination in data processing practices[1][7].
- Universal opt-out compliance: Since July 1, 2024, businesses must honor universal opt-out mechanisms and cannot use dark patterns or manipulative design practices to obtain consumer consent[6][7].
Practical Impact
- How these laws protect residents in daily life: The Colorado Privacy Act provides tangible benefits for residents’ digital privacy by requiring businesses to be transparent about data practices, limiting unnecessary data collection, and giving consumers control over targeted advertising and data sales[2][7]. The law’s data minimization requirements mean companies can only collect information that is reasonably necessary for specified purposes, reducing the overall amount of personal data in circulation[1][7]. The universal opt-out mechanism allows residents to easily signal their privacy preferences across multiple websites and services[6][7].
- What to do if rights are violated: If you believe a business has violated your rights under the Colorado Privacy Act, you can file a complaint with the Colorado Attorney General’s Office through their website[2]. The Attorney General and district attorneys are responsible for enforcing the law, and violations are treated as deceptive trade practices[1][5]. However, the law includes a 60-day cure period, meaning businesses have an opportunity to address violations before facing penalties[4]. Colorado residents cannot file private lawsuits against companies for CPA violations, as the law does not include a private right of action[1][4].
- Limitations and gaps in protection: The Colorado Privacy Act has several limitations that residents should understand. The law only applies to businesses meeting specific thresholds, meaning smaller companies may not be covered[1][2]. Employment data and business-to-business information are permanently exempted from the law’s protections[4][8]. The 60-day cure period means enforcement action may be delayed, and the lack of a private right of action limits individual recourse options[1][4]. Additionally, the law’s enforcement relies on state resources, and its actual effectiveness will depend on the capacity and priorities of the Attorney General’s Office[2].
Comparison Context
- How Colorado compares to leading privacy states: Colorado’s privacy law is closely modeled after Virginia’s Consumer Data Protection Act but incorporates some elements from California’s approach[1][4][8]. Like Virginia, Colorado does not include a private right of action, permanently exempts employment data, and requires data protection assessments for high-risk processing[4][8]. However, Colorado has a longer 60-day cure period compared to Virginia’s 30-day period and higher maximum penalties of $20,000 per violation compared to $7,500 in California and Virginia[4]. Colorado’s definition of “sensitive data” is more limited than some other states, providing narrower protections for certain types of personal information[8].
- What residents might be missing compared to other states: Colorado residents lack the private right of action available to California consumers, meaning they cannot directly sue companies for privacy violations[1][4]. The state’s applicability thresholds are similar to Virginia’s but may exclude some businesses that would be covered under California’s broader revenue-based threshold[4]. Colorado’s permanent exemption for employment data means workers have fewer protections compared to California, where these exemptions are subject to periodic review[4]. The state also does not have a dedicated privacy protection agency like California, instead relying on the Attorney General’s existing consumer protection resources for enforcement[4].
Action Steps for Residents
- Immediate steps to protect privacy: Start by reviewing the privacy policies of websites and services you use regularly to understand what data they collect and how it’s used. Enable universal opt-out mechanisms in your web browser, such as the Global Privacy Control, which businesses must honor under Colorado law as of July 2024[6][7]. Be selective about the personal information you share online and consider using privacy-focused alternatives for email, search engines, and social media when possible.
- How to exercise legal rights: When you want to exercise your rights under the Colorado Privacy Act, contact businesses directly through their designated privacy contact methods, which should be clearly listed in their privacy policies[7]. Submit specific requests for data access, correction, deletion, or portability in writing and keep records of your communications[3][6]. If a business doesn’t respond within 45 days or denies your request, you can appeal their decision through their internal process[3][6]. For violations or unresponsive companies, file a complaint with the Colorado Attorney General’s Office through their official website[2].
- Resources for staying informed: Monitor the Colorado Attorney General’s website for updates on privacy law enforcement and guidance documents[2]. Follow legislative activity through the Colorado General Assembly website to track any proposed amendments or new privacy legislation[9]. Sign up for consumer protection alerts from the Attorney General’s Office to receive notifications about privacy-related enforcement actions and consumer advisories. Consider joining privacy advocacy organizations that track state-level privacy legislation and provide updates on consumer rights developments.
Official Resources and Contact Information
Colorado Attorney General – Privacy Law Enforcement
The Colorado Attorney General’s Office is the primary enforcement agency for the Colorado Privacy Act and provides official guidance on the law’s requirements[2]. You can file complaints about privacy violations and access educational resources through their dedicated privacy law webpage.
Colorado Attorney General’s Office
Phone: 720-508-6000
Address: 1300 Broadway, 10th Floor, Denver, CO 80203
Website: https://coag.gov/resources/colorado-privacy-act/
Consumer Protection Hotline: 800-222-4444
Colorado General Assembly
The Colorado General Assembly website provides access to current and proposed privacy legislation, allowing residents to track legislative activity and contact their representatives about privacy issues[9].
Colorado General Assembly
Website: https://leg.colorado.gov/
Find Your Legislator: https://leg.colorado.gov/FindMyLegislator
Contacting Your State Representatives
Colorado residents can contact their state senators and representatives to express views on privacy legislation and advocate for stronger consumer protections[10]. Use the General Assembly’s legislator finder tool to identify your specific representatives based on your address.
The legislator finder allows you to search by street address, representative district number, or senator district number to find contact information for your specific elected officials[9]. This is the most direct way to provide input on privacy policy matters at the state level.
Consumer Protection and Fraud Reporting
For broader consumer protection issues beyond privacy law violations, Colorado residents can contact various agencies depending on the nature of their complaint[11][12].
Colorado Department of Regulatory Agencies (DORA)
Phone: 303-894-7855
Website: https://www.colorado.gov/dora
Denver District Attorney Consumer Fraud Hotline
Phone: 720-913-9179
Address: 370 17th Street, Suite 5300, Denver, CO 80202
Filing Official Complaints
To submit questions or complaints specifically about the Colorado Privacy Act, use the Attorney General’s official submission process[10]. Note that the Colorado Privacy Act became enforceable on July 1, 2023, and complaints about business practices under this law should be directed to the Attorney General’s Office.
For records requests under Colorado’s Open Records Act (CORA), send requests directly to: cora.request@coag.gov[10].
Sources and Citations
Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.