The Colorado Privacy Act (CPA) became effective on July 1, 2023, and Attorney General Phil Weiser did not waste time. Within two weeks of the law’s effective date, the Colorado AG’s office sent enforcement letters to businesses, signaling that Colorado is prepared to actively enforce the state’s new comprehensive privacy law.
Overview of the Colorado Privacy Act
The CPA applies to controllers that:
- During a calendar year, control or process the personal data of at least 100,000 Colorado consumers; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 Colorado consumers.
Key Consumer Rights Under the CPA
Colorado consumers have the right to:
- Know: Access their personal data and obtain a list of the categories of third parties to whom data has been disclosed
- Delete: Request deletion of their personal data
- Correct: Request correction of inaccurate personal data
- Portability: Obtain their data in a portable format
- Opt-Out: Opt out of targeted advertising, the sale of personal data, and profiling
Sensitive Data
Controllers must obtain consent before processing sensitive personal data, which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental/physical health conditions, sex life or sexual orientation, immigration status
- Genetic or biometric data
- Personal data from a known child
Enforcement
The Colorado AG has exclusive enforcement authority. There is a 60-day cure period: controllers have 60 days to cure alleged violations after receiving written notice from the AG. Civil penalties can reach up to $20,000 per violation.
Takeaways
The Colorado AG’s rapid enforcement action serves as a clear signal to businesses: compliance with state privacy laws is expected from day one. Organizations subject to the CPA that have not yet achieved compliance should prioritize doing so. For a step-by-step compliance framework applicable across multiple state privacy laws, see our earlier post, Winter Is Coming: 10 Steps Organizations Should Be Taking Now.
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.