
Policy Briefing — Colorado Privacy Act Signed

Comprehensive update on Colorado’s Consumer Privacy Act and Attorney General rules, detailing scope, consumer rights, universal opt-out mechanics, assessments, processor contracts, and practical implementation steps for controllers subject to SB21-190.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]

Colorado’s Consumer Privacy Act (CPA) was signed as SB21-190 on 7 July 2021 and became enforceable on 1 July 2023, expanding comprehensive privacy obligations to controllers that target Colorado residents and meet statutory thresholds. The law sits alongside California and Virginia’s regimes but contains Colorado-specific mechanics, including Attorney General (AG) rulemaking that prescribes detailed data minimization, consent, profiling opt-out, and universal opt-out mechanism (UOOM) duties. This briefing consolidates the statute and the AG’s March 15, 2023 rules into practical steps for compliance teams preparing for audits or regulator engagement.

Regulatory summary

Scope is defined by two numerical triggers: processing personal data of 100,000 or more Colorado consumers in a calendar year, or 25,000 or more if any revenue or discount is derived from the sale of personal data. Nonprofits are covered beginning 1 July 2025 through later amendments, while higher education institutions and state entities remain exempt. Employee and business-to-business data are excluded only where they qualify as “commercial employment records” or are collected purely for job-related administration; otherwise, the definition of “consumer” covers residents acting in an individual or household context. Controllers outside Colorado fall in scope if they conduct business in the state or intentionally target Colorado residents, mirroring the territorial reach defined in §6-1-1304 of the statute.

Colorado grants five core rights: access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and certain profiling. Requests must be authenticated and answered within 45 days, with a single 45-day extension where reasonably necessary. Denials require a reason and must activate an internal appeals process that is conspicuously available and responds within 45 days. Appeal denials must direct consumers to the AG, consistent with §6-1-1306(3). Consent must be freely given, specific, informed, and unambiguous, and the rules bar dark patterns, defaulted toggles, and vague bundled consents.

Data minimization and purpose limitation are central. The rules require controllers to collect only what is reasonably necessary and proportionate to the purposes disclosed at collection and to maintain a documented retention schedule. Sensitive data—including precise geolocation within a radius of 1,750 feet, children’s data, health, genetic, biometric, sexual orientation, citizenship, and protected classifications—requires opt-in consent; if a controller “infers” sensitive data, explicit consent is still required before using those inferences. Secondary use that is incompatible with the original purpose triggers fresh consent. Profiling that produces “legal or similarly significant effects” requires risk assessments, disclosures, opt-out mechanisms, and an explanation of the logic used to reach a decision when responding to consumer requests.

Universal opt-out mechanisms are a distinguishing feature. The AG must maintain a public list of approved signals, and controllers must honor them by 1 July 2024. The rules mandate that UOOMs be frictionless, not tied to user accounts, and evaluated against objective criteria such as default settings, scope of the signal, and whether identifiers enable respectful implementation. Controllers may perform limited authentication before applying a UOOM but cannot require the consumer to create an account. These requirements flow directly from §6-1-1306(1)(a)(IV) and Rule 5.07.

Enforcement is vested in the Colorado AG and district attorneys; there is no private right of action. The statute provides a 60-day right to cure until 1 January 2025, after which cure is discretionary. Penalties track the Colorado Consumer Protection Act, permitting civil penalties of up to $20,000 per violation, injunctive relief, and restitution. The AG has indicated in rulemaking materials that readiness to honor UOOMs, maintain assessments, and demonstrate data minimization will be early focus areas.

Sources: Colorado SB21-190; Colorado Attorney General, Adopted CPA Rules.

Required controls

Governance and data mapping. Controllers must maintain records sufficient to respond to consumer rights and to support data protection assessments. The rules expect a processing inventory that ties each processing purpose to collected data elements, legal bases (consent or opt-out), retention periods, and processor involvement. Inventory records should identify whether data is sensitive or used for profiling with significant effects, because those categories trigger heightened obligations.

Consumer request workflows. Controllers need at least two secure methods for submitting rights requests (web form and toll-free number are common). Identity verification must balance authentication with data minimization; controllers should avoid collecting additional sensitive identifiers unless necessary. Appeals processes must be clearly linked in initial denial responses, tracked, and result in written outcomes that include the ability to contact the AG. For data portability, controllers must provide a readily usable and transferable format once per year without charge.

Opt-out mechanisms. Controllers must provide a clear, easy-to-use opt-out interface for targeted advertising, sale, and profiling. Web-based toggles or “Your Privacy Choices” links are acceptable if prominent and persistent. Systems must detect and apply approved UOOM signals, respecting browser or device-level preferences without forcing account login. Where a controller believes a signal is fraudulent, it may conduct proportionate verification but cannot ignore the signal solely because it lacks full identity matching.

Consent management. Consent interfaces must avoid nudging and should separate unrelated purposes. Pre-checked boxes, vague statements such as “we may use your data to improve services,” and bundled consents are invalid. When relying on consent for processing children’s data (under 13), controllers must comply with the federal Children’s Online Privacy Protection Act, while for teenagers aged 13–15 the CPA requires opt-in for targeted advertising or sale. Controllers should log consent timestamps, purposes, and the interface version to evidence compliance.

Data protection assessments. Assessments are mandatory for processing that presents a heightened risk of harm, including targeted advertising, selling personal data, certain profiling, and processing sensitive data. The rules require assessments to describe processing operations, benefits, risks to consumers, mitigation measures, and safeguards. They must include a specific evaluation of how data minimization, secondary use restrictions, and deidentification are implemented. Assessments must be retained for at least three years after the completion of the high-risk processing or the conclusion of a product lifecycle, whichever is longer, and must be furnished to the AG upon request within 30 days.

Data minimization and retention schedules. Controllers must document retention periods for each category of personal data and justify those periods against the disclosed purposes. Sensitive data should default to the shortest feasible retention. The rules also require annual reviews of retention and deletion practices, along with role-based access controls and periodic access audits to ensure that only personnel with a need-to-know can view sensitive or inferred sensitive data.

Processor management. Contracts with processors must include instructions for processing, confidentiality obligations, deletion or return of data at the end of services, subprocessor approval and audit rights, and assistance with security and consumer request responses. Processors must flow down the same requirements to subprocessors, maintain records of processing activities, and notify controllers of any inability to comply. Controllers must exercise audit or assessment rights at least once annually or after material changes in processing.

Security controls. While the CPA does not prescribe specific technical measures, the AG rules incorporate generally accepted security principles: risk-based administrative, technical, and physical safeguards; encryption of personal data in transit and at rest where appropriate; vulnerability and patch management; intrusion detection; and incident response plans that include containment, notification, and remediation steps. Where profiling or automated decision-making is used, controllers should implement model governance controls, validation, and human review pathways to mitigate unfair outcomes.

Deidentified and pseudonymous data. Data that is deidentified must include technical measures to prevent reidentification, public commitments not to reidentify, and contractual controls prohibiting downstream recipients from attempting reidentification. Pseudonymous data can reduce obligations for certain requests, but only if controllers maintain technical and organizational controls that keep identifiers separate and avoid unauthorized linkage.

Implementation guidance

Prioritize universal opt-out readiness. Build or procure client-side and server-side detection for approved UOOM signals published by the AG. Map identifiers (cookies, device IDs, IP ranges, and account IDs) so that opt-out signals persist across sessions and devices. Document how conflicts between authenticated preferences and UOOMs are resolved, and test against the AG’s published technical evaluation criteria.
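The server-side half of that build-out, written here as an added example rather than code from the briefing or from any Colorado source: it detects an opt-out signal on an incoming request, links the identifiers seen together (cookie, device, account) into one consumer record so the opt-out persists across sessions and devices, and applies a documented precedence rule when a UOOM conflicts with an authenticated preference. Assumptions not taken from the briefing: the Global Privacy Control header `Sec-GPC: 1` stands in for an AG-approved signal, the in-memory registry stands in for a real preference store, timestamps are plain epoch seconds, and the conflict policy ("most recent choice wins; a continuing signal is not re-logged on every request, but a signal arriving after an authenticated opt-in overrides it") is one a controller would have to document and defend, not a rule quoted from the AG.

```python
import time
from dataclasses import dataclass, field

# The three opt-out purposes the CPA recognizes.
PURPOSES = ("targeted_advertising", "sale", "profiling")


@dataclass
class Choice:
    purpose: str
    opted_out: bool
    source: str          # "uoom" or "authenticated"
    recorded_at: float   # epoch seconds (constructed values in the demo)


@dataclass
class ConsumerRecord:
    identifiers: set     # e.g. {"cookie:c1", "device:d1", "account:42"}
    choices: list = field(default_factory=list)


class OptOutRegistry:
    """In-memory stand-in (assumption) for a preference store keyed by any identifier."""

    def __init__(self):
        self._records = []

    def _find(self, identifiers):
        # Every identifier seen together is linked into one record; records that
        # a new identifier set bridges are merged, so an opt-out recorded under a
        # cookie on one device follows the account to a second device.
        matched = [r for r in self._records if r.identifiers & identifiers]
        if not matched:
            rec = ConsumerRecord(set(identifiers))
            self._records.append(rec)
            return rec
        primary = matched[0]
        for other in matched[1:]:
            primary.identifiers |= other.identifiers
            primary.choices.extend(other.choices)
            self._records.remove(other)
        primary.identifiers |= identifiers
        return primary

    def latest(self, identifiers, purpose):
        rec = self._find(set(identifiers))
        relevant = [c for c in rec.choices if c.purpose == purpose]
        if not relevant:
            return None
        # Most recent choice wins; on a timestamp tie the opt-out prevails.
        return max(relevant, key=lambda c: (c.recorded_at, c.opted_out))

    def record(self, identifiers, choice):
        self._find(set(identifiers)).choices.append(choice)

    def is_opted_out(self, identifiers, purpose):
        latest = self.latest(identifiers, purpose)
        return bool(latest and latest.opted_out)


def detect_uoom(headers):
    """True when the request carries the GPC signal (assumed here to be an approved UOOM)."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"


def apply_request(headers, identifiers, registry, now=None):
    """Apply any UOOM on the request and return the effective decision per purpose.

    Assumed precedence policy: the signal is recorded as a fresh opt-out only when
    the latest choice on file for that purpose is not already an opt-out, so a
    signal present on every page view is logged once, while a signal arriving
    after an authenticated opt-in overrides that opt-in."""
    now = time.time() if now is None else now
    if detect_uoom(headers):
        for purpose in PURPOSES:
            if not registry.is_opted_out(identifiers, purpose):
                registry.record(identifiers, Choice(purpose, True, "uoom", now))
    return {p: registry.is_opted_out(identifiers, p) for p in PURPOSES}


if __name__ == "__main__":
    reg = OptOutRegistry()
    print(apply_request({"Sec-GPC": "1"}, ["cookie:c1", "account:42"], reg, now=1000))
    reg.record(["account:42"], Choice("targeted_advertising", False, "authenticated", 2000))
    print(apply_request({}, ["device:d1", "account:42"], reg, now=3000))
```

Each `Choice` keeps its source and timestamp, which is the record a controller would produce when asked how a conflict between a signal and an authenticated preference was resolved; the policy itself is the part to write down and test against the AG's evaluation criteria.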

Strengthen consent and notice design. Update privacy notices to match the rule requirements for specificity: list each processing purpose, categories of personal data, categories of sensitive data, sources, categories of recipients, retention periods, profiling activities with significant effects, and links to appeals instructions. When refreshing consent, use layered notices with concise just-in-time prompts for sensitive or unexpected processing. Run usability testing to ensure the absence of dark patterns.

Operationalize assessments. Integrate data protection assessments into product and vendor onboarding. Use structured templates aligned with Rule 8.06 to capture benefits, risks, safeguards, and residual risk rationales. Maintain a calendar to review assessments annually or upon material changes, and ensure the inventory of processing activities references the corresponding assessment IDs. Prepare executive summaries so they can be furnished rapidly if the AG requests them.

Embed retention and deletion controls. Configure systems to enforce the documented retention schedule, using lifecycle rules for cloud storage, database TTLs, and archival policies. Automate deletion or deidentification after the purpose is fulfilled. Maintain logs demonstrating deletion actions and periodic reviews, and include exceptions for litigation holds or regulatory retention where justified.
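A minimal retention engine that turns the documented schedule into enforceable actions, added here as an example and not taken from the briefing or from any controller's system: it validates that every category has a purpose and a justification on record, applies the schedule against records whose purpose has been fulfilled, deidentifies or deletes as the schedule says, carves out litigation holds and unmapped categories as logged exceptions, and returns the log that a reviewer would inspect. The schedule entries, record contents, day counter and the list of direct-identifier fields are all constructed for the example; a real deployment would drive the same logic from cloud lifecycle rules or database TTLs and write the log to durable storage.

```python
from dataclasses import dataclass, replace

# Fields treated as direct identifiers and stripped on deidentification (constructed list).
DIRECT_IDENTIFIER_FIELDS = {"email", "name", "ip", "device_id", "account_id"}


@dataclass(frozen=True)
class RetentionRule:
    category: str
    purpose: str           # the disclosed purpose the period is justified against
    retention_days: int    # counted from fulfilment of the purpose
    action: str            # "delete" or "deidentify"
    justification: str
    sensitive: bool = False


@dataclass
class Record:
    record_id: str
    category: str
    fulfilled_day: int     # day number on which the purpose was fulfilled (constructed)
    payload: dict
    legal_hold: bool = False


def validate_schedule(rules):
    """Return a list of problems; an empty list means the schedule is complete."""
    errors, seen = [], set()
    for r in rules:
        if r.category in seen:
            errors.append(f"{r.category}: duplicate rule")
        seen.add(r.category)
        if not r.purpose.strip():
            errors.append(f"{r.category}: purpose not documented")
        if not r.justification.strip():
            errors.append(f"{r.category}: retention period not justified")
        if r.retention_days <= 0:
            errors.append(f"{r.category}: retention_days must be positive")
        if r.action not in ("delete", "deidentify"):
            errors.append(f"{r.category}: unknown action {r.action!r}")
    return errors


def deidentify(payload):
    """Drop direct identifiers, keeping only the non-identifying fields."""
    return {k: v for k, v in payload.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def run_retention(records, rules, today):
    """Apply the schedule; return (records still held, action/exception log).

    Input records are not mutated; deidentified records are rebuilt with a new payload."""
    by_category = {r.category: r for r in rules}
    remaining, log = [], []

    def note(rec, action, reason):
        log.append({"day": today, "record_id": rec.record_id,
                    "category": rec.category, "action": action, "reason": reason})

    for rec in records:
        rule = by_category.get(rec.category)
        if rule is None:
            # No documented period: keep the data but surface it for review.
            note(rec, "no_rule", "category missing from retention schedule")
            remaining.append(rec)
        elif rec.legal_hold:
            note(rec, "retained_legal_hold", "litigation hold overrides schedule")
            remaining.append(rec)
        elif today - rec.fulfilled_day >= rule.retention_days:
            if rule.action == "delete":
                note(rec, "deleted", f"{rule.retention_days}d after purpose fulfilled")
            else:
                remaining.append(replace(rec, payload=deidentify(rec.payload)))
                note(rec, "deidentified", f"{rule.retention_days}d after purpose fulfilled")
        else:
            remaining.append(rec)   # still within the documented period
    return remaining, log


# Constructed schedule and records for the demonstration.
SCHEDULE = [
    RetentionRule("support_tickets", "customer support", 365, "delete",
                  "closed tickets are not needed for follow-up after one year"),
    RetentionRule("web_analytics", "site performance measurement", 90, "deidentify",
                  "only aggregate trends are needed after 90 days"),
    RetentionRule("precise_geolocation", "store locator", 7, "delete",
                  "location is only needed for the session's search", sensitive=True),
]

RECORDS = [
    Record("t-1", "support_tickets", 0, {"email": "a@example.com", "issue": "login"}),
    Record("t-2", "support_tickets", 300, {"email": "b@example.com", "issue": "billing"}),
    Record("a-1", "web_analytics", 10, {"ip": "198.51.100.7", "page": "/pricing"}),
    Record("g-1", "precise_geolocation", 1, {"account_id": "42", "lat": 39.74}, legal_hold=True),
    Record("x-1", "unmapped_category", 0, {"name": "C"}),
]

if __name__ == "__main__":
    print(validate_schedule(SCHEDULE))
    kept, actions = run_retention(RECORDS, SCHEDULE, today=400)
    for entry in actions:
        print(entry)
```

The log records exceptions as deliberately as it records deletions; a held record or an unmapped category that is silently kept is exactly the gap an annual review or an AG request for the retention schedule would expose.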

Enhance processor oversight. Standardize data processing agreement clauses to match CPA and rule requirements, including audit rights, subprocessor controls, and security expectations. Create a risk-tiering model for vendors, with enhanced assessments for processors handling sensitive data, profiling inputs, or large volumes. Document verification of corrective actions when audits or penetration tests reveal issues.

Train and test. Deliver role-specific training that covers Colorado-specific duties, including how to recognize UOOM signals, handle appeals, and flag incompatible secondary uses that require fresh consent. Conduct tabletop exercises that simulate AG inquiries about UOOM implementation, assessment production, or appeal handling to validate readiness.

Monitor regulatory updates. Track the AG’s periodic updates to the UOOM approval list and any guidance or enforcement actions. The AG’s rulemaking record notes that evidence of good-faith efforts and documented decision-making may mitigate penalties, so maintain version-controlled documentation of interpretations, design decisions, and remediation timelines.

Sources: Colorado SB21-190; Colorado Attorney General, Adopted CPA Rules.

