Colorado Privacy Act (CPA)
Colorado's comprehensive privacy law — the third state after California and Virginia — notable for being the first to formally approve Global Privacy Control as a Universal Opt-Out Mechanism and for pairing with the Colorado AI Act.
Overview
The Colorado Privacy Act (CPA), codified at C.R.S. § 6-1-1301 et seq., became effective July 1, 2023. Enacted as SB 21-190, it made Colorado the third state to pass a comprehensive privacy law. The CPA is more protective than the VCDPA template it partially inherits: it requires recognition of Universal Opt-Out Mechanisms (UOOM), grants the Colorado AG robust rulemaking authority, and — together with the Colorado AI Act (SB 205, effective February 2026) — forms the most integrated privacy-plus-AI regulatory bundle in the country.
Applicability: the CPA covers entities that conduct business in Colorado or target products/services at Colorado residents and either (a) process data of 100,000+ consumers per year, or (b) process data of 25,000+ consumers AND derive any revenue from selling or licensing personal data (a lower bar than Virginia's 50% threshold).
Exemptions largely mirror VCDPA: HIPAA entities, GLBA-covered financial institutions, non-profits, higher-ed institutions, FCRA/DPPA/FERPA/Farm Credit Act data, employee and B2B data.
Consumer Rights
- Right to access — confirm processing and obtain copies
- Right to correct inaccuracies
- Right to delete personal data
- Right to data portability in a portable, usable, machine-readable format
- Right to opt out of sale, targeted advertising, and profiling producing legal or similarly significant effects
- Right to appeal a controller's denial
Sensitive data processing (race, religion, health diagnosis, sexual orientation, citizenship, genetic/biometric identifiers, minors under 13, and neural data per a 2024 amendment unique to Colorado and Minnesota) requires opt-in consent.
Compliance Requirements
Controllers must publish a conspicuous privacy notice, honor GPC-based opt-outs across the three Colorado-scoped purposes (sale, targeted advertising, profiling), execute processor contracts meeting § 6-1-1305, and conduct data protection assessments for any processing that presents heightened risk. The Colorado AG has published detailed DPIA regulations — templates and specific guidance — via rulemaking, which is unique among state AGs.
District Attorneys have concurrent enforcement authority with the AG, expanding the enforcement surface.
Cure Period + Enforcement
The Colorado AG and local DAs share enforcement authority. Penalties reach $20,000 per violation under the Colorado Consumer Protection Act — the highest penalty ceiling among non-California state privacy laws except Florida's. The original 60-day cure period expired on January 1, 2025. Cure is now discretionary; controllers cannot rely on it as safe harbor.
How Inori Addresses This
- Notice: src/content/legal/privacy.mdx v1.2 enumerates purposes and third parties and explicitly adopts a most-restrictive-default posture across states.
- GPC (mandatory in CO): middleware.ts:respectGpc reads Sec-GPC: 1, persists the preference for 12 months, disables PostHog and Sentry for the session, and echoes X-GPC-Honored: true back to the browser for verification.
- DSAR: /api/dsar handles access, correction, deletion, portability, and appeal intake within 30 days — well inside the 45-day CPA baseline.
- Hard purge: 90-day cron deletes tenant data after account closure, with a cryptographic audit-ledger entry remaining for record-of-processing purposes (Art. 30-style).
- Sensitive data: Inori does not collect sensitive categories, including neural data.
- Deferred: Formal CPA-scoped DPIA register and integration with the Colorado AI Act's impact-assessment obligations ship in a later sprint.
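The GPC handling described in the list above, written out as an added example; this is not Inori's middleware.ts. The cookie name gpc_optout, the 365-day reading of "12 months", the Vary header, the plain header map, and the choice to keep honoring a stored opt-out when the header is absent are all assumptions.

```typescript
// Added example; not Inori's middleware.ts. Cookie name and lifetime are assumptions.
type GpcDecision = {
  optedOut: boolean;        // covers sale, targeted advertising and profiling
  loadAnalytics: boolean;   // gate for PostHog/Sentry-style client scripts
  responseHeaders: Record<string, string>;
};

const OPT_OUT_COOKIE = "gpc_optout";         // hypothetical cookie name
const OPT_OUT_MAX_AGE = 365 * 24 * 60 * 60;  // "12 months" taken as 365 days, in seconds

// HTTP header names are case-insensitive, so compare in lower case.
function getHeader(headers: Record<string, string>, wanted: string): string | undefined {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted.toLowerCase()) return (headers[key] || "").trim();
  }
  return undefined;
}

// True when an earlier response already stored the opt-out.
function hasOptOutCookie(cookieHeader: string | undefined): boolean {
  if (!cookieHeader) return false;
  return cookieHeader.split(";").some((pair) => pair.trim() === OPT_OUT_COOKIE + "=1");
}

function respectGpc(requestHeaders: Record<string, string>): GpcDecision {
  // GPC defines a single valid value, "1"; any other value means no signal.
  const signal = getHeader(requestHeaders, "Sec-GPC") === "1";
  const persisted = hasOptOutCookie(getHeader(requestHeaders, "Cookie"));
  const optedOut = signal || persisted;

  // The response differs per signal, so shared caches must key on it.
  const responseHeaders: Record<string, string> = { Vary: "Sec-GPC, Cookie" };
  if (optedOut) responseHeaders["X-GPC-Honored"] = "true";
  if (signal) {
    // Refresh the stored preference each time the browser asserts the signal.
    responseHeaders["Set-Cookie"] =
      OPT_OUT_COOKIE + "=1; Max-Age=" + OPT_OUT_MAX_AGE + "; Path=/; Secure; HttpOnly; SameSite=Lax";
  }
  return { optedOut, loadAnalytics: !optedOut, responseHeaders };
}
```

The page template would consult loadAnalytics before emitting any analytics or error-reporting script tag, so the opt-out takes effect on the first response rather than after client-side code runs.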
Related Concepts
See CCPA/CPRA for the Californian baseline, VCDPA for the template Colorado extended, GPC for the UOOM signal Colorado formally approved, and sister laws CTDPA, OCPA, and MCDPA. DSAR describes the unified request pipeline.