Polsinelli PC
What law(s) specifically govern personal data / information?
Yes.
The Colorado Privacy Act (“CPA”) is Colorado’s comprehensive data privacy law that was signed into law on July 7, 2021 and became effective on July 1, 2023.
Colorado’s Consumer Protection Act (Colo. Rev. Stat. §§6-1-101 to 6-1-1214) contains a number of key privacy protections focused on the confidentiality of Social Security numbers and protection/security of “personal identifying information.”
Colorado also has statutes that address:
- wiretapping and eavesdropping;
- confidentiality of medical records and health information;
- employee access to personnel files;
- employer access to employee social media accounts;
- sending spam e-mail communications and unsolicited advertisements via fax;
- making unsolicited telemarketing calls; and
- security breach notification.
What are the key data protection principles in this jurisdiction?
The CPA provides a comprehensive consumer privacy law with key principles focusing on transparency, data minimization, and consumer rights over their personal data.
What is the supervisory authority / regulator in charge of data protection?
The Colorado Attorney General.
Is there a requirement to register with a supervisory authority / regulator?
Commercial telesales operators that conduct business in Colorado must register with the Colorado Attorney General at least ten (10) days prior to conducting business in Colorado. The registration must include the conduct of the commercial telephone seller’s business and the personnel conducting the business. The registration is annual, and the fee shall not exceed USD$250.00.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
For commercial telesales registration:
https://coag.gov/licensing/telemarketing/#:~:text=This%20applies%20to%20any%20commercial,initial%20%24200%20telemarketing%20registration%20fee.
What are the key data subject rights under the data protection laws of this jurisdiction?
Under the CPA, individuals have the following rights:
- Right of access – the right to confirm whether a data controller is processing their personal data and to access such personal data.
- Right of data portability – the right to obtain personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance.
- Right of deletion – the right to delete their personal data.
- Right to opt out – the right to opt out of processing personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
- Non-discrimination – the right not to be discriminated against for exercising their rights.
- For children under 13, businesses must obtain verifiable parental consent before collecting, using, or sharing children’s personal data. Parents have the right to access, delete, or correct their child’s personal data and opt out of processing for marketing or profiling.
Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.
No.
Do the data protection laws in this jurisdiction have 'extra-territorial effect' (i.e. do they apply to organisations outside this jurisdiction)?
Yes, in certain circumstances including if processing activities involve personal data that present a heightened risk of harm to consumers, including processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data.
Data Breach Response Requirements
Yes. In the event of a breach, data subjects must be notified within thirty (30) days of the determination of the breach. If over five hundred (500) Colorado residents require notification, the Colorado Attorney General must also be notified within thirty (30) days of determination that a breach occurred.
Does your jurisdiction have specific circumstances where a data protection impact assessment is required?
No.
Does your jurisdiction have any specific data breach notification requirements? If so, please provide further details (for example, who needs to be notified (the supervisory authority / regulator and/or the data subject) and what is the time frame for doing so).
Yes. The CPA applies to organisations that conduct business in Colorado OR intentionally target their products / services to Colorado individuals or households and that either (i) control or process personal data of more than 100,000 consumers per calendar year, or (ii) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. Other statutes impacting data protection apply to businesses operating in Colorado.
Does your jurisdiction have any rules specifically dealing with marketing (including electronic marketing via emails and text messages)?
Yes, the Colorado Consumer Protection Act, No-Call List Act, and Spam Reduction Act protect consumers from a wide range of deceptive and unfair practices, including telemarketing fraud, unsolicited facsimiles, unsolicited telemarketing calls, and spam e-mails.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
Does your jurisdiction have any rules specifically dealing with cookies? If so, please provide further details (for example, is there a need to differentiate between the types of cookies used).
Yes. Data collected through cookies and similar tracking technologies is considered personal data under the CPA, and the collection of cookies must be disclosed in privacy notices. See also the requirement above for data protection impact assessments where processing involves profiling or the use of personal data for targeted advertising.
What are the consequences of non-compliance with data protection laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.
Under the breach notification statute, the Colorado Attorney General may bring an action for direct economic damages or in equity for violations of the statute.
Under the CPA, violations can incur a fine of USD$20,000 per violation.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Multinational companies doing business in Colorado may be subject to the territorial reach of the CPA and could also be subject to Colorado’s breach notification statute in the event of a data breach incident.
What upcoming data protection developments should multinational organisations be aware of?
No.