Polsinelli PC


The following law(s) specifically govern personal data / information:

The Colorado Privacy Act (“CPA”) was signed into law on July 7, 2021 but will not be effective until July 1, 2023.


The key data protection principles in this jurisdiction are:

CPA provides a comprehensive consumer privacy law with key principles focusing on transparency, data minimization, and consumer rights over their data.


The supervisory authority / regulator in charge of data protection is:

The Colorado Attorney General.


Is there a requirement to register with a supervisory authority / regulator?

Not under CPA, but note commercial telesales operators that conduct business in Colorado must register with the Colorado Attorney General at least ten (10) days prior to conducting business in Colorado. The registration must include the conduct of the commercial telephone seller’s business and the personnel conducting the business. The registration is annual, and the fee shall not exceed $250.00.


Is there a requirement to notify the supervisory authority / regulator?



Is it possible to register with / notify the supervisory authority / regulator online?

For commercial telesales registration: https://coag.gov/licensing/telemarketing/#:~:text=This%20applies%20to%20any%20commercial,initial%20%24200%20telemarketing%20registration%20fee.


The key data subject rights under the data protection laws of this jurisdiction are:

  • Information and access rights
  • Data portability rights
  • Deletion rights
  • Opt out of sale of personal data and, in some cases, ability to opt out of all processing of personal data
  • Non-discrimination rights


Is there a requirement to appoint a data protection officer (or equivalent)?



Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes, in certain circumstances including if processing activities involve personal data that present a heightened risk of harm to Consumers, including processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data.


Does this jurisdiction have any specific data breach notification requirements?

Yes. In the event of a breach, data subjects must be notified within thirty (30) days of the determination of the breach. If over five hundred (500) Colorado residents require notification, the Colorado Attorney General must also be notified within thirty (30) days of determination that a breach occurred.


The following restrictions apply to the international transfer of personal data / information:



Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?


CPA applies to organizations that conduct business in Colorado OR intentionally target their products / services to Colorado individuals or households (“Consumers”) and that either (i) control or process personal data of more than 100,000 Consumers per calendar year, or (ii) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 Consumers.


The following rules specifically deal with marketing:

Yes, the Colorado Consumer Protection Act protects consumers from a wide range of deceptive and unfair practices, including: telemarketing fraud, unsolicited facsimiles, spam e-mails, and the “do-not-call” list.


Do different rules apply to business-to-business and business-to-consumer marketing?



The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):

Yes, the Colorado Consumer Protection Act protects consumers from a wide range of deceptive and unfair practices, including: telemarketing fraud, unsolicited facsimiles, spam e-mails, and the “do-not-call” list.


The following rules specifically deal with cookies:

Cookies are personal data under CPA, and collection of cookies must be disclosed in privacy notices. See also requirement above for data protection impact assessment where processing involves profiling or use of personal data for targeted advertising.


The consequences of non-compliance with data protection laws (including marketing laws) are:

Under the breach notification statute, the Colorado Attorney General may bring an action for direct economic damages or in equity for violations of the statute.

Under CPA, violations can incur a fine of $20,000 per violation.


In broad terms, are there any factors unique to your jurisdiction that you would advise a multinational to consider if it is processing personal data from individuals within your jurisdiction, without being located there?

Multinational companies doing business in Colorado may be subject to the territorial reach of CPA and could also be subject to Colorado’s breach notification statute in the event of a data breach incident.


Multinational organisations should be aware of the following upcoming data protection developments:



Need more information?
Contact a member firm:
Elizabeth (Liz) Harding