Colorado Data Privacy Laws

In 2021, Colorado became the third state to pass broad consumer privacy legislation, aiming to protect consumers’ personal information from unauthorized access, use, and sales. The state enacted the Colorado Privacy Act (CPA) as part of Colorado’s Consumer Protection Act, and it went into effect on July 1, 2023. This act grants Colorado consumers new rights regarding personal data, including the right to access, delete, or correct collected data, as well as the right to opt out of the sale of their data or its use for targeted advertising and profiling.

Colorado data privacy laws also protect consumers and their data from data breaches, which involve the unauthorized access of personal or sensitive information. The law regulates when and how companies and other entities must notify users of a breach.

Understanding Your Rights Under Colorado Data Privacy Laws

Colorado has become a national leader in consumer protection with the passage of the Colorado Privacy Act in 2021, joining California and Virginia as states with broad privacy protections. In 2025, new amendments to the CPA gave minors in the state even further protections.

Under the Colorado Privacy Act (CPA), covered entities must give Colorado residents meaningful information about the collection and use of their data, conduct data protection assessments, and obtain consent before processing sensitive personal data. The CPA protects residents’ personal data when acting in an individual or household context, like when browsing

Colorado Data Privacy Laws

Modern privacy protections in Colorado give consumers the right to “opt out” of data collection, sales, and usage for advertising. On July 1, 2024, data controllers were required to begin accepting opt-out requests through universal opt-out mechanisms and must respond to consumer requests within 45 days.

The Colorado Privacy Act (CPA) Explained

The Colorado Privacy Act applies to all entities that conduct business in Colorado and process the personal data of at least 100,000 individuals per year, or derive revenue from the sale of personal data of at least 25,000 individuals. The act does not apply to certain entities, such as state and local governments and state universities. Under the CPA, users have the right to access, correct, and delete their personal data.

New Protections for 2025 and 2026

Recent updates to the Colorado Privacy Act went into effect in late 2025 to enhance protections for minors by raising the protection age to 18, requiring opt-in consent for data processing, and limiting algorithmic engagement design. Previously, a minor was defined as someone under 13 years old. Additionally, HB24-1130 added strict rules for biometric data in July 2025.

Data Breach Notification Requirements in Colorado

Colorado’s data breach notification law, C.R.S. § 6-1-716, requires “covered entities” to notify affected individuals and other entities if they experience a security breach.

What Qualifies as a Reportable Data Breach in Colorado?

Under Colorado law, a “security breach” is defined as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. “Personal information” includes a resident’s first and last name in combination with their Social Security Number, ID number, medical information, health insurance identification number, or biometric data. It also includes usernames or email addresses in combination with passwords or security answers.

Colorado separates “sensitive data” from “personal data.” Sensitive data is any personal data regarding a minor, or any data that reveals race, ethnicity, religion, health, sexual information, citizenship status, or biometric information.

The 30-Day Notification Rule

Unless an exception applies, Colorado law requires covered entities to notify affected individuals within 30 days and provide the required information under the statute. If the entity notifies 500 or more Colorado residents, it also must notify the Colorado Attorney General’s office. Failure to meet this timeline strengthens a consumer’s legal standing in a mass arbitration or lawsuit.

Biometric Privacy for Colorado Residents

The 2025 amendments to the Colorado Privacy Act prohibit the unauthorized collection of fingerprints, facial recognition data, and “neural data,” positioning this as a major area for litigation. Under HB24-1130, companies must obtain “clear, affirmative consent” before processing biometric identifiers—a high bar that many corporations currently fail to meet. Additionally, the CPA now protects employees from forced biometric tracking as a condition of employment, opening the door for workplace privacy lawsuits.

Though there is no private right of action for data privacy violations under the Colorado Privacy Act, users whose data was breached have other options for taking legal action under various state and federal laws. These actions may be brought under theories of negligence, invasion of privacy, and unjust enrichment in federal court or under the broader Colorado Consumer Protection Act for deceptive practices.

Class action lawsuits play a large role in holding corporations accountable when the Attorney General cannot. Though individual damages might be small, collective action can force multi-million dollar settlements from negligent companies.

Recent Colorado Data Breach Settlements

Rodriguez v. Professional Finance Co. Inc. was a $2.5 million class action settlement involving a major February 2022 data breach of Professional Finance Company, Inc. An unauthorized third party gained access to files containing the sensitive personal information of some customers and clients. The case was federal, so it was not filed under the Colorado Privacy Act; it involved claims of negligence, breach of contract, unjust enrichment, invasion of privacy, and violations of various state fraud and consumer protection laws.

Frequently Asked Questions About Colorado Privacy Laws

Does Colorado Have a "Private Right of Action" for Data Privacy?

There is no private right of action under the Colorado Privacy Act, meaning private citizens cannot file lawsuits under its authority. Only the Attorney General and District Attorneys can enforce the CPA. However, victims of data privacy violations may have rights of action under other state or federal laws.

The Colorado Privacy Act allows residents to opt out of the sale of their personal data, as well as its use for targeted advertising and certain types of profiling.

If your data was breached in Colorado, the company, nonprofit, or other entity that was breached must notify you within 30 days, typically via mail or email. You may also be able to tell if your data was breached by unusual activity on your credit accounts.

Protect Your Personal Information and Fight for Fairness

Colorado’s data privacy laws are broader than most states’ and protect consumers from data privacy violations while allowing them to opt out of data collection and sales. If your personal information was accessed in a Colorado data breach, Class Action U can help.

Class Action U simplifies the process for individuals to join ongoing lawsuits by connecting them with our law firm partners who are ready to handle their cases. If you have been affected by an issue that could potentially lead to a class action lawsuit but hasn’t yet, we encourage you to share your information with us. We’ll evaluate the situation to see if it warrants a class action filing. For eligible participants in a class action, our site offers a straightforward way to sign up.
