Privacy Laws in Colorado: What You Need to Know in 2026

Colorado was one of the first states in the country to pass comprehensive consumer privacy legislation. The Colorado Privacy Act (CPA), signed into law on July 7, 2021, and effective since July 1, 2023, gives Colorado residents meaningful control over their personal data. With significant amendments taking effect in 2025 and 2026, the law is now one of the strongest in the nation. Here is everything you need to know.

What Is the Colorado Privacy Act?

The CPA is a broad consumer privacy law that applies to businesses operating in Colorado or targeting Colorado residents. Specifically, it covers companies that either control or process the personal data of at least 100,000 Colorado consumers per year, or control or process the data of at least 25,000 consumers while also earning revenue from the sale of personal data.

Unlike some narrower state laws, the CPA covers a wide range of industries. If a business meets the threshold and isn't specifically exempt, the law applies. The CPA is enforced by the Colorado Attorney General and district attorneys. There is no private right of action, meaning individual consumers cannot file lawsuits under the statute, but you can file complaints with the AG's office to trigger enforcement.

Your Rights Under the CPA

The Colorado Privacy Act grants residents a strong set of data rights. These are the core protections you can exercise today:

• Right to access: You can request confirmation of whether a business is processing your personal data, and obtain a copy of that data.
• Right to correct: You can ask businesses to fix inaccurate personal data they hold about you.
• Right to delete: You can request that a business delete the personal data it has collected from you.
• Right to data portability: You can obtain your data in a portable, readily usable format so you can transfer it to another service.
• Right to opt out: You can opt out of the sale of your personal data, targeted advertising, and profiling that produces legal or similarly significant effects.

Businesses must respond to your request within 45 days. They may extend the deadline by an additional 45 days for complex requests, but they must notify you of the extension and the reason for it.

Sensitive Data: Extra Protections

The CPA treats certain categories of personal data as sensitive and requires businesses to obtain your explicit, opt-in consent before processing them. Sensitive data under the law includes:

• Racial or ethnic origin
• Religious beliefs
• Health conditions or diagnoses
• Sex life or sexual orientation
• Citizenship or immigration status
• Genetic data
• Biometric data used for identification
• Data from a known child

The 2025 amendments expanded this list further. Senate Bill 25-276 added precise geolocation data to the definition of sensitive data, meaning businesses now need your consent before tracking your exact physical location. This is a meaningful addition given how many apps quietly harvest location data in the background.

2025 Amendments: Stronger Youth Protections

Colorado has also moved to protect younger residents. Senate Bill 24-041, which took effect in 2025, introduced an age-appropriate design code covering consumers between the ages of 13 and 17. Under this code, businesses that offer online products or services likely to be accessed by teens must default to high-privacy settings, limit data collection, and avoid using design features that manipulate young users into giving up more information than necessary.

This positions Colorado alongside California as one of the few states that specifically addresses the digital privacy of minors beyond the federal COPPA baseline for children under 13.

What This Means for Families

If you have teenagers in Colorado, the age-appropriate design code means that apps and websites they use must provide stronger default privacy settings. Companies cannot use dark patterns, such as repeated prompts or confusing language, to pressure teens into consenting to data collection. If you notice a service violating these requirements, you can report it to the Colorado Attorney General's office.

Universal Opt-Out Mechanism: GPC Signals in 2026

One of the most impactful provisions of the CPA is the requirement for businesses to honor universal opt-out mechanisms. As of 2026, all covered businesses must recognize Global Privacy Control (GPC) signals sent by your browser. This means you can enable a single setting in a supported browser, such as Firefox, Brave, or DuckDuckGo, and automatically opt out of data sales and targeted advertising across every site you visit.

If you use Chrome, you can install a GPC extension to get the same benefit. Once enabled, every covered business operating in Colorado must treat your GPC signal as a valid opt-out request. No more clicking through dozens of individual privacy settings.

How to Exercise Your CPA Rights

1. Check the company's privacy policy. Every covered business must publish a clear, accessible privacy notice describing what data they collect, why they collect it, what categories of third parties receive it, and how you can submit rights requests.
2. Submit a request. Most companies provide a web form, email address, or toll-free number for privacy requests. Specify whether you want to access, correct, delete, or port your data, or opt out of sales and targeted advertising.
3. Verify your identity. The business will ask you to confirm your identity before fulfilling your request, which protects against unauthorized access to your data.
4. Wait for a response. The business has 45 days to act, with a possible 45-day extension.
5. Appeal if necessary. If the business denies your request, you have the right to appeal. If the appeal fails, file a complaint with the Colorado Attorney General.

What the CPA Does Not Cover

The CPA includes several exemptions. It does not apply to state and local government entities, institutions of higher education, or nonprofits. Data regulated under HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act is also excluded. Employment data and B2B contact information fall outside the law's scope as well.

Importantly, the CPA does not create a centralized data broker registry or a single opt-out portal the way California's Delete Act does. Colorado residents still need to deal with each data broker individually.

Removing Your Data From People-Search Sites

The CPA gives you rights against businesses that process your data, but hundreds of people-search sites like Spokeo, BeenVerified, and Whitepages will continue publishing your name, home address, phone number, and family members unless you opt out from each one separately. These brokers constantly re-scrape public records, so removals rarely stick without ongoing monitoring.

PrivacyOn handles this entire process for Colorado residents. We submit opt-out requests to more than 100 data brokers, continuously monitor for your information reappearing, and re-file removals whenever it does. Combined with exercising your CPA rights against the companies that hold your data directly, this gives you comprehensive protection across both the public records ecosystem and private data collection.

Looking Ahead

Colorado's privacy law continues to evolve. The 2025 amendments around geolocation data and youth protections demonstrate that the state legislature is willing to strengthen the CPA over time. With universal opt-out enforcement now in full effect in 2026, Colorado residents have more tools than ever to control their personal information. The key is to actually use them: enable GPC in your browser, exercise your rights with the companies that hold your data, and keep your presence on people-search sites to a minimum.