
CPA (Colorado Privacy Act): Guide to Requirements + Website Compliance

Get a clear breakdown of Colorado Privacy Act rules, enforcement timelines, and how to manage third-party scripts correctly.

Jan 16, 2026 11 min read
Juan Combariza, Growth Marketer

TL;DR

  • What is the CPA? The Colorado Privacy Act (CPA) is a comprehensive state privacy law (the third in the nation after California and Virginia) that grants Colorado residents rights over their personal data and mandates opt-in consent for sensitive information.
  • Who does the CPA apply to? CPA applies to entities (including nonprofits) doing business in Colorado or targeting Colorado residents that process data of over 100,000 consumers annually, or collect revenue from data sales and process data of over 25,000 consumers. There’s no revenue threshold.
  • What makes the CPA different from other state laws? Colorado was the first state to require businesses to honor universal opt-out mechanisms like Global Privacy Control. It also sets data protection assessments in stone and has GDPR-style consent standards that reject shady consent patterns.
  • Why does the client-side matter for CPA? Under the CPA, opt-out compliance and sensitive data handling are enforcement priorities. Third-party scripts running on your website are a privacy and security risk that can lead to CPA non-compliance.
  • Why does the CPA matter for businesses? Companies in scope of the Colorado Privacy Act that fail to meet its requirements may face financial penalties of up to $20,000 or legal action from state regulators. The CPA reflects a consumer shift towards valuing privacy. Ignoring this expectation risks losing consumer loyalty and trust.
Visual Checklist: Colorado Privacy Act - Does CPA Apply to My Organization

Colorado didn't wait to see how privacy regulation would turn out elsewhere. In July 2021, the state became the third in the US to enact a comprehensive privacy law. And in some respects, it went further than California or Virginia.

The law makes it compulsory for businesses to recognize universal opt-out signals, which was a first among U.S. states when the law passed. It demands GDPR-like consent that explicitly bans dark patterns. And unlike most state privacy laws, it covers nonprofits.

These requirements create a specific challenge for website operators: visibility into how data is actually processed when users visit your website.

Third-party scripts, tracking pixels and analytics tools operate outside your control. Yet under the CPA, you remain responsible for what they collect and whether they respect opt-out requests.

This guide covers who the CPA applies to, what it demands, and where client-side visibility fits into compliance.

What is the Colorado Privacy Act?

The Colorado Privacy Act [SB 21-190] establishes privacy rights for Colorado residents and corresponding obligations for businesses that collect their data. Governor Jared Polis signed it into law on July 7, 2021, though most provisions took effect on July 1, 2023.

The law gives consumers five main rights:

  1. Access - Confirm whether a business holds their data and obtain a copy
  2. Correction - Fix inaccurate personal data
  3. Deletion - Request removal of their personal data
  4. Portability - Receive their data in a usable format
  5. Opt-out - Decline targeted advertising, data sales, and certain profiling

Like all other privacy frameworks, the CPA expects businesses to show transparency, data minimization, purpose limitation and security around personal data processing. That includes displaying clear privacy notices, getting valid consent before processing sensitive data, performing risk assessments for sensitive data processing, and honoring opt-out requests, including those that come from universal browser signals.

Violations are enforced as deceptive trade practices under Colorado law. Penalties reach up to $20,000 per violation, and much more if the case involves a series of violations.

How Do I Know If the CPA Applies to My Organization?

The CPA applies to any entity (for-profit or nonprofit) that meets both of the following conditions:

1) Nexus to Colorado

You conduct business in Colorado or you produce or deliver commercial products or services intentionally targeted to Colorado residents.

2) Data volume threshold (meet either)

  • You process personal data of 100,000 or more Colorado consumers per year
  • You collect revenue (or receive discounts) from selling personal data and process data of 25,000 or more consumers

A few things to note:

  • There is no revenue threshold. Unlike California's CCPA, which exempts businesses under $25 million in annual revenue, the CPA has no such floor. A small company processing enough consumer data falls within scope.
  • Nonprofits are covered. Most state privacy laws exempt nonprofits; Colorado does not.
  • “Consumer” is narrowly defined. The CPA protects Colorado residents acting in a personal or household capacity, not employees, job applicants or B2B contacts.

Exemptions to the CPA

  • Government agencies or higher education institutions like universities
  • Entities already regulated under GLBA (financial institutions), HIPAA (healthcare) or the Fair Credit Reporting Act
  • Air carriers who are under FAA regulation
  • Data already governed by COPPA, FERPA or certain federal research protections

The exemptions apply at the data level, not the organization level: if your organization handles data across multiple regulatory regimes, you may still have CPA obligations for consumer data that isn’t covered by one of those other frameworks.

What are the CPA Key Requirements?

1. Clear and informative privacy notices

The CPA requires a "reasonably accessible, clear, and meaningful" privacy notice. Boilerplate language won't be enough.

Your notice must include:

  • Categories of personal data you collect
  • Purposes for processing
  • How consumers can exercise their rights (and appeal denials)
  • Categories of data shared with third parties
  • Who those third parties are, by category

You must disclose clearly if you sell data or use it for targeted advertising, as well as explain how consumers can opt out.

2. Opt-in consent for sensitive data

Before processing sensitive data, you need opt-in consent. The CPA counts data as “sensitive” if it reveals:

  • Racial or ethnic origin,
  • Religious beliefs,
  • Mental or physical health conditions,
  • Sex life or sexual orientation,
  • Citizenship or immigration status,
  • Genetic data,
  • Biometric identifiers for identification, and
  • Data from children under 13.

Consent under the CPA must be “freely given, specific, informed and unambiguous.” This language is borrowed from the GDPR. 

Accepting the general terms of service does not constitute consent. Neither does hovering over, muting or closing content.

This is stricter than most U.S. state laws. Under the CPA, pre-checked boxes, confusing interfaces or buried disclosures will not provide a legal basis for processing sensitive information.

3. Universal opt-out systems

Since July 1, 2024, controllers must honor universal opt-out signals like Global Privacy Control (GPC).

When a user's browser sends a GPC signal, you must treat it as a valid opt-out request for targeted advertising or the sale of personal data.

The Colorado Department of Law maintains a list of recognized opt-out mechanisms. Companies are required to explain how they handle these signals in their privacy notice.

4. Data protection assessments

You must conduct and document a data protection assessment for processing activities that are considered high risk. The assessment must be completed before the processing begins.

The assessment should weigh benefits against potential harms and document safeguards in place. These records must be retained and may be requested by the Attorney General during an investigation.

5. Processor contracts

Most modern websites use vendors (processors) to handle personal data. These include chatbots, analytics tools, advertising tools, and even development libraries that developers add to a website. For these processors you need written contracts that specify:

  • The nature and purpose of processing
  • The type of data involved
  • The duration of processing
  • Obligations for confidentiality, security and sub-processor management

Most website tools (Meta, Google Analytics, Cloudflare) have standardized “DPAs” or Data Processing Agreements that you can access without having to create individual contracts for them. It is still your responsibility to ensure that those website tools are actually behaving the way they claim, which is not always the case due to malicious code injections or misconfigurations.

The Client-Side is a Modern Risk Surface for CPA

Visual: Client-side privacy risks for CPA - cside

The client-side is a primary risk surface for Colorado Privacy Act (CPA) violations, as most personal data collection now occurs directly within the user’s browser, outside of the view of traditional privacy management software.

Third-party scripts are a CPA privacy compliance risk

Under the CPA, you are the controller for the scripts on your site. This places liability on you for every tool you add to your website. You are expected to demonstrate understanding of, and control over, how these scripts interact with personal data.

  • Modern websites serve several third-party scripts to their users: chatbots, analytics tools, development libraries that load in the browser, and more.
  • These scripts usually run without any privacy or security review, collecting IP addresses, identifiers, form inputs, or behavioral signals that count as personal data.
  • Under the CPA, the organization is the “controller” because it decides to use those scripts and benefits from them.
  • If scripts collect data beyond what is disclosed in the privacy notice, your organization is violating the CPA's purpose limitation and transparency rules, and may be engaging in unintended “targeted advertising” or a “data sale”.

Client-side attacks are a CPA data breach risk

  • Client-side attacks (like Magecart or JavaScript code injection) directly threaten CPA compliance as they steal personal data.
  • The CPA explicitly requires "reasonable administrative, technical, and physical data security practices." Failing to monitor the client-side fails this statutory requirement.
  • Major privacy violation fines such as the British Airways £20 million GDPR fine were handed out as a result of a website data breach.
  • Your server security, encryption, and internal access controls do not protect you from client-side attacks. This attack vector involves an injection of code onto your website that exfiltrates data to attacker servers without traditional security tools noticing.

Cookie banners alone do not satisfy CPA requirements. Banners are an important piece of website privacy compliance, but they don’t monitor how third-party scripts act at runtime and have limited enforcement abilities. Moreover, consent management tools were not built to defend against client-side attacks or to serve as technical safeguards against data breaches.

Where CPA Compliance Failures Typically Happen

Infographic: Common CPA Compliance failures - Colorado Privacy Act

Ignoring browser-based opt-outs

The most common failure amongst privacy frameworks like the CPA is when websites offer opt-out options but don't actually stop data collection when those options are exercised.

This usually happens because of technical misconfiguration rather than malicious intent on the part of the website owner.

When a user enables GPC, your cookie banner may detect and log the signal, but your ad pixels and third-party scripts keep running anyway because they were never configured to respect it.

This counts as a violation under the CPA. 

California's $1.2 million settlement with Sephora in 2022 centered on exactly this issue. That case was brought under the CPRA (a different California law), but the underlying legal expectation is the same: Sephora told users they could opt out of data sales but continued sharing data with advertising partners regardless. Colorado is enforcing the same principle.
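The following JavaScript is an added example (not cside's code or any vendor's) of the gate that the failure above lacks, and of the GPC handling described in the universal opt-out section: the browser signal is read before any tag is injected and takes precedence over the banner choice, so advertising and sale scripts never load for an opted-out user while analytics still does. The script manifest, tag names and URLs are constructed placeholders.

```javascript
// Added example, not cside's code. Constructed manifest: each third-party tag
// declares the CPA purpose it serves; names and URLs are placeholders.
const SCRIPT_MANIFEST = [
  { name: "analytics", src: "https://tags.example.invalid/analytics.js", purpose: "analytics" },
  { name: "ad-pixel", src: "https://tags.example.invalid/pixel.js", purpose: "targeted_advertising" },
  { name: "data-partner", src: "https://tags.example.invalid/partner.js", purpose: "sale" },
];

// Purposes that a universal opt-out signal switches off under the CPA.
const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale"]);

// Browsers that implement GPC expose navigator.globalPrivacyControl === true
// (the same signal reaches your server as the "Sec-GPC: 1" request header).
// Anything else is treated as "no signal", never as consent.
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Merge the browser signal with the banner choice. GPC takes precedence over a
// banner "accept": logging the signal but loading tags anyway is the failure
// described above. The source is kept so the decision can be documented.
function resolveOptOut({ gpcSignal, bannerChoice }) {
  if (gpcSignal) return { optedOut: true, source: "gpc" };
  if (bannerChoice === "opt-out") return { optedOut: true, source: "banner" };
  return { optedOut: false, source: bannerChoice === "accept" ? "banner" : "none" };
}

// Split the manifest into tags that may load and tags that must stay off.
function planScriptLoads(manifest, decision) {
  const allowed = [];
  const blocked = [];
  for (const tag of manifest) {
    if (decision.optedOut && OPT_OUT_PURPOSES.has(tag.purpose)) blocked.push(tag.name);
    else allowed.push(tag.name);
  }
  return { allowed, blocked };
}

// Inject only the allowed tags. The decision is made before any <script> is
// appended, so a blocked tag never executes. Returns the number injected
// (0 outside a browser, e.g. under Node, where there is no document).
function loadApproved(manifest, plan) {
  if (typeof document === "undefined") return 0;
  let injected = 0;
  for (const tag of manifest) {
    if (!plan.allowed.includes(tag.name)) continue;
    const el = document.createElement("script");
    el.src = tag.src;
    el.async = true;
    document.head.appendChild(el);
    injected += 1;
  }
  return injected;
}

// Browser entry point: read the signal first, then load only what is permitted.
if (typeof navigator !== "undefined") {
  const decision = resolveOptOut({ gpcSignal: readGpcSignal(navigator), bannerChoice: "accept" });
  loadApproved(SCRIPT_MANIFEST, planScriptLoads(SCRIPT_MANIFEST, decision));
}
```

The same precedence rule has to be applied on the server for tags that are injected from templates, using the Sec-GPC request header rather than the navigator property.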

Leakage of sensitive data through scripts

Health information, location data and other sensitive categories often end up in places they shouldn't. Usually not because someone intentionally shared them, but because a tracking pixel captured form inputs or a third-party script accessed page content it wasn't meant to.

The FTC's actions against GoodRx and BetterHelp show the pattern. Both companies used standard advertising pixels on their platforms, but those pixels captured health-related information and transmitted it to ad networks. Neither company intended this, but both faced enforcement actions and significant penalties.

Under the CPA, processing sensitive data without consent is a violation regardless of intent. You’re responsible if scripts on your site are capturing sensitive information.

Incomplete or misleading privacy notices

You don’t want your privacy notice to say you collect data only for necessary analytics while your tag manager loads dozens of scripts that track users across the web.

This disconnect creates two problems:

  1. Your notice doesn't accurately describe your data practices (transparency violation)
  2. You may be processing data for purposes consumers never agreed to (purpose limitation violation)

The CPA requires your disclosures to match reality. Most website teams do not know which third-party scripts have access to data or how they behave behind the scenes. 

Third-party scripts change their behavior frequently as vendors update their code, and you don’t see those changes directly. The scope of data processing on your website can change, rendering your privacy disclosures inaccurate without your team noticing.


How cside Helps Organizations Comply with the Colorado Privacy Act

cside Privacy Watch watches over a risk surface that traditional privacy management software misses: what actually executes in the user’s browser. Data collection from third-party vendors is monitored closely and your team is alerted the moment there is a change that could lead to a privacy violation or data breach exposure.

Oversight of Third-Party Tools

  • Many compliance failures originate with third-party vendors. cside validates that third-party scripts behave the way they were intended to within your privacy expectations.

Visibility Into Website Data Collection

  • cside provides a clear view into which scripts operate on your website, what data they access, and where that data is sent. This helps teams maintain accurate records of data collection and supports clear, up-to-date privacy disclosures.

Data Minimization & Purpose Limitation

  • As third-party tools change over time, they can begin collecting more data than originally intended. Vendor code is updated without your team noticing. cside picks up these changes, allowing you to identify unnecessary data collection.

Proof of Reasonable Security Safeguards

  • CPA requires organizations to implement reasonable measures to protect personal data. cside monitors for suspicious script behavior, unauthorized changes, and data exfiltration patterns to prevent data leaks from client-side attacks.

AI-Assisted Documentation Prep 

  • cside maintains detailed records of script activity, configuration changes, and data handling behavior. AI is used to reduce manual documentation for compliance teams by shaping this data into regulation-specific formats. 

You can start with our free plan or book a demo to see how client-side visibility supports your CPA compliance program.



Frequently Asked Questions

Yes. The Colorado Privacy Act applies regardless of where your business is located if you target Colorado residents with products or services and meet the applicable data volume thresholds.

The CPA differs from CCPA in several important ways. It does not include a revenue threshold, requires honoring universal opt-out mechanisms, applies to nonprofit organizations, and mandates opt-in consent for sensitive data rather than an opt-out model. The CPA also explicitly prohibits the use of dark patterns to obtain consent.

Sensitive data under the CPA includes information revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation or sex life, citizenship status, genetic data, biometric identifiers, and personal data from children under the age of 13.

CPA violations are treated as deceptive trade practices, with penalties ranging from $2,000 to $20,000 per violation. While a 60-day cure period previously applied, as of January 1, 2025 the Colorado Attorney General may pursue enforcement actions immediately without offering a cure period.

Yes. Since July 1, 2024, websites are required to honor Global Privacy Control signals as valid opt-out requests, removing affected users from targeted advertising and the sale of personal data.

Data protection assessments are required if your organization sells personal data, engages in targeted advertising, or profiles consumers in ways that could result in harm, such as profiling based on ethnic or religious characteristics.

Platforms like cside can help organizations comply with the CPA by identifying and monitoring privacy risks on websites. cside discovers risks introduced by third-party vendors, detects client-side security vulnerabilities that can lead to data breaches, and helps format compliance evidence in regulation-specific formats.
