Colorado Privacy Act ("CPA")
Colo. Rev. Stat. § 6-1-1301 — 6-1-1314
SUMMARY:
The act establishes personal data privacy rights for Colorado residents, specifically targeting legal entities that handle data for at least 100,000 consumers annually or derive revenue from selling personal data while processing at least 25,000 consumers' data. It defines "controllers" and "processors" and grants consumers rights to opt out of data processing, as well as to access, correct, delete, or obtain their personal data. Controllers are required to adhere to transparency and data protection measures, including conducting risk assessments for high-risk data processing. Violations of the law are considered deceptive trade practices and can be enforced by the attorney general or district attorneys. Local governments are prohibited from regulating personal data processing, and the attorney general is tasked with establishing rules for a universal opt-out mechanism.
In addition, the law was amended in 2024 to introduce specific protections for individuals' biometric data. Entities that control or process biometric identifiers must adopt a written policy outlining a retention schedule for biometric data, a response protocol for data security incidents, and guidelines for deleting biometric identifiers by specified dates. With certain exceptions, this policy must be made publicly available. The law also imposes new disclosure and consent requirements for collecting biometric data, restricts employers' ability to obtain employee consent for biometric data collection, and mandates that controllers inform consumers about the use of their biometric identifiers. The attorney general is authorized to create additional rules to enforce these provisions. The update was approved by the Governor on May 31, 2024.
CITATION:
Colorado Revised Statutes Annotated
Title 6. Consumer and Commercial Affairs (§§ 6-1-101 — 6-28-102)
Fair Trade and Restraint of Trade (Arts. 1 — 6.5)
Article 1. Colorado Consumer Protection Act (Pts. 1 — 15)
Part 13 Colorado Privacy Act (§§ 6-1-1301 — 6-1-1313)
6-1-1301. Short title.
6-1-1302. Legislative declaration.
6-1-1303. Definitions.
6-1-1304. Applicability of part.
6-1-1305. Responsibility according to role.
6-1-1305.5. Responsibility according to role - processing data of minors.
6-1-1306. Consumer personal data rights - repeal.
6-1-1307. Processing de-identified data.
6-1-1308. Duties of controllers.
6-1-1308.5. Duties of controllers - duty of care - rebuttable presumption.
6-1-1309. Data protection assessments - attorney general access and evaluation - definition.
6-1-1309.5. Data protection assessments - heightened risk of harm to minors.
6-1-1310. Liability.
6-1-1311. Enforcement - penalties - repeal.
6-1-1312. Preemption - local governments.
6-1-1313. Rules - opt-out mechanism.
6-1-1314. Biometric data and biometric identifiers - controllers - duties and requirements - written policy - prohibited acts - right to correct biometric identifiers - right to access biometric identifiers - remedies and civil actions - rules - definitions.
6-1-1301. Short title.
The short title of this part 13 is the “Colorado Privacy Act”.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3445, § 1, effective July 1, 2023.
6-1-1302. Legislative declaration.
(1) The general assembly hereby:
(a) Finds that:
(I) The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom;
(II) Colorado’s constitution explicitly provides the right to privacy under section 7 of article II, and fundamental privacy rights have long been, and continue to be, integral to protecting Coloradans and to safeguarding our democratic republic;
(III) [Editor’s note: This version of subsection (1)(a)(III) is effective until October 1, 2025.] Ongoing advances in technology have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed, and these advances present both promise and potential peril;
(III) [Editor’s note: This version of subsection (1)(a)(III) is effective October 1, 2025.] Ongoing advances in technology have produced exponential growth in the volume and variety of personal data from individuals, including minors, being generated, collected, stored, and analyzed, and these advances present both promise and potential peril;
(IV) The ability to harness and use data in positive ways is driving innovation and brings beneficial technologies to society, but it has also created risks to privacy and freedom; and
(V) [Editor’s note: This version of subsection (1)(a)(V) is effective until October 1, 2025.] The unauthorized disclosure of personal information and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm;
(V) [Editor’s note: This version of subsection (1)(a)(V) is effective October 1, 2025.] The unauthorized disclosure of personal information, including a minor’s personal information, and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm;
(b) Determines that:
(I) Technological innovation and new uses of data can help solve societal problems and improve lives, and it is possible to build a world where technological innovation and privacy can coexist; and
(II) [Editor’s note: This version of subsection (1)(b)(II) is effective until October 1, 2025.] States across the United States are looking to this part 13 and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level; and
(II) [Editor’s note: This version of subsection (1)(b)(II) is effective October 1, 2025.] States across the United States are looking to this part 13 and similar models to enact state-based data privacy requirements, including data privacy requirements specifically targeted at minors’ data, and to exercise the leadership that is lacking at the national level; and
(c) Declares that:
(I) [Editor’s note: This version of subsection (1)(c)(I) is effective until October 1, 2025.] By enacting this part 13, Colorado will be among the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate;
(I) [Editor’s note: This version of subsection (1)(c)(I) is effective October 1, 2025.] By enacting this part 13, Colorado will be among the states that empower consumers, including minors, to protect their privacy and require companies to be responsible custodians of data as they continue to innovate;
(II) This part 13 addresses issues of statewide concern and:
(A) Provides consumers the right to access, correct, and delete personal data and the right to opt out not only of the sale of personal data but also of the collection and use of personal data;
(A.5) [Editor’s note: Subsection (1)(c)(II)(A.5) is effective October 1, 2025.] Provides minors the right to control their personal data;
(B) Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and
(C) Empowers the attorney general and district attorneys to access and evaluate a company’s data protection assessments, to impose penalties where violations occur, and to prevent future violations.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3445, § 1, effective July 1, 2023. L. 2024:(1)(a)(III), (1)(a)(V), (1)(b)(II), and (1)(c)(I) amended and (1)(c)(II)(A.5) added, (SB 24-041), ch. 296, p. 2018, § 1, effective October 1, 2025.
6-1-1303. Definitions.
As used in this part 13, unless the context otherwise requires:
(1) [Editor’s note: This version of subsection (1) is effective until October 1, 2025.] “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this subsection (1), “control” means:
(a) Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;
(b) Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or
(c) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.
(1) [Editor’s note: This version of subsection (1) is effective October 1, 2025.] “Adult” means an individual who is eighteen years of age or older.
(1.5)
(a) [Editor’s note: Subsection (1.5) is effective October 1, 2025.] “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity.
(b) As used in subsection (1.5)(a) of this section, “control” means:
(I) Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;
(II) Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or
(III) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.
(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights in section 6-1-1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights.
(2.2) “Biological data” means data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. “Biological data” includes neural data.
(2.4)
(a) [Editor’s note: Subsection (2.4) is effective July 1, 2025.] “Biometric data” means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes.
(b) “Biometric data” does not include the following unless the biometric data is used for identification purposes:
(I) A digital or physical photograph;
(II) An audio or voice recording; or
(III) Any data generated from a digital or physical photograph or an audio or video recording.
(2.5) [Editor’s note: Subsection (2.5) is effective July 1, 2025.] “Biometric identifier” means data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. “Biometric identifier” includes:
(a) A fingerprint;
(b) A voiceprint;
(c) A scan or record of an eye retina or iris;
(d) A facial map, facial geometry, or facial template; or
(e) Other unique biological, physical, or behavioral patterns or characteristics.
(3) “Business associate” has the meaning established in 45 CFR 160.103.
(4) “Child” means an individual under thirteen years of age.
(5) “Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:
(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
(b) Hovering over, muting, pausing, or closing a given piece of content; and
(c) Agreement obtained through dark patterns.
(6) “Consumer”:
(a) Means an individual who is a Colorado resident acting only in an individual or household context; and
(b) Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
(7) “Controller” means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.
(8) “Covered entity” has the meaning established in 45 CFR 160.103.
(9) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
(10) “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.
(11) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:
(a) Takes reasonable measures to ensure that the data cannot be associated with an individual;
(b) Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and
(c) Contractually obligates any recipients of the information to comply with the requirements of this subsection (11).
(12) “Health-care facility” means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state.
(13) “Health-care information” means individually identifiable information relating to the past, present, or future health status of an individual.
(14) “Health-care provider” means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12.
(14.5) [Editor’s note: Subsection (14.5) is effective October 1, 2025.] “Heightened risk of harm to minors” means processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:
(a) Unfair or deceptive treatment of, or unlawful disparate impact on, minors;
(b) Financial, physical, or reputational injury to minors;
(c) Unauthorized disclosure of the personal data of minors as a result of a security breach, as defined in section 6-1-716 (1)(h); or
(d) Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.
(15) “HIPAA” means the federal “Health Insurance Portability and Accountability Act of 1996”, as amended, 42 U.S.C. secs. 1320d to 1320d-9.
(16) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
(16.5) [Editor’s note: Subsection (16.5) is effective October 1, 2025.] “Minor” means any consumer who is under eighteen years of age.
(16.7) “Neural data” means information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.
(16.8) [Editor’s note: Subsection (16.8) is effective October 1, 2025.] “Online service, product, or feature”:
(a) Means any service, product, or feature that is provided online; and
(b) Does not include:
(I) Telecommunications service, as defined in 47 U.S.C. sec. 153 (53), as amended;
(II) Broadband internet access service, as defined in 47 CFR 54.400 (l), as amended; or
(III) The delivery or use of a physical product.
(17) “Personal data”:
(a) Means information that is linked or reasonably linkable to an identified or identifiable individual; and
(b) Does not include de-identified data or publicly available information. As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.
(17.5) [Editor’s note: Subsection (17.5) is effective October 1, 2025.] “Precise geolocation data”:
(a) Means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet; and
(b) Does not include:
(I) The content of communications regarding location; or
(II) Any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(18) “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.
(19) “Processor” means a person that processes personal data on behalf of a controller.
(20) “Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(21) “Protected health information” has the meaning established in 45 CFR 160.103.
(22) “Pseudonymous data” means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.
(23)
(a) “Sale”, “sell”, or “sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
(b) “Sale”, “sell”, or “sold” does not include the following:
(I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller;
(II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(III) The disclosure or transfer of personal data to an affiliate of the controller;
(IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
(V) The disclosure of personal data:
(A) That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
(B) Intentionally made available by a consumer to the general public via a channel of mass media.
(24) “Sensitive data” means:
(a) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
(b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
(c) Personal data from a known child; or
(d) Biological data.
(25) “Targeted advertising”:
(a) Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and
(b) Does not include:
(I) Advertising to a consumer in response to the consumer’s request for information or feedback;
(II) Advertisements based on activities within a controller’s own websites or online applications;
(III) Advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or
(IV) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
(26) “Third party” means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3446, § 1, effective July 1, 2023. L. 2024: (2.5), (16.7), and (24)(d) added and (24)(b) and (24)(c) amended, (HB 1058), ch. 68, p. 224, § 2, effective August 7; (2.2) and (2.4) added, (HB 24-1130), ch. 313, p. 2107, § 3, effective July 1, 2025; (1) amended and (1.5), (14.5), (16.5), (16.8), and (17.5) added, (SB 24-041), ch. 296, p. 2019, § 1, effective October 1, 2025.
6-1-1304. Applicability of part.
(1) [Editor’s note: This version of subsection (1) is effective until July 1, 2025.] Except as specified in subsection (2) of this section, this part 13 applies to a controller that:
(a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(b) Satisfies one or both of the following thresholds:
(I) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
(II) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.
(1) [Editor’s note: This version of subsection (1) is effective July 1, 2025, until October 1, 2025.] Except as specified in subsection (2) of this section, this part 13 applies to a controller that:
(a)
(I) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(II) Satisfies one or both of the following thresholds:
(A) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
(B) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more; or
(b) Controls or processes any amount of biometric identifiers or biometric data regardless of the amount of biometric identifiers or biometric data controlled or processed annually; except that a controller that meets the qualifications of this subsection (1)(b) but does not meet the qualifications of subsection (1)(a) of this section shall comply with this part 13 only for the purposes of a biometric identifier or biometric data that the controller collects and processes.
(a) [Editor’s note: This version of subsection (1) is effective October 1, 2025.] Except as specified in subsection (2) of this section:
This part 13, other than sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5, applies to a controller that:
(I)
(A) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(B) Satisfies one or both of the following thresholds: controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more; or
(II) Controls or processes any amount of biometric identifiers or biometric data regardless of the amount of biometric identifiers or biometric data controlled or processed annually; except that a controller that meets the qualifications of this subsection (1)(b) but does not meet the qualifications of subsection (1)(a) of this section shall comply with this part 13 only for the purposes of a biometric identifier or biometric data that the controller collects and processes;
(b) Sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5 to 6-1-1313 apply to a controller that conducts business in Colorado or delivers commercial products or services that are intentionally targeted to residents of Colorado.
(2) This part 13 does not apply to:
(a) Protected health information that is collected, stored, and processed by a covered entity or its business associates;
(b) Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;
(c) Patient identifying information, as defined in 42 CFR 2.11, that are governed by and collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd-2;
(d) Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);
(e) Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;
(f) Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b-21 to 299b-26;
(g) Information that is:
(I) De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and
(II) Derived from any of the health-care-related information described in this section;
(h) Information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:
(I) A covered entity or business associate;
(II) A health-care facility or health-care provider; or
(III) A program of a qualified service organization as defined in 42 CFR 2.11;
(i)
(I) Except as provided in subsection (2)(i)(II) of this section, an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:
(A) A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);
(B) A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a (d); or
(C) A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.
(II) This subsection (2)(i) applies only to the extent that the activity is regulated by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal “Fair Credit Reporting Act”, as amended.
(j) Personal data:
(I) Collected and maintained for purposes of article 22 of title 10;
(II) Collected, processed, sold, or disclosed pursuant to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
(III) Collected, processed, sold, or disclosed pursuant to the federal “Driver’s Privacy Protection Act of 1994”, 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;
(IV) Regulated by the federal “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or
(V) Regulated by the federal “Family Educational Rights and Privacy Act of 1974”, 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;
(k) Data maintained for employment records purposes;
(l) An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as amended, and 49 U.S.C. sec. 41713, as amended;
(m) A national securities association registered pursuant to the federal “Securities Exchange Act of 1934”, 15 U.S.C. sec. 78o-3, as amended, or implementing regulations;
(n) Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;
(o) Data maintained by a state institution of higher education, as defined in section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not effect any other exemption available under this part 13.
(p) Information used and disclosed in compliance with 45 CFR 164.512; or
(q) A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR 1016.
(3) The obligations imposed on controllers or processors under this part 13 do not:
(a) Restrict a controller’s or processor’s ability to:
(I) Comply with federal, state, or local laws, rules, or regulations;
(II) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(III) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;
(IV) Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
(V) Conduct internal research to improve, repair, or develop products, services, or technology;
(VI) Identify and repair technical errors that impair existing or intended functionality;
(VII) Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller;
(VIII) Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
(IX) Protect the vital interests of the consumer or of another individual;
(X) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
(XI) Process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing:
(A) Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and
(B) Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or
(XII) Assist another person with any of the activities set forth in this subsection (3);
(b) Apply where compliance by the controller or processor with this part 13 would violate an evidentiary privilege under Colorado law;
(c) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;
(d) [Editor’s note: This version of subsection (3)(d) is effective until October 1, 2025.] Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law; and
(d) [Editor’s note: This version of subsection (3)(d) is effective October 1, 2025.] Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law;
(e) [Editor’s note: This version of subsection (3)(e) is effective until October 1, 2025.] Apply to the processing of personal data by an individual in the course of a purely personal or household activity.
(e) [Editor’s note: This version of subsection (3)(e) is effective October 1, 2025.] Apply to the processing of personal data by an individual in the course of a purely personal or household activity;
(f) [Editor’s note: Subsection (3)(f) is effective October 1, 2025.] Require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers, but a controller that chooses to conduct commercially reasonable age estimation to determine which consumers are minors is not liable for an erroneous age estimation; and
(g) [Editor’s note: Subsection (3)(g) is effective October 1, 2025.] Impose any obligation on a controller or processor that adversely affects the rights of any person to freedom of speech or freedom of the press guaranteed by the first amendment to the United States constitution.
(4) Personal data that are processed by a controller pursuant to an exception provided by this section:
(a) Shall not be processed for any purpose other than a purpose expressly listed in this section or as otherwise authorized by this part 13; and
(b) Shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized by this part 13.
(5) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (4) of this section.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3450, § 1, effective July 1, 2023. L. 2024: (1) amended, (HB 24-1130), ch. 313, p. 2108, § 4, effective July 1, 2025; (1), (3)(d), and (3)(e) amended and (3)(f) and (3)(g) added, (SB 24-041), ch. 296, p. 2021, § 3, effective October 1, 2025.
6-1-1305. Responsibility according to role.
(1) Controllers and processors shall meet their respective obligations established under this part 13.
(2) Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:
(a) Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to consumer requests to exercise their rights pursuant to section 6-1-1306;
(b) Helping to meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and
(c) Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6-1-1309. The controller and processor are each responsible for only the measures allocated to them.
(3) Notwithstanding the instructions of the controller, a processor shall:
(a) Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
(b) Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
(4) Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.
(5) Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out:
(a) The processing instructions to which the processor is bound, including the nature and purpose of the processing;
(b) The type of personal data subject to the processing, and the duration of the processing;
(c) The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and
(d) The following requirements:
(I) At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(II)
(A) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and
(B) The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor. Alternatively, the processor may, with the controller’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor’s expense, an audit of the processor’s policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.
(6) In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by this part 13.
(7) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.
(8)
(a) A controller or processor that discloses personal data to another controller or processor in compliance with this part 13 does not violate this part 13 if the recipient processes the personal data in violation of this part 13, and, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
(b) A controller or processor receiving personal data from a controller or processor in compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this part 13 if the controller or processor from which it receives the personal data fails to comply with applicable obligations under this part 13.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3455, § 1, effective July 1, 2023.
6-1-1305.5. Responsibility according to role - processing data of minors.
[Editor’s note: This section is effective October 1, 2025.]
(1) A processor shall adhere to the instructions of a controller and shall assist the controller to meet the controller’s obligations under sections 6-1-1308.5 and 6-1-1309.5, taking into account the nature of the processing and the information available to the processor. The processor shall assist the controller by:
(a) Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligations under section 6-1-1308.5; and
(b) Providing information to enable the controller to conduct and document data protection assessments pursuant to section 6-1-1309.5.
(2) A contract between a controller and a processor must satisfy the requirements in section 6-1-1305 (5).
(3) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship as described in sections 6-1-1308.5 and 6-1-1309.5.
(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person that is not limited in the person’s processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under section 6-1-1311.
History
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2021, § 4, effective October 1, 2025.
6-1-1306. Consumer personal data rights - repeal.
(1) Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6-1-1308 (1)(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this section but may require a consumer to use an existing account. A consumer may submit a request at any time to a controller specifying which of the following rights the consumer wishes to exercise:
(a) Right to opt out.
(I) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:
(A) Targeted advertising;
(B) The sale of personal data; or
(C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
(II) A consumer may authorize another person, acting on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
(III) A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice.
(IV)
(A) A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024.
(B) Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.
(C) Notwithstanding a consumer’s decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. Before obtaining a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.
(b) Right of access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.
(c) Right to correction. A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
(d) Right to deletion. A consumer has the right to delete personal data concerning the consumer.
(e) Right to data portability. When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller’s trade secrets.
(2) Responding to consumer requests.
(a) A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. The controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay.
(b) If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section.
(c) Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24-72-205 (5)(a).
(d) A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.
(3)
(a) A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer’s receipt of the notice sent by the controller under subsection (2)(b) of this section. The appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section.
(b) Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay.
(c) The controller shall inform the consumer of the consumer’s ability to contact the attorney general if the consumer has concerns about the result of the appeal.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3457, § 1, effective July 1, 2023.
6-1-1307. Processing de-identified data.
(1) This part 13 does not require a controller or processor to do any of the following solely for purposes of complying with this part 13:
(a) Reidentify de-identified data;
(b) Comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to section 6-1-1306 (1), if all of the following are true:
(I)
(A) The controller is not reasonably capable of associating the request with the personal data; or
(B) It would be unreasonably burdensome for the controller to associate the request with the personal data;
(II) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
(III) The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or
(c) Maintain data in identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.
(2) A controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and shall take appropriate steps to address any breaches of contractual commitments.
(3) The rights contained in section 6-1-1306 (1)(b) to (1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3460, § 1, effective July 1, 2023.
6-1-1308. Duties of controllers.
(1)
(a) Duty of transparency. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
(I) The categories of personal data collected or processed by the controller or a processor;
(II) The purposes for which the categories of personal data are processed;
(III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
(IV) The categories of personal data that the controller shares with third parties, if any; and
(V) The categories of third parties, if any, with whom the controller shares personal data.
(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
(c) A controller shall not:
(I) Require a consumer to create a new account in order to exercise a right; or
(II) Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.
(d) Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.
(2) Duty of purpose specification. A controller shall specify the express purposes for which personal data are collected and processed.
(3) Duty of data minimization. A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
(4) Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.
(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
(6) Duty to avoid unlawful discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
(7) Duty regarding sensitive data. A controller shall not process a consumer’s sensitive data without first obtaining the consumer’s consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3460, § 1, effective July 1, 2023.
6-1-1308.5. Duties of controllers - duty of care - rebuttable presumption.
(1)
(a) [Editor’s note: This section is effective October 1, 2025.] A controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature.
(b) In any enforcement action brought by the attorney general or a district attorney pursuant to section 6-1-1311, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.
(2) Unless a controller has obtained consent in accordance with subsection (3) of this section, a controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall not:
(a) Process a minor’s personal data:
(I) For the purposes of:
(A) Targeted advertising;
(B) The sale of personal data; or
(C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
(II) For any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the minor’s personal data or that is reasonably necessary for, and compatible with, the processing purpose that the controller disclosed at the time the controller collected the minor’s personal data; or
(III) For longer than is reasonably necessary to provide the online service, product, or feature;
(b) Use any system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature; or
(c) Collect a minor’s precise geolocation data unless:
(I) The minor’s precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;
(II) The controller only collects and retains the minor’s precise geolocation data for the time necessary to provide the online service, product, or feature; and
(III) The controller provides to the minor a signal indicating that the controller is collecting the minor’s precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor’s precise geolocation data; except that this subsection (2)(c)(III) does not apply to any service or application that is used by and under the direction of a ski area operator, as defined in section 33-44-103 (7).
(3)
(a) A controller shall not engage in the activities described in subsection (2) of this section unless the controller obtains:
(I) The minor’s consent; or
(II)
(A) If the minor is a child, the consent of the minor’s parent or legal guardian.
(B) A controller that complies with the verifiable parental consent requirements established in the “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. sec. 6501 et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to said act, as amended, is deemed to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(II).
(b)
(I) A controller that offers any online service, product, or feature to a consumer whom that controller actually knows or willfully disregards is a minor shall not:
(A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making, or choice; or
(B) Except as provided in subsection (3)(b)(II) of this section, offer any direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.
(II) Subsection (3)(b)(I)(B) of this section does not apply to an online service, product, or feature of which the predominant or exclusive function is:
(A) Electronic mail; or
(B) Direct messaging consisting of text, photos, or videos that are sent between devices by electronic means, where messages are shared between the sender and the recipient, only visible to the sender and the recipient, and not posted publicly.
(4) Subsections (2)(a) and (2)(b) of this section do not apply to any service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.
History
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2022, § 4, effective October 1, 2025.
6-1-1309. Data protection assessments - attorney general access and evaluation - definition.
(1) A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after July 1, 2023, that present a heightened risk of harm to a consumer.
(2) For purposes of this section, “processing that presents a heightened risk of harm to a consumer” includes the following:
(a) Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
(I) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(II) Financial or physical injury to consumers;
(III) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
(IV) Other substantial injury to consumers;
(b) Selling personal data; and
(c) Processing sensitive data.
(3) Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(4) A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection and copying under the “Colorado Open Records Act”, part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.
(5) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(6) Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3462, § 1, effective July 1, 2023.
6-1-1309.5. Data protection assessments - heightened risk of harm to minors.
[Editor’s note: This section is effective October 1, 2025.]
(1) A controller that, on or after October 1, 2025, offers any online service, product, or feature to a consumer whom such controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The controller shall conduct the data protection assessment:
(a) In a manner that is consistent with the requirements established in section 6-1-1309; and
(b) That addresses:
(I) The purpose of the online service, product, or feature;
(II) The categories of a minor’s personal data that the online service, product, or feature processes;
(III) The purposes for which the controller processes a minor’s personal data with respect to the online service, product, or feature; and
(IV) Any heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.
(2) A controller that conducts a data protection assessment pursuant to subsection (1) of this section shall:
(a) Review the data protection assessment as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of the data protection assessment; and
(b) Maintain documentation concerning the data protection assessment for the longer of:
(I) Three years after the date on which the processing operations cease; or
(II) The date the controller ceases offering the online service, product, or feature.
(3) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(4) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(5) If a controller conducts a data protection assessment pursuant to subsection (1) of this section or a data protection assessment review pursuant to subsection (2)(a) of this section and determines that the online service, product, or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the heightened risk.
(6)
(a) A data protection assessment conducted pursuant to this section:
(I) Is confidential, except as provided in subsection (6)(b) of this section; and
(II) Is not a public record, and is exempt from public inspection and copying, under the “Colorado Open Records Act”, part 2 of article 72 of title 24.
(b)
(I) A controller shall make a data protection assessment conducted pursuant to this section available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with section 6-1-1308.5 and with other laws, including this article 1.
(II) The disclosure of a data protection assessment pursuant to a request from the attorney general does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in the assessment.
(7) Data protection assessment requirements apply to processing activities created or generated after October 1, 2025, and are not retroactive.
History
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2024, § 4, effective October 1, 2025.
6-1-1310. Liability.
(1) Notwithstanding any provision in part 1 of this article 1, this part 13 does not authorize a private right of action for a violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including this article 1, the state constitution, or the United States constitution.
(2) Where more than one controller or processor, or both a controller and a processor, involved in the same processing violates this part 13, the liability shall be allocated among the parties according to principles of comparative fault.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3463, § 1, effective July 1, 2023.
6-1-1311. Enforcement - penalties - repeal.
(1)
(a) Notwithstanding any other provision of this article 1, the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.
(b) Notwithstanding any other provision of this article 1, nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.
(c) For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part 13 is a deceptive trade practice.
(d) [Editor’s note: This version of subsection (1)(d) is effective until January 1, 2025.] Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed, effective January 1, 2025.
(I) [Editor’s note: This version of subsection (1)(d) is effective (see the editor’s note following this section).] Prior to any enforcement action pursuant to subsection (1)(a) of this section, other than an enforcement action described in subsection (1)(d)(II) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d)(I) is repealed, effective January 1, 2025.
(II) Prior to any enforcement action pursuant to subsection (1)(a) of this section to enforce section 6-1-1305.5, 6-1-1308.5, or 6-1-1309.5, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d)(II) is repealed, effective December 31, 2026.
(2) The state treasurer shall credit all receipts from the imposition of civil penalties under this part 13 pursuant to section 24-31-108.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3463, § 1, effective July 1, 2023. L. 2024: (1)(d) amended(SB 24-041), ch. 296, p. 2026, § 5, effective October 1, 2025 (see editor’s note).
6-1-1312. Preemption - local governments.
This part 13 supersedes and preempts laws, ordinances, resolutions, regulations, or the equivalent adopted by any statutory or home rule municipality, county, or city and county regarding the processing of personal data by controllers or processors.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3464, § 1, effective July 1, 2023.
6-1-1313. Rules - opt-out mechanism.
(1) The attorney general may promulgate rules for the purpose of carrying out this part 13.
(2) By July 1, 2023, the attorney general shall adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B). The attorney general may update the rules that detail the technical specifications for the mechanisms from time to time to reflect the means by which consumers interact with controllers. The rules must:
(a) Not permit the manufacturer of a platform, browser, device, or any other product offering a universal opt-out mechanism to unfairly disadvantage another controller;
(b) Require controllers to inform consumers about the opt-out choices available under section 6-1-1306 (1)(a)(I);
(c) Not adopt a mechanism that is a default setting, but rather clearly represents the consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to section 6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B);
(d) Adopt a mechanism that is consumer-friendly, clearly described, and easy to use by the average consumer;
(e) Adopt a mechanism that is as consistent as possible with any other similar mechanism required by law or regulation in the United States; and
(f) Permit the controller to accurately authenticate the consumer as a resident of this state and determine that the mechanism represents a legitimate request to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B).
(3) By January 1, 2025, the attorney general may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of this part 13. The rules must become effective by July 1, 2025.
History
Source: L. 2021: Entire part added, (SB 21-190), ch. 483 p. 3464, § 1, effective July 1, 2023.
6-1-1314. Biometric data and biometric identifiers - controllers - duties and requirements - written policy - prohibited acts - right to correct biometric identifiers - right to access biometric identifiers - remedies and civil actions - rules - definitions.
(1) [Editor’s note: This section is effective July 1, 2025.] As used in this section, unless the context otherwise requires:
(a) “Collect”, “collection”, or “collecting” means to access, assemble, buy, rent, gather, procure, receive, capture, or otherwise obtain any biometric identifier or biometric data pertaining to a consumer by any means, online or offline, including:
(I) Actively or passively receiving a biometric identifier or biometric data from the consumer or from a third party; and
(II) Obtaining biometric data by observing the consumer’s behavior.
(b) “Employee” means an individual who is employed full-time, part-time, or on-call or who is hired as a contractor, subcontractor, intern, or fellow.
(c) “Legally authorized representative” means a parent or legal guardian of a minor or a legal guardian of an adult.
(2) Written policy required.
(a) A controller that controls or processes one or more biometric identifiers shall adopt a written policy that:
(I) Establishes a retention schedule for biometric identifiers and biometric data;
(II) Includes a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data, including a process for notifying a consumer when the security of the consumer’s biometric identifier or biometric data has been breached, pursuant to section 6-1-716; and
(III) Includes guidelines that require the deletion of a biometric identifier on or before the earliest of the following dates:
(A) The date upon which the initial purpose for collecting the biometric identifier has been satisfied;
(B) Twenty-four months after the consumer last interacted with the controller; or
(C) The earliest reasonably feasible date, which date must be no more than forty-five days after a controller determines that storage of the biometric identifier is no longer necessary, adequate, or relevant to the express processing purpose identified by a review conducted by the controller at least once annually. The controller may extend the forty-five-day period described in this subsection (2)(a)(III)(C) by up to forty-five additional days if such an extension is reasonably necessary, taking into account the complexity and number of biometric identifiers required to be deleted.
(b) A controller shall make its policy adopted pursuant to subsection (2)(a) of this section available to the public; except that a controller is not required to make available to the public:
(I) A written policy that applies only to current employees of the controller;
(II) A written policy that is used solely by employees and agents of the controller for the operation of the controller; or
(III) The internal protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data.
(3) Processors - security breach protocols. A processor of biometric identifiers or biometric data must have a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data, including a process for notifying the controller when the security of a consumer’s biometric identifier or biometric data has been breached, pursuant to section 6-1-716.
(4) Collection and retention of biometric identifiers - requirements - prohibited acts.
(a) A controller shall not collect or process a biometric identifier of a consumer unless the controller first:
(I) Satisfies all duties required by section 6-1-1308;
(II) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner that a biometric identifier is being collected;
(III) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner of the specific purpose for which a biometric identifier is being collected and the length of time that the controller will retain the biometric identifier; and
(IV) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner if the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor and the specific purpose for which the biometric identifier is being shared with a processor.
(b) A controller that processes a consumer’s biometric identifier shall not:
(I) Sell, lease, or trade the biometric identifier with any entity; or
(II) Disclose, redisclose, or otherwise disseminate the biometric identifier unless:
(A) The consumer or the consumer’s legally authorized representative consents to the disclosure, redisclosure, or other dissemination;
(B) The disclosure, redisclosure, or other dissemination is requested or authorized by the consumer or the consumer’s legally authorized representative for the purpose of completing a financial transaction;
(C) The disclosure, redisclosure, or other dissemination is to a processor and is necessary for the purpose for which the biometric identifier was collected and to which the consumer or the consumer’s legally authorized representative consented; or
(D) The disclosure, redisclosure, or other dissemination is required by state or federal law.
(c) A controller shall not:
(I) Refuse to provide a good or service to a consumer based on the consumer’s refusal to consent to the controller’s collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the collection, use, disclosure, transfer, sale, retention, or processing of the biometric identifier is necessary to provide the good or service;
(II) Charge a different price or rate for a good or service or provide a different level of quality of a good or service to any consumer who exercises the consumer’s rights under this part 13; or
(III) Purchase a biometric identifier unless the controller pays the consumer for the collection of the consumer’s biometric identifier, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained consent as described in subsection (4)(a) of this section.
(d) A controller or processor shall store, transmit, and protect from disclosure all biometric identifiers using the standard of care within the controller’s industry and in accordance with sections 6-1-1305 (4) and 6-1-1308 (5).
(e) A controller shall obtain consent from a consumer or from the consumer’s legally authorized representative before collecting the consumer’s biometric data, as required by section 6-1-1308 (7).
(5) Right to access biometric data - applicability - definition.
(a) Except as described in subsection (5)(b) of this section, at the request of a consumer or a consumer’s legally authorized representative, a controller that collects the consumer’s biometric data shall disclose to the consumer, free of charge, the category or description of the consumer’s biometric data and the following information:
(I) The source from which the controller collected the biometric data;
(II) The purpose for which the controller collected or processed the biometric data and any associated personal data;
(III) The identity of any third party with which the controller disclosed or discloses the biometric data and the purposes for disclosing; and
(IV) The category or a description of the specific biometric data that the controller discloses to third parties.
(b) The requirements of subsection (5)(a) of this section apply only to:
(I) A sole proprietorship, a partnership, a limited liability company, a corporation, an association, or another legal entity that:
(A) Conducts business in Colorado or produces or delivers commercial products or services that are marketed to Colorado residents;
(B) Collects biometric data or has biometric data collected on its behalf; and
(C) Either collects or processes the personal data of one hundred thousand individuals or more during a calendar year or collects and processes the personal data of twenty-five thousand individuals or more and derives revenue from, or receives a discount on the price of goods or services from, the sale of personal data;
(II) A controller that controls or is controlled by another controller and that shares common branding with the other controller. As used in this subsection (5)(b)(II), “common branding” means a shared name, service mark, or trademark that a consumer would reasonably understand to indicate that two or more entities are commonly owned.
(III) A joint venture or partnership consisting of no more than two businesses that share consumers’ personal data with each other.
(6) Use of consent by employers.
(a) An employer may require as a condition of employment that an employee or a prospective employee consent to allowing the employer to collect and process the employee’s or the prospective employee’s biometric identifier only to:
(I) Permit access to secure physical locations and secure electronic hardware and software applications; except that an employer shall not obtain the employee’s or prospective employee’s consent to retain biometric data that is used for current employee location tracking or the tracking of how much time the employee spends using a hardware or software application;
(II) Record the commencement and conclusion of the employee’s full work day, including meal breaks and rest breaks in excess of thirty minutes;
(III) Improve or monitor workplace safety or security or ensure the safety or security of employees; or
(IV) Improve or monitor the safety or security of the public in the event of an emergency or crisis situation.
(b) An employer and its processor may collect and process an employee’s or prospective employee’s biometric identifier for uses other than those described in subsection (6)(a) of this section only with the employee’s or prospective employee’s consent. An employer may not require that an employee or prospective employee consent to such collection or processing as a condition of employment or retaliate against an employee or prospective employee who does not consent to such collection or processing.
(c) So long as consent that is obtained for collection and processing as described in this section satisfies the definition of consent provided in section 6-1-1303 (5), consent is considered to be freely given and valid for the purposes described in subsection (6)(a) of this section.
(d) Nothing in this section restricts an employer’s or its processor’s ability to collect and process an employee’s or prospective employee’s biometric identifier for uses aligned with the reasonable expectations of:
(I) An employee based on the employee’s job description or role; or
(II) A prospective employee based on a reasonable background check, an application, or identification requirements in accordance with this section.
(7) Rules. The department of law may promulgate rules for the implementation of this section, including rules promulgated in consultation with the office of information technology and the department of regulatory agencies establishing appropriate security standards for biometric identifiers and biometric data that are more stringent than the requirements described in this section.
History
Source: L. 2024: Entire section added,(HB 24-1130), ch. 313, p. 2102, § 2, effective July 1, 2025.
Stay Ahead of the Curve! Explore our comprehensive CLIClaw Colorado Privacy Compliance Library for in-depth resources and insights.
For more information, see here: https://leg.colorado.gov/colorado-revised-statutes
AND
https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
AND
https://advance.lexis.com/container/?pdmfid=1000516&crid=ea46f1e5-1d17-401d-a538-cd28b426d788&config=0345494EJAA5ZjE0MDIyYy1kNzZkLTRkNzktYTkxMS04YmJhNjBlNWUwYzYKAFBvZENhdGFsb2e4CaPI4cak6laXLCWyLBO9&pdtocnodeid=AAGAABAABAAC&ecomp=g2vckkk&prid=809b16eb-5adb-4791-8252-8e7695c42fee
These materials were obtained directly from the State Government public websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.