
Colorado Enacts Comprehensive Consumer Data Privacy Legislation

On July 6, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act. This makes Colorado the third state, behind California and Virginia, to enact comprehensive consumer data privacy legislation. The act becomes effective July 1, 2023.


The Colorado Privacy Act applies to a controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado,” and:

  1. Controls or processes the personal data of 100,000 or more consumers per calendar year; and/or
  2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.


Among other things, the act does not apply to information that is processed in compliance with the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, the Fair Credit Reporting Act, or the Gramm-Leach-Bliley Act.  In fact, financial institutions and affiliates that are subject to the GLBA are themselves exempt. Data maintained for “employment records purposes” is also exempt.

Consumer Rights

The act provides consumers the right to:

  1. Opt out of the processing of their personal data if related to targeted advertising, sale of personal data or certain profiling activities;
  2. Access their personal data;
  3. Correct inaccurate personal data;
  4. Delete personal data, in certain circumstances;
  5. Obtain a copy of their personal data in a readily usable format;
  6. Appeal a controller’s refusal to act on a request to exercise a right;
  7. Contact the attorney general with concerns about an appeal.

Sensitive data, which includes genetic or biometric data, personal data from a child and data that reveals certain personal characteristics, cannot be processed without first obtaining consent.

Security Standards/Risk Assessment

If the processing presents a “heightened risk of harm to a consumer,” a controller must conduct and document data processing assessments that “weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.”

Processing presents a “heightened risk of harm” if it is related to: 1) targeted advertising or profiling in certain circumstances; 2) selling personal data; or 3) processing sensitive data.


The act preempts local laws that would seek to regulate the processing of personal data.


The act does not provide a private right of action. If an alleged violation is not cured within 60 days of notice, the attorney general may bring an action under the Colorado Deceptive Trade Practices Act, which allows for injunctive relief and civil penalties “of not more than twenty thousand dollars for each violation.” Colo. Rev. Stat. § 6-1-112(1)(a).


The state attorney general is tasked with promulgating rules related to a “universal opt-out mechanism” and may also adopt rules governing the issuance of opinion letters and interpretative guidance.


The Colorado Privacy Act is similar in many ways to the Virginia Consumer Data Protection Act, staying the course in terms of basic consumer data privacy principles while maintaining a generally industry-friendly stance. For more information about state data privacy law and compliance click here.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
