What the Colorado Privacy Act Covers
The Colorado Privacy Act (CPA), codified as SB 21-190, took effect on 1 July 2023. It applies to any entity that conducts business in Colorado or deliberately targets Colorado residents with products or services, provided the entity meets one of two thresholds: processing personal data of at least 100,000 consumers per calendar year, or processing personal data of at least 25,000 consumers while also deriving revenue from selling that data.
Unlike the CCPA, Colorado does not impose a separate revenue threshold. The law defines a "consumer" as a Colorado resident acting in an individual or household context, excluding employees and business contacts.
The CPA grants Colorado residents four core rights: the right to access, correct, and delete their personal data, and the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities.
Cookie Consent Under the CPA: Opt-Out, Not Opt-In
The CPA follows an opt-out model for most cookie-based tracking. Businesses are not required to obtain prior consent before setting cookies that collect personal data for analytics or advertising. This contrasts sharply with the GDPR's opt-in requirement, where cookies may not fire until a visitor actively consents.
There is one significant exception. Cookies or tracking technologies that collect sensitive personal data require opt-in consent before processing. Sensitive data under the CPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sex life or sexual orientation, citizenship status, genetic or biometric identifiers, and data from a known child.
If your website sets cookies that collect any of these categories, you must obtain affirmative consent before those cookies fire.
The Universal Opt-Out Mechanism Requirement
Since 1 July 2024, controllers subject to the CPA that process personal data for targeted advertising or the sale of personal data must recognise and honour a universal opt-out mechanism (UOOM). The Colorado Attorney General designated Global Privacy Control (GPC) as the first - and currently only - valid UOOM under the CPA.
GPC is a browser-level signal transmitted via the Sec-GPC HTTP header. When a visitor's browser sends Sec-GPC: 1, your website must treat this as a valid opt-out request for both targeted advertising and data sales. You cannot require the visitor to take additional steps, such as filling in a form or clicking through a separate opt-out page.
This requirement aligns Colorado with California's CCPA opt-out rules, which also mandate GPC recognition. Several other states have followed suit, including Connecticut and Montana.
What Happens If You Ignore GPC Signals
Failing to honour GPC signals is treated as a violation of the CPA. The Colorado Attorney General's office has indicated that UOOM compliance is a priority enforcement area. Since January 2025, the 60-day cure period has expired, meaning the AG can pursue penalties immediately without first offering a chance to fix the problem.
CPA Applicability and Threshold Details
The two applicability thresholds deserve careful attention. The 100,000-consumer threshold counts all Colorado residents whose personal data you process, not just those who interact with cookies or tracking. The 25,000-consumer threshold applies only if you also derive revenue from selling personal data.
One detail that catches many organisations off guard: the threshold includes data gathered in previous years but still stored. If you collected data from 80,000 Colorado consumers last year and 30,000 this year, you have crossed the 100,000 mark if last year's records remain in your systems.
| Requirement | Details |
|---|---|
| Effective date | 1 July 2023 |
| UOOM requirement date | 1 July 2024 |
| Cure period expiry | 1 January 2025 |
| Threshold A | 100,000+ Colorado consumers' data processed per year |
| Threshold B | 25,000+ consumers' data processed, plus revenue from data sales |
| Recognised UOOM | Global Privacy Control (GPC) |
| Consent model (general) | Opt-out |
| Consent model (sensitive data) | Opt-in |
| Maximum penalty | $2,000 per violation per consumer, up to $500,000 |
| Enforced by | Colorado Attorney General and District Attorneys |
How to Detect and Honour GPC on Your Website
Implementing GPC signal detection involves checking for the Sec-GPC header on the server side or the navigator.globalPrivacyControl property in JavaScript. When the header is present with the value 1, or the property is true, your site must suppress cookies used for targeted advertising and data sales.
Practically, this means your cookie consent management platform should:
- Detect the GPC signal before loading any tracking scripts
- Automatically set the visitor's opt-out preference for advertising and sale categories
- Continue to allow strictly necessary cookies (session identifiers, shopping cart tokens) regardless of GPC status
- Log the GPC-based opt-out for your records
A common mistake is treating GPC as a blanket rejection of all cookies. GPC specifically covers targeted advertising and data sales. Functional cookies and strictly necessary cookies are unaffected.
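The detection and category-scoped suppression described above, written out as an added example that is not code from the page or from Kukie.io: the server-side header check, the client-side property check, and a gating function that always lets strictly necessary cookies through while suppressing only the advertising and sale categories when GPC is set. The cookie inventory, category names and the log record shape are constructed sample data for illustration.

```javascript
// Added example (not the page's or Kukie.io's code): GPC detection and
// category-scoped cookie gating for a consent platform; data is constructed.
// Categories the CPA's universal opt-out covers. Strictly necessary,
// functional and aggregate-analytics cookies are not affected by GPC.
const GPC_COVERED = new Set(["advertising", "sale"]);

// Server side: Node lowercases header names, but normalise anyway. Only the
// exact value "1" is a valid GPC signal; anything else means "no signal".
function gpcFromHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(headers[name]).trim() === "1";
  }
  return false;
}

// Client side: GPC-capable browsers expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Constructed cookie inventory, as a cookie audit would produce it.
const COOKIE_INVENTORY = [
  { name: "session_id", category: "necessary" },
  { name: "ui_lang", category: "functional" },
  { name: "_ad_id", category: "advertising" },
  { name: "data_broker_sync", category: "sale" },
  { name: "_site_metrics", category: "analytics" },
];

// Decide which cookies may be set before any tracking script loads. storedPrefs
// holds banner choices per category; GPC opts the visitor out of covered
// categories even over a stored "accept"; necessary cookies are always allowed.
function applyGpc(inventory, gpc, storedPrefs = {}) {
  const allowed = [];
  const suppressed = [];
  for (const c of inventory) {
    const chosen = storedPrefs[c.category] !== false;
    const blockedByGpc = gpc && GPC_COVERED.has(c.category);
    const ok = c.category === "necessary" || (chosen && !blockedByGpc);
    (ok ? allowed : suppressed).push(c.name);
  }
  return { allowed, suppressed };
}

// Compliance log entry for a GPC-based opt-out; holds no personal data.
function gpcOptOutRecord(gpc, source, now = new Date()) {
  if (!gpc) return null;
  return { event: "uoom_opt_out", mechanism: "GPC", source,
           categories: [...GPC_COVERED], at: now.toISOString() };
}
```

Run applyGpc before any tag manager or advertising script is injected; if you do it afterwards, the cookies the CPA says must be suppressed have already been set.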
CPA vs CCPA vs GDPR: Key Differences for Cookie Compliance
Website owners operating across multiple jurisdictions need to understand where the CPA sits relative to other major frameworks.
| Feature | CPA (Colorado) | CCPA/CPRA (California) | GDPR (EU/EEA) |
|---|---|---|---|
| Cookie consent model | Opt-out | Opt-out | Opt-in |
| GPC recognition required | Yes (since July 2024) | Yes | No (but some DPAs supportive) |
| Sensitive data | Opt-in consent | Right to limit use | Opt-in consent (Article 9) |
| Revenue threshold | None | $25 million | None |
| Cure period | Expired January 2025 | None since July 2023 | None |
| Enforcement body | AG and District Attorneys | AG and CPPA | National DPAs |
The practical takeaway: if your site already honours GPC and provides a clear opt-out mechanism, CPA compliance for cookies is relatively straightforward. The harder work comes from sensitive data handling and data subject rights fulfilment.
Enforcement Landscape Since 2025
The Colorado Attorney General's office has been sending enforcement letters to businesses suspected of non-compliance, particularly around GPC recognition. While specific enforcement actions with publicly disclosed fines have not yet been widely reported, the expiry of the cure period on 1 January 2025 signals a shift toward stricter consequences.
Violations of the CPA are treated as deceptive trade practices under Colorado's Consumer Protection Act. Each violation can result in penalties of up to $2,000 per violation per consumer, with a maximum cap of $500,000. For a website with significant Colorado traffic, a systematic failure to honour GPC signals could accumulate substantial liability quickly.
The AG's office has made clear that UOOM compliance sits at the top of its priority list. Businesses that process personal data for targeted advertising should treat GPC support as non-optional.
Practical Steps to Comply with the CPA
Start with a cookie audit. Identify every cookie and tracker your site sets, classify them by purpose, and determine which ones fall under "targeted advertising" or "sale of personal data" as defined by the CPA.
Configure your consent management platform to detect GPC signals automatically. When Sec-GPC: 1 is present, the platform should suppress all non-essential advertising and sale-related cookies without requiring visitor interaction.
Review your data inventory for sensitive categories. If any cookies collect health information, biometric data, or data about children, switch those to an opt-in model with affirmative consent before the cookie fires.
Update your privacy policy to disclose CPA-specific rights, including the right to opt out via universal opt-out mechanisms. Provide a clear description of how your site recognises GPC.
Document your compliance measures. If the AG sends an inquiry, having a clear record of your GPC implementation, cookie categories, and consent processes will make the response far simpler.
How the CPA Fits into the Broader US Privacy Picture
Colorado was the third US state to pass a comprehensive privacy law, following California and Virginia. Since then, over a dozen states have enacted similar legislation. Many of these laws - including Connecticut's CTDPA, Montana's MCDPA, and Oregon's OCPA - also require GPC recognition.
For a full breakdown of how these frameworks compare, see the US state privacy laws comparison guide.
The trend is clear: universal opt-out signals are becoming a baseline requirement across US jurisdictions. Implementing GPC support now satisfies multiple state laws simultaneously.
Frequently Asked Questions
Does the Colorado Privacy Act require cookie consent banners?
The CPA does not mandate a traditional opt-in cookie banner like the GDPR. It requires an opt-out mechanism and recognition of GPC signals. A cookie banner offering opt-out choices is still recommended for transparency and to handle sensitive data consent.
What is Global Privacy Control and how does it work with the CPA?
Global Privacy Control is a browser signal sent via the Sec-GPC header. Under the CPA, businesses must treat this signal as a valid opt-out request for targeted advertising and data sales. It is the only universal opt-out mechanism currently recognised by the Colorado Attorney General.
Can I still use Google Analytics under the Colorado Privacy Act?
Yes, but if a visitor sends a GPC signal, you must suppress any analytics cookies used for targeted advertising or cross-site tracking. Standard analytics for aggregate measurement may continue, provided the data is not sold or used for targeted ads.
What are the penalties for violating the Colorado Privacy Act?
Violations are treated as deceptive trade practices, carrying fines of up to $2,000 per violation per consumer, capped at $500,000. Since January 2025, the 60-day cure period no longer applies, allowing immediate enforcement.
Does the CPA apply to small businesses?
The CPA applies based on data processing volume, not company size. If your website processes personal data of 100,000 or more Colorado consumers annually, or 25,000 consumers while generating revenue from data sales, the law applies regardless of your revenue.
How does the CPA handle children's data?
Data from a known child is classified as sensitive personal data under the CPA. This means you need opt-in consent - typically from a parent or guardian - before any cookies processing such data may fire.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether your GPC implementation meets the CPA's requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - including automatic GPC signal recognition - so your visitors get a clear choice, and you stay on the right side of the law.