Colorado Privacy Act
The Colorado Privacy Act (CPA) grants Colorado residents rights over their personal data, including the right to access, correct, delete, and opt out of processing for targeted advertising, profiling, or other discriminatory purposes. It applies to controllers and processors that (a) conduct business in Colorado or target Colorado residents, (b) process personal data of at least 100,000 Colorado residents annually, or (c) derive revenue of $25 million or more from the personal data of Colorado residents. The CPA also requires covered entities to implement data minimization, purpose limitation, and reasonable security measures, and to appoint a data protection officer (or designate a responsible individual).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)
Colorado Privacy Act: Consumer Rights (6-1-1306)
| Code | Title |
|---|---|
| COPA-1306-ACCESS | Right of Access |
| COPA-1306-APPEAL | Right to Appeal |
| COPA-1306-CORRECT | Right to Correction |
| COPA-1306-DELETE | Right to Deletion |
| COPA-1306-OPTOUT | Right to Opt Out |
| COPA-1306-PORTABILITY | Right to Data Portability |
Colorado Privacy Act: Controller Duties (6-1-1308)
| Code | Title |
|---|---|
| COPA-1308-CARE | Duty of Care (Security) |
| COPA-1308-CONSENT | Valid Consent and Dark Patterns |
| COPA-1308-MINIMIZATION | Duty of Data Minimization |
| COPA-1308-NONDISCRIM | Duty to Avoid Unlawful Discrimination |
| COPA-1308-PURPOSE | Duty of Purpose Specification |
| COPA-1308-SECONDARY | Duty to Avoid Secondary Use |
| COPA-1308-SENSITIVE | Duty Regarding Sensitive Data |
| COPA-1308-TRANSPARENCY | Duty of Transparency (Privacy Notice) |
Colorado Privacy Act: Enforcement and Rules (6-1-1310 to 1313)
| Code | Title |
|---|---|
| COPA-1310-LIABILITY | Liability and Processor Allocation |
| COPA-1311-ENFORCE | Enforcement by the Attorney General and District Attorneys |
| COPA-1313-RULES | Rules and Universal Opt-Out Mechanism |
Colorado Privacy Act: Processor and Assessments (6-1-1305/1309)
| Code | Title |
|---|---|
| COPA-1305-PROCESSOR | Processor Contracts and Role Responsibility |
| COPA-1309-DPA | Data Protection Assessments |
Colorado Privacy Act: Scope and Definitions (6-1-1303/1304/1307)
| Code | Title |
|---|---|
| COPA-1303-DEF | Definitions |
| COPA-1304-SCOPE | Applicability and Thresholds |
| COPA-1307-DEIDENT | De-identified and Pseudonymous Data |
Maps to 2 other frameworks
Frequently Asked Questions
What is the Colorado Privacy Act?
The Colorado Privacy Act is a compliance framework from the United States (Colorado) with 5 domains and 22 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does the Colorado Privacy Act have?
The Colorado Privacy Act has 22 controls organised across 5 domains. The largest domains are Colorado Privacy Act: Controller Duties (6-1-1308) (8 controls), Colorado Privacy Act: Consumer Rights (6-1-1306) (6 controls), and Colorado Privacy Act: Enforcement and Rules (6-1-1310 to 1313) (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does the Colorado Privacy Act map to?
The Colorado Privacy Act maps to 2 other compliance frameworks. The top mapping partners are CCPA/CPRA (41% coverage) and GDPR (36% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Colorado Privacy Act compliance?
Start your Colorado Privacy Act compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Colorado Privacy Act requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.