Skip to content
What are requirements of the CPA?

What are the requirements of the CPA?

Consumers in Colorado grant consumers data subject rights and consent rights your business needs to fulfill. This section will go over these rights in more detail.

Data Subject Requests

Data subject requests (DSRs) are requests that users can make to exercise control over the personal information businesses collect on them.

Under CPA, Colorado residents have the following consumer rights:

Right to Know and Access Consumers are allowed to request to know if a company is collecting and processing their personal information, and access what personal data that company has on them.
Right to Correct Consumers are allowed to request that a company correct inaccurate information about them.
Right to Delete Consumers are allowed to request the deletion of all of the personal data a company has on them. This also extends to the personal data held by data processors, third-party vendors, or subcontractors.
Right to Data Portability Consumers are allowed to request a copy of the data a company holds on them in a machine-readable format.
Right to Appeal Consumers are allowed to challenge a company’s refusal to process a data subject request.

Colorado’s privacy law mandates that businesses respond to consumers' requests within 45 days. They can also extend for an additional 45 days if needed to process complicated requests.

Consent Requirements

Colorado’s privacy law also grants specific consent rights for consumers to exercise control over how their personal data is processed by businesses. Under CPA, businesses must enable consumers to submit their consent preferences online. Here are the opt-out and opt-in consent rights Colorado residents have:

Targeted Advertising Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.
Sale of Personal Data The exchange of personal data for monetary consideration by the controller to a third party
Profiling Any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
The Processing of Sensitive Data
  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  • The personal data collected from a known child (under 13 years old).
  • Precise geolocation data.

Businesses need to communicate how users can exercise their consent options through Privacy Notices on their websites.

Universal Opt-Out Mechanism

Under CPA, businesses must allow consumers to opt out via “a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting.” One of these technologies is a Universal Opt-Out Mechanism.

The Colorado Privacy Act Rules gives technical specifications for Universal Opt-Out Mechanisms, which include sending an opt-out signal “in a format commonly used and recognized by Controllers. An example would be an HTTP header field or JavaScript object.”

The Colorado Department of Law will release a list of approved Universal Opt-Out Mechanisms by January 1, 2024. Companies will then have until July 1, 2024 to prepare to recognize this list of Universal Opt-Out Mechanisms on their websites.


The Attorney General of Colorado and District Attorneys have exclusive authority over enforcing CPA. That means Coloradans do not have a private right of action and cannot directly sue a company for privacy violations.

If the AG sends your business a notice of a privacy violation, your business has a 60-day cure period to correct infractions. Take note that cure periods in Colorado will sunset by January 1, 2025, so businesses will need to make sure their privacy operations meet CPA standards by then.