Colorado Privacy Act (CPA): What Online Sellers Need to Know
The Colorado Privacy Act requires universal opt-out support and data protection assessments. Here's what it means for your e-commerce business.
2026-03-02
The Colorado Privacy Act (CPA) took effect on July 1, 2023, and stands out from other state privacy laws because of its strong universal opt-out mechanism requirement. Colorado was one of the first states to mandate that businesses honor browser-based opt-out signals like Global Privacy Control (GPC).
Who Does the CPA Apply To?
The CPA applies to businesses that conduct business in Colorado or target Colorado residents and meet either threshold:
- Control or process personal data of at least 100,000 Colorado consumers per year, OR
- Control or process personal data of at least 25,000 Colorado consumers and derive revenue or receive a discount from selling personal data
There is no minimum revenue threshold. If you meet the consumer count, the CPA applies regardless of your business size.
What Makes Colorado Different?
Universal Opt-Out Requirement
As of July 1, 2024, Colorado requires businesses to honor universal opt-out mechanisms — technical signals sent by a consumer's browser or device indicating they want to opt out of:
- Sale of personal data
- Targeted advertising
- Certain types of profiling
In practice, this means your website must detect and respect Global Privacy Control (GPC) signals. If a visitor's browser sends a GPC signal, you must treat it as a valid opt-out request — no pop-ups, no confirmation pages, no friction.
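An added example, not from the original article or from ClearConsent: a server-side Node.js sketch of honoring the signal described above. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the GPC specification; the function names, the tag catalogue and the deny-by-default behavior are hypothetical.

```javascript
// Purposes the article lists as covered by the universal opt-out.
const OPT_OUT_PURPOSES = ['sale', 'targetedAdvertising', 'profiling'];

// Browsers with GPC enabled send "Sec-GPC: 1" on each request (client-side
// scripts can read the same preference via navigator.globalPrivacyControl).
// Node lowercases incoming header names; any value other than "1" is no signal.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Merge stored preferences with the signal. The signal alone forces an
// opt-out for every covered purpose: no prompt, no confirmation step.
// Assumption in this sketch: a purpose with no stored choice is denied.
function resolveConsent(headers, stored = {}) {
  const gpc = hasGpcSignal(headers);
  const consent = { source: gpc ? 'gpc' : 'stored' };
  for (const purpose of OPT_OUT_PURPOSES) {
    consent[purpose] = gpc ? false : stored[purpose] === true;
  }
  return consent;
}

// Constructed tag catalogue: each script declares the purpose it serves.
const TAGS = [
  { src: '/js/cart.js', purpose: 'essential' },
  { src: 'https://ads.example/pixel.js', purpose: 'targetedAdvertising' },
  { src: 'https://broker.example/sync.js', purpose: 'sale' },
];

// Decide server-side which scripts reach the page, so an opted-out visitor
// never loads the tracker at all instead of loading it and being "ignored".
function scriptsToRender(consent, tags = TAGS) {
  return tags
    .filter((t) => t.purpose === 'essential' || consent[t.purpose] === true)
    .map((t) => t.src);
}

// Constructed request: the visitor previously accepted ads, but sends GPC now.
const demo = resolveConsent({ 'sec-gpc': '1' }, { targetedAdvertising: true });
console.log(demo.source, scriptsToRender(demo));
```

Filtering at render time, before any tag is emitted, is what keeps the opt-out free of friction: the visitor sees no banner and the advertising request is never made.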
Bona Fide Loyalty Programs
Colorado specifically addresses loyalty and rewards programs. You can offer financial incentives for data collection, but you must clearly disclose the terms and get opt-in consent.
Consumer Rights Under the CPA
Colorado residents have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their data in a usable format (data portability)
- Opt out of sale, targeted advertising, and profiling
You must respond within 45 days, with a possible 45-day extension.
CPA Compliance Checklist for E-Commerce
- Privacy policy covering all required disclosures — data categories, purposes, third parties, consumer rights
- GPC support — your site must detect and honor Global Privacy Control signals
- Cookie consent banner with clear opt-out for non-essential cookies
- "Do Not Sell" link if you use advertising trackers
- Data protection assessments for targeted advertising, data sales, sensitive data processing, or any high-risk processing
- Sensitive data consent — explicit opt-in before processing sensitive categories (health, biometric, precise geolocation, racial/ethnic origin, children's data)
- Consumer request process — documented workflow for handling access, delete, correct, and portability requests within 45 days
- Vendor contracts — written agreements with processors who handle personal data on your behalf
Penalties
The CPA is enforced by the Colorado Attorney General and district attorneys. There is no private right of action. Penalties can reach $20,000 per violation, which is higher than many other state privacy laws.
How to Check Your Compliance
ClearConsent scans your website against all 19 active US state privacy laws including the Colorado Privacy Act. It detects whether your site honors GPC signals, identifies trackers and cookies, checks for privacy policy presence, and tells you exactly what's missing.