Sec. 6-1-1301.
Short title. The short title of this part 13 is the "Colorado Privacy Act".
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3445, § 1, effective July 1,
2023.
Sec. 6-1-1302.
Legislative declaration. (1) The general assembly hereby:
(a)Finds that:
(I)The people of Colorado regard their privacy as a fundamental right and an essential
element of their individual freedom;
(II)Colorado's constitution explicitly provides the right to privacy under section 7 of
article II, and fundamental privacy rights have long been, and continue to be, integral to
protecting Coloradans and to safeguarding our democratic republic;
(III)[Editor's note: This version of subsection (1)(a)(III) is effective until October 1,
2025.] Ongoing advances in technology have produced exponential growth in the volume and
variety of personal data being generated, collected, stored, and analyzed, and these advances
present both promise and potential peril;
(III)[Editor's note: This version of subsection (1)(a)(III) is effective October 1, 2025.]
Ongoing advances in technology have produced exponential growth in the volume and variety of
personal data from individuals, including minors, being generated, collected, stored, and
analyzed, and these advances present both promise and potential peril;
(IV)The ability to harness and use data in positive ways is driving innovation and brings
beneficial technologies to society, but it has also created risks to privacy and freedom; and
(V)[Editor's note: This version of subsection (1)(a)(V) is effective until October 1,
2025.] The unauthorized disclosure of personal information and loss of privacy can have
devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in
personal time and finances to destruction of property, harassment, reputational damage,
emotional distress, and physical harm;
Colorado Revised Statutes 2024 Page 136 of 320 Uncertified Printout
(V)[Editor's note: This version of subsection (1)(a)(V) is effective October 1, 2025.]
The unauthorized disclosure of personal information, including a minor's personal information,
and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and
unnecessary costs in personal time and finances to destruction of property, harassment,
reputational damage, emotional distress, and physical harm;
(b)Determines that:
(I)Technological innovation and new uses of data can help solve societal problems and
improve lives, and it is possible to build a world where technological innovation and privacy can
coexist; and
(II)[Editor's note: This version of subsection (1)(b)(II) is effective until October 1,
2025.] States across the United States are looking to this part 13 and similar models to enact
state-based data privacy requirements and to exercise the leadership that is lacking at the
national level; and
(II)[Editor's note: This version of subsection (1)(b)(II) is effective October 1, 2025.]
States across the United States are looking to this part 13 and similar models to enact state-based
data privacy requirements, including data privacy requirements specifically targeted at minors'
data, and to exercise the leadership that is lacking at the national level; and
(c)Declares that:
(I)[Editor's note: This version of subsection (1)(c)(I) is effective until October 1,
2025.] By enacting this part 13, Colorado will be among the states that empower consumers to
protect their privacy and require companies to be responsible custodians of data as they continue
to innovate;
(I)[Editor's note: This version of subsection (1)(c)(I) is effective October 1, 2025.] By
enacting this part 13, Colorado will be among the states that empower consumers, including
minors, to protect their privacy and require companies to be responsible custodians of data as
they continue to innovate;
(II)This part 13 addresses issues of statewide concern and:
(A)Provides consumers the right to access, correct, and delete personal data and the
right to opt out not only of the sale of personal data but also of the collection and use of personal
data;
(A.5)[Editor's note: Subsection (1)(c)(II)(A.5) is effective October 1, 2025.] Provides
minors the right to control their personal data;
(B)Imposes an affirmative obligation upon companies to safeguard personal data; to
provide clear, understandable, and transparent information to consumers about how their
personal data are used; and to strengthen compliance and accountability by requiring data
protection assessments in the collection and use of personal data; and
(C)Empowers the attorney general and district attorneys to access and evaluate a
company's data protection assessments, to impose penalties where violations occur, and to
prevent future violations.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3445, § 1, effective July 1,
2023. L. 2024: (1)(a)(III), (1)(a)(V), (1)(b)(II), and (1)(c)(I) amended and (1)(c)(II)(A.5) added,
(SB 24-041), ch. 296, p. 2018, § 1, effective October 1, 2025.
Colorado Revised Statutes 2024 Page 137 of 320 Uncertified Printout
Editor's note: Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024,
provides that the act changing this section applies to conduct occurring on or after October 1,
2025.
Sec. 6-1-1303.
Definitions. As used in this part 13, unless the context otherwise requires:
(1)[Editor's note: This version of subsection (1) is effective until October 1, 2025.]
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with
another legal entity. As used in this subsection (1), "control" means:
(a)Ownership of, control of, or power to vote twenty-five percent or more of the
outstanding shares of any class of voting security of the entity, directly or indirectly, or acting
through one or more other persons;
(b)Control in any manner over the election of a majority of the directors, trustees, or
general partners of the entity or of individuals exercising similar functions; or
(c)The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the entity as determined by the applicable prudential regulator, as that
term is defined in 12 U.S.C. sec. 5481 (24), if any.
(1)[Editor's note: This version of subsection (1) is effective October 1, 2025.] "Adult"
means an individual who is eighteen years of age or older.
(1.5)[Editor's note: Subsection (1.5) is effective October 1, 2025.] (a) "Affiliate"
means a legal entity that controls, is controlled by, or is under common control with another
legal entity.
(b)As used in subsection (1.5)(a) of this section, "control" means:
(I)Ownership of, control of, or power to vote twenty-five percent or more of the
outstanding shares of any class of voting security of the entity, directly or indirectly, or acting
through one or more other persons;
(II)Control in any manner over the election of a majority of the directors, trustees, or
general partners of the entity or of individuals exercising similar functions; or
(III)The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the entity as determined by the applicable prudential regulator, as that
term is defined in 12 U.S.C. sec. 5481 (24), if any.
(2)"Authenticate" means to use reasonable means to determine that a request to exercise
any of the rights in section 6-1-1306 (1) is being made by or on behalf of the consumer who is
entitled to exercise the rights.
(2.2)"Biological data" means data generated by the technological processing,
measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or
neural properties, compositions, or activities or of an individual's body or bodily functions,
which data is used or intended to be used, singly or in combination with other personal data, for
identification purposes. "Biological data" includes neural data.
(2.4)[Editor's note: Subsection (2.4) is effective July 1, 2025.] (a) "Biometric data"
means one or more biometric identifiers that are used or intended to be used, singly or in
combination with each other or with other personal data, for identification purposes.
(b)"Biometric data" does not include the following unless the biometric data is used for
identification purposes:
(I)A digital or physical photograph;
(II)An audio or voice recording; or
Colorado Revised Statutes 2024 Page 138 of 320 Uncertified Printout
(III)Any data generated from a digital or physical photograph or an audio or video
recording.
(2.5)[Editor's note: Subsection (2.5) is effective July 1, 2025.] "Biometric identifier"
means data generated by the technological processing, measurement, or analysis of a consumer's
biological, physical, or behavioral characteristics, which data can be processed for the purpose of
uniquely identifying an individual. "Biometric identifier" includes:
(a)A fingerprint;
(b)A voiceprint;
(c)A scan or record of an eye retina or iris;
(d)A facial map, facial geometry, or facial template; or
(e)Other unique biological, physical, or behavioral patterns or characteristics.
(3)"Business associate" has the meaning established in 45 CFR 160.103.
(4)"Child" means an individual under thirteen years of age.
(5)"Consent" means a clear, affirmative act signifying a consumer's freely given,
specific, informed, and unambiguous agreement, such as by a written statement, including by
electronic means, or other clear, affirmative action by which the consumer signifies agreement to
the processing of personal data. The following does not constitute consent:
(a)Acceptance of a general or broad terms of use or similar document that contains
descriptions of personal data processing along with other, unrelated information;
(b)Hovering over, muting, pausing, or closing a given piece of content; and
(c)Agreement obtained through dark patterns.
(6)"Consumer":
(a)Means an individual who is a Colorado resident acting only in an individual or
household context; and
(b)Does not include an individual acting in a commercial or employment context, as a
job applicant, or as a beneficiary of someone acting in an employment context.
(7)"Controller" means a person that, alone or jointly with others, determines the
purposes for and means of processing personal data.
(8)"Covered entity" has the meaning established in 45 CFR 160.103.
(9)"Dark pattern" means a user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision-making, or choice.
(10)"Decisions that produce legal or similarly significant effects concerning a
consumer" means a decision that results in the provision or denial of financial or lending
services, housing, insurance, education enrollment or opportunity, criminal justice, employment
opportunities, health-care services, or access to essential goods or services.
(11)"De-identified data" means data that cannot reasonably be used to infer information
about, or otherwise be linked to, an identified or identifiable individual, or a device linked to
such an individual, if the controller that possesses the data:
(a)Takes reasonable measures to ensure that the data cannot be associated with an
individual;
(b)Publicly commits to maintain and use the data only in a de-identified fashion and not
attempt to re-identify the data; and
(c)Contractually obligates any recipients of the information to comply with the
requirements of this subsection (11).
Colorado Revised Statutes 2024 Page 139 of 320 Uncertified Printout
(12)"Health-care facility" means any entity that is licensed, certified, or otherwise
authorized or permitted by law to administer medical treatment in this state.
(13)"Health-care information" means individually identifiable information relating to
the past, present, or future health status of an individual.
(14)"Health-care provider" means a person licensed, certified, or registered in this state
to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry,
optometry, occupational therapy, or other healing arts under title 12.
(14.5)[Editor's note: Subsection (14.5) is effective October 1, 2025.] "Heightened risk
of harm to minors" means processing the personal data of minors in a manner that presents a
reasonably foreseeable risk that could cause:
(a)Unfair or deceptive treatment of, or unlawful disparate impact on, minors;
(b)Financial, physical, or reputational injury to minors;
(c)Unauthorized disclosure of the personal data of minors as a result of a security
breach, as defined in section 6-1-716 (1)(h); or
(d)Physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of minors if the intrusion would be offensive to a reasonable person.
(15)"HIPAA" means the federal "Health Insurance Portability and Accountability Act of
1996", as amended, 42 U.S.C. secs. 1320d to 1320d-9.
(16)"Identified or identifiable individual" means an individual who can be readily
identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, specific geolocation data, or an online identifier.
(16.5)[Editor's note: Subsection (16.5) is effective October 1, 2025.] "Minor" means
any consumer who is under eighteen years of age.
(16.7)"Neural data" means information that is generated by the measurement of the
activity of an individual's central or peripheral nervous systems and that can be processed by or
with the assistance of a device.
(16.8)[Editor's note: Subsection (16.8) is effective October 1, 2025.] "Online service,
product, or feature":
(a)Means any service, product, or feature that is provided online; and
(b)Does not include:
(I)Telecommunications service, as defined in 47 U.S.C. sec. 153 (53), as amended;
(II)Broadband internet access service, as defined in 47 CFR 54.400 (l), as amended; or
(III)The delivery or use of a physical product.
(17)"Personal data":
(a)Means information that is linked or reasonably linkable to an identified or
identifiable individual; and
(b)Does not include de-identified data or publicly available information. As used in this
subsection (17)(b), "publicly available information" means information that is lawfully made
available from federal, state, or local government records and information that a controller has a
reasonable basis to believe the consumer has lawfully made available to the general public.
(17.5)[Editor's note: Subsection (17.5) is effective October 1, 2025.] "Precise
geolocation data":
(a)Means information derived from technology, including global positioning system
level latitude and longitude coordinates or other mechanisms, that directly identifies the specific
Colorado Revised Statutes 2024 Page 140 of 320 Uncertified Printout
location of an individual with precision and accuracy within a radius of one thousand seven
hundred fifty feet; and
(b)Does not include:
(I)The content of communications regarding location; or
(II)Any data generated by or connected to advanced utility metering infrastructure
systems or equipment for use by a utility.
(18)"Process" or "processing" means the collection, use, sale, storage, disclosure,
analysis, deletion, or modification of personal data and includes the actions of a controller
directing a processor to process personal data.
(19)"Processor" means a person that processes personal data on behalf of a controller.
(20)"Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects concerning an identified or identifiable individual's
economic situation, health, personal preferences, interests, reliability, behavior, location, or
movements.
(21)"Protected health information" has the meaning established in 45 CFR 160.103.
(22)"Pseudonymous data" means personal data that can no longer be attributed to a
specific individual without the use of additional information if the additional information is kept
separately and is subject to technical and organizational measures to ensure that the personal
data are not attributed to a specific individual.
(23)(a) "Sale", "sell", or "sold" means the exchange of personal data for monetary or
other valuable consideration by a controller to a third party.
(b)"Sale", "sell", or "sold" does not include the following:
(I)The disclosure of personal data to a processor that processes the personal data on
behalf of a controller;
(II)The disclosure of personal data to a third party for purposes of providing a product
or service requested by the consumer;
(III)The disclosure or transfer of personal data to an affiliate of the controller;
(IV)The disclosure or transfer to a third party of personal data as an asset that is part of
a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third
party assumes control of all or part of the controller's assets; or
(V)The disclosure of personal data:
(A)That a consumer directs the controller to disclose or intentionally discloses by using
the controller to interact with a third party; or
(B)Intentionally made available by a consumer to the general public via a channel of
mass media.
(24)"Sensitive data" means:
(a)Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical
health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
(b)Genetic or biometric data that may be processed for the purpose of uniquely
identifying an individual;
(c)Personal data from a known child; or
(d)Biological data.
(25)"Targeted advertising":
Colorado Revised Statutes 2024 Page 141 of 320 Uncertified Printout
(a)Means displaying to a consumer an advertisement that is selected based on personal
data obtained or inferred over time from the consumer's activities across nonaffiliated websites,
applications, or online services to predict consumer preferences or interests; and
(b)Does not include:
(I)Advertising to a consumer in response to the consumer's request for information or
feedback;
(II)Advertisements based on activities within a controller's own websites or online
applications;
(III)Advertisements based on the context of a consumer's current search query, visit to a
website, or online application; or
(IV)Processing personal data solely for measuring or reporting advertising performance,
reach, or frequency.
(26)"Third party" means a person, public authority, agency, or body other than a
consumer, controller, processor, or affiliate of the processor or the controller.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3446, § 1, effective July 1,
2023. L. 2024: (2.5), (16.7), and (24)(d) added and (24)(b) and (24)(c) amended, (HB 1058), ch.
68, p. 224, § 2, effective August 7; (2.2) and (2.4) added, (HB 24-1130), ch. 313, p. 2107, § 3,
effective July 1, 2025; (1) amended and (1.5), (14.5), (16.5), (16.8), and (17.5) added, (SB 24-
041), ch. 296, p. 2019, § 1, effective October 1, 2025.
Editor's note: (1) Subsection (2.2) was numbered as (2.5) in HB 24-1058 but was
renumbered on revision for ease of location; subsections (2.4) and (2.5) were numbered as (2.2)
and (2.4) in HB 24-1130 but were renumbered on revision for ease of location.
(2)Section 3(2) of chapter 68 (HB 24-1058), Session Laws of Colorado 2024, provides
that the act changing this section applies to conduct occurring on or after August 7, 2024.
(3)Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024, provides
that the act changing this section applies to conduct occurring on or after October 1, 2025.
(4)Section 5(2) of chapter 313 (HB 24-1130), Session Laws of Colorado 2024, provides
that the act changing this section applies to the collection, retention, processing, and use of
biometric identifiers and biometric data on and after July 1, 2025.
Cross references: For the legislative declaration in HB 24-1058, see section 1 of chapter
68, Session Laws of Colorado 2024. For the legislative declaration in HB 24-1130, see section 1
of chapter 313, Session Laws of Colorado 2024.
Sec. 6-1-1304.
Applicability of part. (1) [Editor's note: This version of subsection (1) is
effective until July 1, 2025.] Except as specified in subsection (2) of this section, this part 13
applies to a controller that:
(a)Conducts business in Colorado or produces or delivers commercial products or
services that are intentionally targeted to residents of Colorado; and
(b)Satisfies one or both of the following thresholds:
(I)Controls or processes the personal data of one hundred thousand consumers or more
during a calendar year; or
Colorado Revised Statutes 2024 Page 142 of 320 Uncertified Printout
(II)Derives revenue or receives a discount on the price of goods or services from the
sale of personal data and processes or controls the personal data of twenty-five thousand
consumers or more.
(1)[Editor's note: This version of subsection (1) is effective July 1, 2025, until October
1, 2025.] Except as specified in subsection (2) of this section, this part 13 applies to a controller
that:
(a)(I) Conducts business in Colorado or produces or delivers commercial products or
services that are intentionally targeted to residents of Colorado; and
(II)Satisfies one or both of the following thresholds:
(A)Controls or processes the personal data of one hundred thousand consumers or more
during a calendar year; or
(B)Derives revenue or receives a discount on the price of goods or services from the
sale of personal data and processes or controls the personal data of twenty-five thousand
consumers or more; or
(b)Controls or processes any amount of biometric identifiers or biometric data
regardless of the amount of biometric identifiers or biometric data controlled or processed
annually; except that a controller that meets the qualifications of this subsection (1)(b) but does
not meet the qualifications of subsection (1)(a) of this section shall comply with this part 13 only
for the purposes of a biometric identifier or biometric data that the controller collects and
processes.
(1)[Editor's note: This version of subsection (1) is effective October 1, 2025.] Except
as specified in subsection (2) of this section:
(a)This part 13, other than sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5, applies to a
controller that:
(I)(A) Conducts business in Colorado or produces or delivers commercial products or
services that are intentionally targeted to residents of Colorado; and
(B)Satisfies one or both of the following thresholds: controls or processes the personal
data of one hundred thousand consumers or more during a calendar year; or derives revenue or
receives a discount on the price of goods or services from the sale of personal data and processes
or controls the personal data of twenty-five thousand consumers or more; or
(II)Controls or processes any amount of biometric identifiers or biometric data
regardless of the amount of biometric identifiers or biometric data controlled or processed
annually; except that a controller that meets the qualifications of this subsection (1)(b) but does
not meet the qualifications of subsection (1)(a) of this section shall comply with this part 13 only
for the purposes of a biometric identifier or biometric data that the controller collects and
processes;
(b)Sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5 to 6-1-1313 apply to a controller
that conducts business in Colorado or delivers commercial products or services that are
intentionally targeted to residents of Colorado.
(2)This part 13 does not apply to:
(a)Protected health information that is collected, stored, and processed by a covered
entity or its business associates;
(b)Health-care information that is governed by part 8 of article 1 of title 25 solely for
the purpose of access to medical records;
Colorado Revised Statutes 2024 Page 143 of 320 Uncertified Printout
(c)Patient identifying information, as defined in 42 CFR 2.11, that are governed by and
collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd-2;
(d)Identifiable private information, as defined in 45 CFR 46.102, for purposes of the
federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private
information that is collected as part of human subjects research pursuant to the ICH E6 Good
Clinical Practice Guideline issued by the International Council for Harmonisation of Technical
Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21
CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or
more of the categories set forth in this subsection (2)(d);
(e)Information and documents created by a covered entity for purposes of complying
with HIPAA and its implementing regulations;
(f)Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of
patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b-
21 to 299b-26;
(g)Information that is:
(I)De-identified in accordance with the requirements for de-identification set forth in 45
CFR 164; and
(II)Derived from any of the health-care-related information described in this section;
(h)Information maintained in the same manner as information under subsections (2)(a)
to (2)(g) of this section by:
(I)A covered entity or business associate;
(II)A health-care facility or health-care provider; or
(III)A program of a qualified service organization as defined in 42 CFR 2.11;
(i)(I) Except as provided in subsection (2)(i)(II) of this section, an activity involving the
collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on
a consumer's creditworthiness, credit standing, credit capacity, character, general reputation,
personal characteristics, or mode of living by:
(A)A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);
(B)A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that provides
information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a (d); or
(C)A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.
(II)This subsection (2)(i) applies only to the extent that the activity is regulated by the
federal "Fair Credit Reporting Act", 15 U.S.C. sec. 1681 et seq., as amended, and the personal
data are not collected, maintained, disclosed, sold, communicated, or used except as authorized
by the federal "Fair Credit Reporting Act", as amended.
(j)Personal data:
(I)Collected and maintained for purposes of article 22 of title 10;
(II)Collected, processed, sold, or disclosed pursuant to the federal "Gramm-Leach-
Bliley Act", 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the
collection, processing, sale, or disclosure is in compliance with that law;
(III)Collected, processed, sold, or disclosed pursuant to the federal "Driver's Privacy
Protection Act of 1994", 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing,
sale, or disclosure is regulated by that law, including implementing rules, regulations, or
exemptions;
Colorado Revised Statutes 2024 Page 144 of 320 Uncertified Printout
(IV)Regulated by the federal "Children's Online Privacy Protection Act of 1998", 15
U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance
with that law; or
(V)Regulated by the federal "Family Educational Rights and Privacy Act of 1974", 20
U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;
(k)Data maintained for employment records purposes;
(l)An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as
amended, and 49 U.S.C. sec. 41713, as amended;
(m)A national securities association registered pursuant to the federal "Securities
Exchange Act of 1934", 15 U.S.C. sec. 78o-3, as amended, or implementing regulations;
(n)Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I)
or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained,
disclosed, sold, communicated, or used except as authorized by state and federal law;
(o)Data maintained by a state institution of higher education, as defined in section 23-
18-102 (10), the state, the judicial department of the state, or a county, city and county, or
municipality if the data is collected, maintained, disclosed, communicated, and used as
authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not
effect any other exemption available under this part 13.
(p)Information used and disclosed in compliance with 45 CFR 164.512; or
(q)A financial institution or an affiliate of a financial institution as defined by and that is
subject to the federal "Gramm-Leach-Bliley Act", 15 U.S.C. sec. 6801 et seq., as amended, and
implementing regulations, including Regulation P, 12 CFR 1016.
(3)The obligations imposed on controllers or processors under this part 13 do not:
(a)Restrict a controller's or processor's ability to:
(I)Comply with federal, state, or local laws, rules, or regulations;
(II)Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, local, or other governmental authorities;
(III)Cooperate with law enforcement agencies concerning conduct or activity that the
controller or processor reasonably and in good faith believes may violate federal, state, or local
law;
(IV)Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
(V)Conduct internal research to improve, repair, or develop products, services, or
technology;
(VI)Identify and repair technical errors that impair existing or intended functionality;
(VII)Perform internal operations that are reasonably aligned with the expectations of the
consumer based on the consumer's existing relationship with the controller;
(VIII)Provide a product or service specifically requested by a consumer or the parent or
guardian of a child, perform a contract to which the consumer is a party, or take steps at the
request of the consumer prior to entering into a contract;
(IX)Protect the vital interests of the consumer or of another individual;
(X)Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,
harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of
systems; or investigate, report, or prosecute those responsible for any such action;
(XI)Process personal data for reasons of public interest in the area of public health, but
solely to the extent that the processing:
Colorado Revised Statutes 2024 Page 145 of 320 Uncertified Printout
(A)Is subject to suitable and specific measures to safeguard the rights of the consumer
whose personal data are processed; and
(B)Is under the responsibility of a professional subject to confidentiality obligations
under federal, state, or local law; or
(XII)Assist another person with any of the activities set forth in this subsection (3);
(b)Apply where compliance by the controller or processor with this part 13 would
violate an evidentiary privilege under Colorado law;
(c)Prevent a controller or processor from providing personal data concerning a
consumer to a person covered by an evidentiary privilege under Colorado law as part of a
privileged communication;
(d)[Editor's note: This version of subsection (3)(d) is effective until October 1, 2025.]
Apply to information made available by a third party that the controller has a reasonable basis to
believe is protected speech pursuant to applicable law; and
(d)[Editor's note: This version of subsection (3)(d) is effective October 1, 2025.] Apply
to information made available by a third party that the controller has a reasonable basis to
believe is protected speech pursuant to applicable law;
(e)[Editor's note: This version of subsection (3)(e) is effective until October 1, 2025.]
Apply to the processing of personal data by an individual in the course of a purely personal or
household activity.
(e)[Editor's note: This version of subsection (3)(e) is effective October 1, 2025.] Apply
to the processing of personal data by an individual in the course of a purely personal or
household activity;
(f)[Editor's note: Subsection (3)(f) is effective October 1, 2025.] Require a controller
or processor to implement an age verification or age-gating system or otherwise affirmatively
collect the age of consumers, but a controller that chooses to conduct commercially reasonable
age estimation to determine which consumers are minors is not liable for an erroneous age
estimation; and
(g)[Editor's note: Subsection (3)(g) is effective October 1, 2025.] Impose any
obligation on a controller or processor that adversely affects the rights of any person to freedom
of speech or freedom of the press guaranteed by the first amendment to the United States
constitution.
(4)Personal data that are processed by a controller pursuant to an exception provided by
this section:
(a)Shall not be processed for any purpose other than a purpose expressly listed in this
section or as otherwise authorized by this part 13; and
(b)Shall be processed solely to the extent that the processing is necessary, reasonable,
and proportionate to the specific purpose or purposes listed in this section or as otherwise
authorized by this part 13.
(5)If a controller processes personal data pursuant to an exemption in this section, the
controller bears the burden of demonstrating that the processing qualifies for the exemption and
complies with the requirements in subsection (4) of this section.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3450, § 1, effective July 1,
2023. L. 2024: (1) amended, (HB 24-1130), ch. 313, p. 2108, § 4, effective July 1, 2025; (1),
Colorado Revised Statutes 2024 Page 146 of 320 Uncertified Printout
(3)(d), and (3)(e) amended and (3)(f) and (3)(g) added, (SB 24-041), ch. 296, p. 2021, § 3,
effective October 1, 2025.
Editor's note: (1) Amendments to subsection (1) by SB 24-041 and HB 24-1130 were
harmonized, effective October 1, 2025.
(2)Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024, provides
that the act changing this section applies to conduct occurring on or after October 1, 2025.
(3)Section 5(2) of chapter 313 (HB 24-1130), Session Laws of Colorado 2024, provides
that the act changing this section applies to the collection, retention, processing, and use of
biometric identifiers and biometric data on and after July 1, 2025.
Cross references: For the legislative declaration in HB 24-1130, see section 1 of chapter
313, Session Laws of Colorado 2024.
Sec. 6-1-1305.
Responsibility according to role. (1) Controllers and processors shall meet
their respective obligations established under this part 13.
(2)Processors shall adhere to the instructions of the controller and assist the controller to
meet its obligations under this part 13. Taking into account the nature of processing and the
information available to the processor, the processor shall assist the controller by:
(a)Taking appropriate technical and organizational measures, insofar as this is possible,
for the fulfillment of the controller's obligation to respond to consumer requests to exercise their
rights pursuant to section 6-1-1306;
(b)Helping to meet the controller's obligations in relation to the security of processing
the personal data and in relation to the notification of a breach of the security of the system
pursuant to section 6-1-716; and
(c)Providing information to the controller necessary to enable the controller to conduct
and document any data protection assessments required by section 6-1-1309. The controller and
processor are each responsible for only the measures allocated to them.
(3)Notwithstanding the instructions of the controller, a processor shall:
(a)Ensure that each person processing the personal data is subject to a duty of
confidentiality with respect to the data; and
(b)Engage a subcontractor only after providing the controller with an opportunity to
object and pursuant to a written contract in accordance with subsection (5) of this section that
requires the subcontractor to meet the obligations of the processor with respect to the personal
data.
(4)Taking into account the context of processing, the controller and the processor shall
implement appropriate technical and organizational measures to ensure a level of security
appropriate to the risk and establish a clear allocation of the responsibilities between them to
implement the measures.
(5)Processing by a processor must be governed by a contract between the controller and
the processor that is binding on both parties and that sets out:
(a)The processing instructions to which the processor is bound, including the nature and
purpose of the processing;
(b)The type of personal data subject to the processing, and the duration of the
processing;
Colorado Revised Statutes 2024 Page 147 of 320 Uncertified Printout
(c)The requirements imposed by this subsection (5) and subsections (3) and (4) of this
section; and
(d)The following requirements:
(I)At the choice of the controller, the processor shall delete or return all personal data to
the controller as requested at the end of the provision of services, unless retention of the personal
data is required by law;
(II)(A) The processor shall make available to the controller all information necessary to
demonstrate compliance with the obligations in this part 13; and
(B)The processor shall allow for, and contribute to, reasonable audits and inspections by
the controller or the controller's designated auditor. Alternatively, the processor may, with the
controller's consent, arrange for a qualified and independent auditor to conduct, at least annually
and at the processor's expense, an audit of the processor's policies and technical and
organizational measures in support of the obligations under this part 13 using an appropriate and
accepted control standard or framework and audit procedure for the audits as applicable. The
processor shall provide a report of the audit to the controller upon request.
(6)In no event may a contract relieve a controller or a processor from the liabilities
imposed on them by virtue of its role in the processing relationship as defined by this part 13.
(7)Determining whether a person is acting as a controller or processor with respect to a
specific processing of data is a fact-based determination that depends upon the context in which
personal data are to be processed. A person that is not limited in its processing of personal data
pursuant to a controller's instructions, or that fails to adhere to the instructions, is a controller and
not a processor with respect to a specific processing of data. A processor that continues to adhere
to a controller's instructions with respect to a specific processing of personal data remains a
processor. If a processor begins, alone or jointly with others, determining the purposes and
means of the processing of personal data, it is a controller with respect to the processing.
(8)(a) A controller or processor that discloses personal data to another controller or
processor in compliance with this part 13 does not violate this part 13 if the recipient processes
the personal data in violation of this part 13, and, at the time of disclosing the personal data, the
disclosing controller or processor did not have actual knowledge that the recipient intended to
commit a violation.
(b)A controller or processor receiving personal data from a controller or processor in
compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this
part 13 if the controller or processor from which it receives the personal data fails to comply
with applicable obligations under this part 13.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3455, § 1, effective July 1,
2023.
Sec. 6-1-1305.5.
Responsibility according to role - processing data of minors. [Editor's
note: This section is effective October 1, 2025.] (1) A processor shall adhere to the instructions
of a controller and shall assist the controller to meet the controller's obligations under sections 6-
1-1308.5 and 6-1-1309.5, taking into account the nature of the processing and the information
available to the processor. The processor shall assist the controller by:
(a)Taking appropriate technical and organizational measures, insofar as this is possible,
for the fulfillment of the controller's obligations under section 6-1-1308.5; and
Colorado Revised Statutes 2024 Page 148 of 320 Uncertified Printout
(b)Providing information to enable the controller to conduct and document data
protection assessments pursuant to section 6-1-1309.5.
(2)A contract between a controller and a processor must satisfy the requirements in
section 6-1-1305 (5).
(3)Nothing in this section shall be construed to relieve a controller or processor from the
liabilities imposed on the controller or processor by virtue of the controller's or processor's role
in the processing relationship as described in sections 6-1-1308.5 and 6-1-1309.5.
(4)Determining whether a person is acting as a controller or processor with respect to a
specific processing of data is a fact-based determination that depends upon the context in which
personal data is to be processed. A person that is not limited in the person's processing of
personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, is a
controller and not a processor with respect to a specific processing of data. A processor that
continues to adhere to a controller's instructions with respect to a specific processing of personal
data remains a processor. If a processor begins, alone or jointly with others, determining the
purposes and means of the processing of personal data, the processor is a controller with respect
to the processing and may be subject to an enforcement action under section 6-1-1311.
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2021, § 4, effective
October 1, 2025.
Editor's note: Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024,
provides that the act adding this section applies to conduct occurring on or after October 1, 2025.
Sec. 6-1-1306.
Consumer personal data rights. (1) Consumers may exercise the following
rights by submitting a request using the methods specified by the controller in the privacy notice
required under section 6-1-1308 (1)(a). The method must take into account the ways in which
consumers normally interact with the controller, the need for secure and reliable communication
relating to the request, and the ability of the controller to authenticate the identity of the
consumer making the request. Controllers shall not require a consumer to create a new account
in order to exercise consumer rights pursuant to this section but may require a consumer to use
an existing account. A consumer may submit a request at any time to a controller specifying
which of the following rights the consumer wishes to exercise:
(a)Right to opt out. (I) A consumer has the right to opt out of the processing of
personal data concerning the consumer for purposes of:
(A)Targeted advertising;
(B)The sale of personal data; or
(C)Profiling in furtherance of decisions that produce legal or similarly significant
effects concerning a consumer.
(II)A consumer may authorize another person, acting on the consumer's behalf, to opt
out of the processing of the consumer's personal data for one or more of the purposes specified in
subsection (1)(a)(I) of this section, including through a technology indicating the consumer's
intent to opt out such as a web link indicating a preference or browser setting, browser extension,
or global device setting. A controller shall comply with an opt-out request received from a
person authorized by the consumer to act on the consumer's behalf if the controller is able to
Colorado Revised Statutes 2024 Page 149 of 320 Uncertified Printout
authenticate, with commercially reasonable effort, the identity of the consumer and the
authorized agent's authority to act on the consumer's behalf.
(III)A controller that processes personal data for purposes of targeted advertising or the
sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out
of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of
this section. The controller shall provide the opt-out method clearly and conspicuously in any
privacy notice required to be provided to consumers under this part 13, and in a clear,
conspicuous, and readily accessible location outside the privacy notice.
(IV)(A) Repealed.
(B)Effective July 1, 2024, a controller that processes personal data for purposes of
targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt
out of the processing of personal data concerning the consumer for purposes of targeted
advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of
this section by controllers through a user-selected universal opt-out mechanism that meets the
technical specifications established by the attorney general pursuant to section 6-1-1313.
(C)Notwithstanding a consumer's decision to exercise the right to opt out of the
processing of personal data through a universal opt-out mechanism pursuant to subsection
(1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web
page, application, or a similar method, to the processing of the consumer's personal data for
purposes of targeted advertising or the sale of personal data, and the consent takes precedence
over any choice reflected through the universal opt-out mechanism. Before obtaining a
consumer's consent to process personal data for purposes of targeted advertising or the sale of
personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer
with a clear and conspicuous notice informing the consumer about the choices available under
this section, describing the categories of personal data to be processed and the purposes for
which they will be processed, and explaining how and where the consumer may withdraw
consent. The web page, application, or other means by which a controller obtains a consumer's
consent to process personal data for purposes of targeted advertising or the sale of personal data
must also allow the consumer to revoke the consent as easily as it is affirmatively provided.
(b)Right of access. A consumer has the right to confirm whether a controller is
processing personal data concerning the consumer and to access the consumer's personal data.
(c)Right to correction. A consumer has the right to correct inaccuracies in the
consumer's personal data, taking into account the nature of the personal data and the purposes of
the processing of the consumer's personal data.
(d)Right to deletion. A consumer has the right to delete personal data concerning the
consumer.
(e)Right to data portability. When exercising the right to access personal data
pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data
in a portable and, to the extent technically feasible, readily usable format that allows the
consumer to transmit the data to another entity without hindrance. A consumer may exercise this
right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a
controller to provide the data to the consumer in a manner that would disclose the controller's
trade secrets.
(2)Responding to consumer requests. (a) A controller shall inform a consumer of any
action taken on a request under subsection (1) of this section without undue delay and, in any
Colorado Revised Statutes 2024 Page 150 of 320 Uncertified Printout
event, within forty-five days after receipt of the request. The controller may extend the forty-
five-day period by forty-five additional days where reasonably necessary, taking into account the
complexity and number of the requests. The controller shall inform the consumer of an extension
within forty-five days after receipt of the request, together with the reasons for the delay.
(b)If a controller does not take action on the request of a consumer, the controller shall
inform the consumer, without undue delay and, at the latest, within forty-five days after receipt
of the request, of the reasons for not taking action and instructions for how to appeal the decision
with the controller as described in subsection (3) of this section.
(c)Upon request, a controller shall provide to the consumer the information specified in
this section free of charge; except that, for a second or subsequent request within a twelve-month
period, the controller may charge an amount calculated in the manner specified in section 24-72-
205 (5)(a).
(d)A controller is not required to comply with a request to exercise any of the rights
under subsection (1) of this section if the controller is unable to authenticate the request using
commercially reasonable efforts, in which case the controller may request the provision of
additional information reasonably necessary to authenticate the request.
(3)(a) A controller shall establish an internal process whereby consumers may appeal a
refusal to take action on a request to exercise any of the rights under subsection (1) of this
section within a reasonable period after the consumer's receipt of the notice sent by the controller
under subsection (2)(b) of this section. The appeal process must be conspicuously available and
as easy to use as the process for submitting a request under this section.
(b)Within forty-five days after receipt of an appeal, a controller shall inform the
consumer of any action taken or not taken in response to the appeal, along with a written
explanation of the reasons in support of the response. The controller may extend the forty-five-
day period by sixty additional days where reasonably necessary, taking into account the
complexity and number of requests serving as the basis for the appeal. The controller shall
inform the consumer of an extension within forty-five days after receipt of the appeal, together
with the reasons for the delay.
(c)The controller shall inform the consumer of the consumer's ability to contact the
attorney general if the consumer has concerns about the result of the appeal.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3457, § 1, effective July 1,
2023.
Editor's note: Subsection (1)(a)(IV)(A) provided for the repeal of subsection
(1)(a)(IV)(A), effective July 1, 2024. (See L. 2021, p. 3457.)
Sec. 6-1-1307.
Processing de-identified data. (1) This part 13 does not require a controller
or processor to do any of the following solely for purposes of complying with this part 13:
(a)Reidentify de-identified data;
(b)Comply with an authenticated consumer request to access, correct, delete, or provide
personal data in a portable format pursuant to section 6-1-1306 (1), if all of the following are
true:
(I)(A) The controller is not reasonably capable of associating the request with the
personal data; or
Colorado Revised Statutes 2024 Page 151 of 320 Uncertified Printout
(B)It would be unreasonably burdensome for the controller to associate the request with
the personal data;
(II)The controller does not use the personal data to recognize or respond to the specific
consumer who is the subject of the personal data or associate the personal data with other
personal data about the same specific consumer; and
(III)The controller does not sell the personal data to any third party or otherwise
voluntarily disclose the personal data to any third party, except as otherwise authorized by the
consumer; or
(c)Maintain data in identifiable form or collect, obtain, retain, or access any data or
technology in order to enable the controller to associate an authenticated consumer request with
personal data.
(2)A controller that uses de-identified data shall exercise reasonable oversight to
monitor compliance with any contractual commitments to which the de-identified data are
subject and shall take appropriate steps to address any breaches of contractual commitments.
(3)The rights contained in section 6-1-1306 (1)(b) to (1)(e) do not apply to
pseudonymous data if the controller can demonstrate that the information necessary to identify
the consumer is kept separately and is subject to effective technical and organizational controls
that prevent the controller from accessing the information.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3460, § 1, effective July 1,
2023.
Sec. 6-1-1308.
Duties of controllers. (1) Duty of transparency. (a) A controller shall
provide consumers with a reasonably accessible, clear, and meaningful privacy notice that
includes:
(I)The categories of personal data collected or processed by the controller or a
processor;
(II)The purposes for which the categories of personal data are processed;
(III)How and where consumers may exercise the rights pursuant to section 6-1-1306,
including the controller's contact information and how a consumer may appeal a controller's
action with regard to the consumer's request;
(IV)The categories of personal data that the controller shares with third parties, if any;
and
(V)The categories of third parties, if any, with whom the controller shares personal data.
(b)If a controller sells personal data to third parties or processes personal data for
targeted advertising, the controller shall clearly and conspicuously disclose the sale or
processing, as well as the manner in which a consumer may exercise the right to opt out of the
sale or processing.
(c)A controller shall not:
(I)Require a consumer to create a new account in order to exercise a right; or
(II)Based solely on the exercise of a right and unrelated to feasibility or the value of a
service, increase the cost of, or decrease the availability of, the product or service.
(d)Nothing in this part 13 shall be construed to require a controller to provide a product
or service that requires the personal data of a consumer that the controller does not collect or
maintain or to prohibit a controller from offering a different price, rate, level, quality, or
Colorado Revised Statutes 2024 Page 152 of 320 Uncertified Printout
selection of goods or services to a consumer, including offering goods or services for no fee, if
the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards,
premium features, discount, or club card program.
(2)Duty of purpose specification. A controller shall specify the express purposes for
which personal data are collected and processed.
(3)Duty of data minimization. A controller's collection of personal data must be
adequate, relevant, and limited to what is reasonably necessary in relation to the specified
purposes for which the data are processed.
(4)Duty to avoid secondary use. A controller shall not process personal data for
purposes that are not reasonably necessary to or compatible with the specified purposes for
which the personal data are processed, unless the controller first obtains the consumer's consent.
(5)Duty of care. A controller shall take reasonable measures to secure personal data
during both storage and use from unauthorized acquisition. The data security practices must be
appropriate to the volume, scope, and nature of the personal data processed and the nature of the
business.
(6)Duty to avoid unlawful discrimination. A controller shall not process personal data
in violation of state or federal laws that prohibit unlawful discrimination against consumers.
(7)Duty regarding sensitive data. A controller shall not process a consumer's sensitive
data without first obtaining the consumer's consent or, in the case of the processing of personal
data concerning a known child, without first obtaining consent from the child's parent or lawful
guardian.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3460, § 1, effective July 1,
2023.
Sec. 6-1-1308.5.
Duties of controllers - duty of care - rebuttable presumption. [Editor's
note: This section is effective October 1, 2025.] (1) (a) A controller that offers any online
service, product, or feature to a consumer whom the controller actually knows or willfully
disregards is a minor shall use reasonable care to avoid any heightened risk of harm to minors
caused by the online service, product, or feature.
(b)In any enforcement action brought by the attorney general or a district attorney
pursuant to section 6-1-1311, there is a rebuttable presumption that a controller used reasonable
care as required under this section if the controller complied with this section.
(2)Unless a controller has obtained consent in accordance with subsection (3) of this
section, a controller that offers any online service, product, or feature to a consumer whom the
controller actually knows or willfully disregards is a minor shall not:
(a)Process a minor's personal data:
(I)For the purposes of:
(A)Targeted advertising;
(B)The sale of personal data; or
(C)Profiling in furtherance of decisions that produce legal or similarly significant
effects concerning a consumer;
(II)For any processing purpose other than the processing purpose that the controller
disclosed at the time the controller collected the minor's personal data or that is reasonably
Colorado Revised Statutes 2024 Page 153 of 320 Uncertified Printout
necessary for, and compatible with, the processing purpose that the controller disclosed at the
time the controller collected the minor's personal data; or
(III)For longer than is reasonably necessary to provide the online service, product, or
feature;
(b)Use any system design feature to significantly increase, sustain, or extend a minor's
use of the online service, product, or feature; or
(c)Collect a minor's precise geolocation data unless:
(I)The minor's precise geolocation data is reasonably necessary for the controller to
provide the online service, product, or feature;
(II)The controller only collects and retains the minor's precise geolocation data for the
time necessary to provide the online service, product, or feature; and
(III)The controller provides to the minor a signal indicating that the controller is
collecting the minor's precise geolocation data and makes the signal available to the minor for
the entire duration of the collection of the minor's precise geolocation data; except that this
subsection (2)(c)(III) does not apply to any service or application that is used by and under the
direction of a ski area operator, as defined in section 33-44-103 (7).
(3)(a) A controller shall not engage in the activities described in subsection (2) of this
section unless the controller obtains:
(I)The minor's consent; or
(II)(A) If the minor is a child, the consent of the minor's parent or legal guardian.
(B)A controller that complies with the verifiable parental consent requirements
established in the "Children's Online Privacy Protection Act of 1998", 15 U.S.C. sec. 6501 et
seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to said
act, as amended, is deemed to have satisfied any requirement to obtain parental consent under
this subsection (3)(a)(II).
(b)(I) A controller that offers any online service, product, or feature to a consumer
whom that controller actually knows or willfully disregards is a minor shall not:
(A)Provide any consent mechanism that is designed to substantially subvert or impair,
or is manipulated with the effect of substantially subverting or impairing, user autonomy,
decision-making, or choice; or
(B)Except as provided in subsection (3)(b)(II) of this section, offer any direct messaging
apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to
limit the ability of an adult to send unsolicited communications to the minor with whom the
adult is not connected.
(II)Subsection (3)(b)(I)(B) of this section does not apply to an online service, product,
or feature of which the predominant or exclusive function is:
(A)Electronic mail; or
(B)Direct messaging consisting of text, photos, or videos that are sent between devices
by electronic means, where messages are shared between the sender and the recipient, only
visible to the sender and the recipient, and not posted publicly.
(4)Subsections (2)(a) and (2)(b) of this section do not apply to any service or
application that is used by and under the direction of an educational entity, including a learning
management system or a student engagement program.
Colorado Revised Statutes 2024 Page 154 of 320 Uncertified Printout
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2022, § 4, effective
October 1, 2025.
Editor's note: Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024,
provides that the act adding this section applies to conduct occurring on or after October 1, 2025.
Sec. 6-1-1309.
Data protection assessments - attorney general access and evaluation -
definition. (1) A controller shall not conduct processing that presents a heightened risk of harm
to a consumer without conducting and documenting a data protection assessment of each of its
processing activities that involve personal data acquired on or after July 1, 2023, that present a
heightened risk of harm to a consumer.
(2)For purposes of this section, "processing that presents a heightened risk of harm to a
consumer" includes the following:
(a)Processing personal data for purposes of targeted advertising or for profiling if the
profiling presents a reasonably foreseeable risk of:
(I)Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(II)Financial or physical injury to consumers;
(III)A physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of consumers if the intrusion would be offensive to a reasonable person; or
(IV)Other substantial injury to consumers;
(b)Selling personal data; and
(c)Processing sensitive data.
(3)Data protection assessments must identify and weigh the benefits that may flow,
directly and indirectly, from the processing to the controller, the consumer, other stakeholders,
and the public against the potential risks to the rights of the consumer associated with the
processing, as mitigated by safeguards that the controller can employ to reduce the risks. The
controller shall factor into this assessment the use of de-identified data and the reasonable
expectations of consumers, as well as the context of the processing and the relationship between
the controller and the consumer whose personal data will be processed.
(4)A controller shall make the data protection assessment available to the attorney
general upon request. The attorney general may evaluate the data protection assessment for
compliance with the duties contained in section 6-1-1308 and with other laws, including this
article 1. Data protection assessments are confidential and exempt from public inspection and
copying under the "Colorado Open Records Act", part 2 of article 72 of title 24. The disclosure
of a data protection assessment pursuant to a request from the attorney general under this
subsection (4) does not constitute a waiver of any attorney-client privilege or work-product
protection that might otherwise exist with respect to the assessment and any information
contained in the assessment.
(5)A single data protection assessment may address a comparable set of processing
operations that include similar activities.
(6)Data protection assessment requirements apply to processing activities created or
generated after July 1, 2023, and are not retroactive.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3462, § 1, effective July 1,
2023.
Colorado Revised Statutes 2024 Page 155 of 320 Uncertified Printout
Sec. 6-1-1309.5.
Data protection assessments - heightened risk of harm to minors.
[Editor's note: This section is effective October 1, 2025.] (1) A controller that, on or after
October 1, 2025, offers any online service, product, or feature to a consumer whom such
controller actually knows or willfully disregards is a minor shall conduct a data protection
assessment for the online service, product, or feature if there is a heightened risk of harm to
minors. The controller shall conduct the data protection assessment:
(a)In a manner that is consistent with the requirements established in section 6-1-1309;
and
(b)That addresses:
(I)The purpose of the online service, product, or feature;
(II)The categories of a minor's personal data that the online service, product, or feature
processes;
(III)The purposes for which the controller processes a minor's personal data with respect
to the online service, product, or feature; and
(IV)Any heightened risk of harm to minors that is a reasonably foreseeable result of
offering the online service, product, or feature to minors.
(2)A controller that conducts a data protection assessment pursuant to subsection (1) of
this section shall:
(a)Review the data protection assessment as necessary to account for any material
change to the processing operations of the online service, product, or feature that is the subject of
the data protection assessment; and
(b)Maintain documentation concerning the data protection assessment for the longer of:
(I)Three years after the date on which the processing operations cease; or
(II)The date the controller ceases offering the online service, product, or feature.
(3)A single data protection assessment may address a comparable set of processing
operations that include similar activities.
(4)If a controller conducts a data protection assessment for the purpose of complying
with another applicable law or regulation, the data protection assessment is deemed to satisfy the
requirements established in this section if the data protection assessment is reasonably similar in
scope and effect to the data protection assessment that would otherwise be conducted pursuant to
this section.
(5)If a controller conducts a data protection assessment pursuant to subsection (1) of
this section or a data protection assessment review pursuant to subsection (2)(a) of this section
and determines that the online service, product, or feature that is the subject of the assessment
poses a heightened risk of harm to minors, the controller shall establish and implement a plan to
mitigate or eliminate the heightened risk.
(6)(a) A data protection assessment conducted pursuant to this section:
(I)Is confidential, except as provided in subsection (6)(b) of this section; and
(II)Is not a public record, and is exempt from public inspection and copying, under the
"Colorado Open Records Act", part 2 of article 72 of title 24.
(b)(I) A controller shall make a data protection assessment conducted pursuant to this
section available to the attorney general upon request. The attorney general may evaluate the
data protection assessment for compliance with section 6-1-1308.5 and with other laws,
including this article 1.
Colorado Revised Statutes 2024 Page 156 of 320 Uncertified Printout
(II)The disclosure of a data protection assessment pursuant to a request from the
attorney general does not constitute a waiver of any attorney-client privilege or work-product
protection that might otherwise exist with respect to the assessment and any information in the
assessment.
(7)Data protection assessment requirements apply to processing activities created or
generated after October 1, 2025, and are not retroactive.
Source: L. 2024: Entire section added, (SB 24-041), ch. 296, p. 2024, § 4, effective
October 1, 2025.
Editor's note: Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024,
provides that the act adding this section applies to conduct occurring on or after October 1, 2025.
Sec. 6-1-1310.
Liability. (1) Notwithstanding any provision in part 1 of this article 1, this
part 13 does not authorize a private right of action for a violation of this part 13 or any other
provision of law. This subsection (1) neither relieves any party from any duties or obligations
imposed, nor alters any independent rights that consumers have, under other laws, including this
article 1, the state constitution, or the United States constitution.
(2)Where more than one controller or processor, or both a controller and a processor,
involved in the same processing violates this part 13, the liability shall be allocated among the
parties according to principles of comparative fault.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3463, § 1, effective July 1,
2023.
Sec. 6-1-1311.
Enforcement - penalties - repeal. (1) (a) Notwithstanding any other
provision of this article 1, the attorney general and district attorneys have exclusive authority to
enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf
of persons residing in the state to enforce this part 13 as provided in this article 1, including
seeking an injunction to enjoin a violation of this part 13.
(b)Notwithstanding any other provision of this article 1, nothing in this part 13 shall be
construed as providing the basis for, or being subject to, a private right of action for violations of
this part 13 or any other law.
(c)For purposes only of enforcement of this part 13 by the attorney general or a district
attorney, a violation of this part 13 is a deceptive trade practice.
(d)[Editor's note: This version of subsection (1)(d) is effective until January 1, 2025.]
Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general
or district attorney must issue a notice of violation to the controller if a cure is deemed possible.
If the controller fails to cure the violation within sixty days after receipt of the notice of
violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed,
effective January 1, 2025.
(d)[Editor's note: This version of subsection (1)(d) is effective (see the editor's note
following this section).] (I) Prior to any enforcement action pursuant to subsection (1)(a) of this
section, other than an enforcement action described in subsection (1)(d)(II) of this section, the
attorney general or district attorney must issue a notice of violation to the controller if a cure is
Colorado Revised Statutes 2024 Page 157 of 320 Uncertified Printout
deemed possible. If the controller fails to cure the violation within sixty days after receipt of the
notice of violation, an action may be brought pursuant to this section. This subsection (1)(d)(I) is
repealed, effective January 1, 2025.
(II)Prior to any enforcement action pursuant to subsection (1)(a) of this section to
enforce section 6-1-1305.5, 6-1-1308.5, or 6-1-1309.5, the attorney general or district attorney
must issue a notice of violation to the controller if a cure is deemed possible. If the controller
fails to cure the violation within sixty days after receipt of the notice of violation, an action may
be brought pursuant to this section. This subsection (1)(d)(II) is repealed, effective December 31,
2026.
(2)The state treasurer shall credit all receipts from the imposition of civil penalties
under this part 13 pursuant to section 24-31-108.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3463, § 1, effective July 1,
2023. L. 2024: (1)(d) amended (SB 24-041), ch. 296, p. 2026, § 5, effective October 1, 2025 (see
editor's note).
Editor's note: (1) SB 24-041 amended subsection (1)(d), effective October 1, 2025, but
those amendments to subsection (1)(d)(I), as it would become effective October 1, 2025, will not
take effect due to the repeal of subsection (1)(d)(I), effective January 1, 2025. Subsection
(1)(d)(II) is effective October 1, 2025. (See L. 2024, p. 2026.)
(2)Section 6(2) of chapter 296 (SB 24-041), Session Laws of Colorado 2024, provides
that the act changing this section applies to conduct occurring on or after October 1, 2025.
Sec. 6-1-1312.
Preemption - local governments. This part 13 supersedes and preempts laws,
ordinances, resolutions, regulations, or the equivalent adopted by any statutory or home rule
municipality, county, or city and county regarding the processing of personal data by controllers
or processors.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3464, § 1, effective July 1,
2023.
Sec. 6-1-1313.
Rules - opt-out mechanism. (1) The attorney general may promulgate rules
for the purpose of carrying out this part 13.
(2)By July 1, 2023, the attorney general shall adopt rules that detail the technical
specifications for one or more universal opt-out mechanisms that clearly communicate a
consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of
personal data for purposes of targeted advertising or the sale of personal data pursuant to section
6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B). The attorney general may update the rules that detail the
technical specifications for the mechanisms from time to time to reflect the means by which
consumers interact with controllers. The rules must:
(a)Not permit the manufacturer of a platform, browser, device, or any other product
offering a universal opt-out mechanism to unfairly disadvantage another controller;
(b)Require controllers to inform consumers about the opt-out choices available under
section 6-1-1306 (1)(a)(I);
Colorado Revised Statutes 2024 Page 158 of 320 Uncertified Printout
(c)Not adopt a mechanism that is a default setting, but rather clearly represents the
consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of
personal data pursuant to section 6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B);
(d)Adopt a mechanism that is consumer-friendly, clearly described, and easy to use by
the average consumer;
(e)Adopt a mechanism that is as consistent as possible with any other similar
mechanism required by law or regulation in the United States; and
(f)Permit the controller to accurately authenticate the consumer as a resident of this state
and determine that the mechanism represents a legitimate request to opt out of the processing of
personal data for purposes of targeted advertising or the sale of personal data pursuant to section
6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B).
(3)By January 1, 2025, the attorney general may adopt rules that govern the process of
issuing opinion letters and interpretive guidance to develop an operational framework for
business that includes a good faith reliance defense of an action that may otherwise constitute a
violation of this part 13. The rules must become effective by July 1, 2025.
Source: L. 2021: Entire part added, (SB 21-190), ch. 483 p. 3464, § 1, effective July 1,
2023.