Colorado Privacy Act, SB 21-190: What You Need to Know


On July 8, 2021, Colorado enacted the Colorado Privacy Act, SB 21-190, following Virginia and California.  The law becomes effective July 1, 2023.

Below are high-level details about the CPA. Please contact our firm to determine whether your organization must comply with the CPA, and, if so, the specifics regarding such compliance.

The law applies to any individual, corporation, government or governmental subdivision or agency, business trust, estate, trust, limited liability company, partnership, association, or other legal entity (“Controller”) that:  

  • alone or jointly with others, determines the purposes for and means of processing personal data
  • delivers commercial products/services targeted to Colorado residents
  • during a calendar year, controls or processes personal data of at least 100,000 consumers
  • derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes personal data of at least 25,000 consumers

Consumers have the following rights:

  • To confirm whether a controller is processing personal data and to access the personal data
  • To correct inaccuracies in the personal data
  • To deletion of their personal data
  • To data portability
  • To opt out of targeted advertising, sale or profiling

Controller Duties:

  • Transparency
  • Purpose specification and limits on secondary uses
  • Data minimization
  • Care in securing personal data
  • Avoid unlawful discrimination
  • Restriction on processing sensitive data absent consent

Other Obligations

  • Provision of a privacy notice
  • Contracts with processors
  • Data Protection Assessments
Skip to content