Colorado Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to Colorado data privacy and cybersecurity laws, including the Colorado Privacy Act, C.R.S. § 6-1-716 breach notification, and compliance requirements for businesses operating in the state.

Colorado has established itself as one of the leading states in data privacy regulation. The Colorado Privacy Act (CPA), signed into law in June 2021 and effective July 1, 2023, made Colorado just the third state in the nation — after California and Virginia — to enact a comprehensive consumer data privacy law. Combined with the state's existing breach notification requirements under C.R.S. § 6-1-716, which impose one of the shortest notification deadlines in the country, Colorado businesses face a regulatory environment that demands serious attention to data protection.

This is not abstract regulatory compliance. Colorado's data breach history — including the HCPF MOVEit breach that exposed the records of more than four million residents — demonstrates exactly why the legislature has moved aggressively to strengthen privacy protections. The threat landscape facing Colorado's aerospace, defense, technology, and energy sectors makes compliance both a legal obligation and a practical necessity for business survival.

The Colorado Privacy Act (CPA)

The Colorado Privacy Act (SB 21-190) is the state's comprehensive consumer data privacy law. It was a landmark piece of legislation when passed, placing Colorado alongside California (CCPA/CPRA) and Virginia (VCDPA) as early movers in state-level data privacy. The CPA took effect on July 1, 2023, with the Colorado Attorney General's final rules becoming enforceable on the same date.

Who the CPA Applies To

The CPA applies to entities that conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents, and that meet either of two thresholds: controlling or processing the personal data of 100,000 or more Colorado residents per year, or controlling or processing the personal data of 25,000 or more Colorado residents and deriving revenue or receiving a discount on goods or services from the sale of personal data. Unlike California's CCPA, the CPA does not use a revenue threshold — applicability is determined entirely by data processing volume.

Consumer Rights Under the CPA

The CPA grants Colorado residents several rights over their personal data:

  • Right to access — consumers can confirm whether a controller is processing their personal data and access that data

  • Right to correction — consumers can request correction of inaccuracies in their personal data

  • Right to deletion — consumers can request deletion of personal data provided by or obtained about them

  • Right to data portability — consumers can obtain their personal data in a portable, readily usable format

  • Right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

Controllers must respond to authenticated consumer requests within 45 days, with a possible 45-day extension when reasonably necessary. The CPA also introduced a universal opt-out mechanism requirement, effective July 1, 2024, requiring controllers to honor browser-based or device-based opt-out signals for targeted advertising and data sales.

Data Protection Assessments

The CPA requires controllers to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. These assessments must be documented and made available to the Colorado Attorney General upon request. Required assessment scenarios include processing personal data for targeted advertising, selling personal data, processing sensitive data, and any processing that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion upon solitude or seclusion.

The CPA defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification purposes, personal data of a known child, and precise geolocation data. Processing sensitive data requires obtaining the consumer's affirmative, freely given, specific, informed, and unambiguous consent — a standard commonly called opt-in consent. This is a higher bar than the opt-out approach used for non-sensitive personal data.

Enforcement and Penalties

The Colorado Attorney General and district attorneys have exclusive enforcement authority under the CPA. There is no private right of action. The initial 60-day cure period for violations expired on January 1, 2025, after which the Attorney General can pursue enforcement without offering an opportunity to cure. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act (C.R.S. § 6-1-101 et seq.), which provides for civil penalties of up to $20,000 per violation, or $50,000 per violation involving elderly or disabled consumers.

C.R.S. § 6-1-716: Breach Notification Requirements

Colorado's breach notification statute predates the CPA and imposes specific obligations when a security breach exposes the personal identifying information of Colorado residents.

Who Must Comply

Any individual or commercial entity that maintains, owns, or licenses personal identifying information of Colorado residents must comply with § 6-1-716. This includes businesses headquartered outside Colorado if they maintain data about Colorado residents.

Triggering Events

Notification is required when the entity determines that a security breach of personal identifying information occurred. The law defines a security breach as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal identifying information. Encryption removes the obligation only while the key stays secure: if the data was encrypted but the encryption key was also acquired, the event is still a breach.

Notification Timeline

Affected Colorado residents must be notified within 30 days of the determination that a breach occurred. This is among the shortest notification windows in the country — many states allow 45 or 60 days. The compressed timeline means organizations must have incident response procedures that can identify, investigate, and classify a breach rapidly.

Notification to the Attorney General

If the breach affects 500 or more Colorado residents, the entity must notify the Colorado Attorney General within the same 30-day window. The notification must include the approximate number of affected residents, a description of the breach, and the measures taken in response.

Notification to Credit Reporting Agencies

If a breach affects 1,000 or more Colorado residents, the entity must also notify the major credit reporting agencies.

Content of Notice

Written notification to individuals must include the date or estimated date range of the breach, a description of the personal identifying information that was or may have been acquired, contact information for the entity, contact information for the major credit reporting agencies, and information about the right to file a report with law enforcement.
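The § 6-1-716 obligations above (reportability, the 30-day clock, the 500 and 1,000 resident thresholds, and the required notice elements) as a small incident-response triage helper. This is an added example, not code from the article or its author; the BreachRecord fields and the notice dictionary keys are a constructed schema, and the thresholds and window are the figures stated in the text.

```python
"""Triage helper for Colorado C.R.S. 6-1-716 breach notification decisions.

Constructed example: the record schema and notice keys are assumptions, not a
statutory format. Dates are timezone-aware UTC datetimes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOTIFY_DAYS = 30        # residents (and AG, when required) within 30 days of determination
AG_THRESHOLD = 500      # Attorney General notice required at this many residents
CRA_THRESHOLD = 1000    # major credit reporting agencies at this many residents

# Elements a written notice to residents must contain (from the statute as summarized above).
REQUIRED_NOTICE_ELEMENTS = (
    "breach_date_or_range",
    "pii_description",
    "entity_contact",
    "cra_contact",
    "law_enforcement_report_right",
)


@dataclass
class BreachRecord:
    determined_at: datetime        # when the entity determined that a breach occurred
    affected_co_residents: int     # Colorado residents whose PII was acquired
    data_encrypted: bool
    key_compromised: bool = False  # encrypted data is still a breach if the key was taken


def is_reportable(rec: BreachRecord) -> bool:
    """Unencrypted PII is always reportable; encrypted PII only if the key was compromised."""
    if rec.affected_co_residents <= 0:
        return False
    return (not rec.data_encrypted) or rec.key_compromised


def required_notifications(rec: BreachRecord) -> dict:
    """Who must be notified and by when, based on the resident count."""
    if not is_reportable(rec):
        return {"reportable": False}
    deadline = rec.determined_at + timedelta(days=NOTIFY_DAYS)
    needs_ag = rec.affected_co_residents >= AG_THRESHOLD
    return {
        "reportable": True,
        "residents_by": deadline,
        "attorney_general": needs_ag,
        "attorney_general_by": deadline if needs_ag else None,
        "credit_reporting_agencies": rec.affected_co_residents >= CRA_THRESHOLD,
    }


def days_remaining(rec: BreachRecord, now: Optional[datetime] = None) -> int:
    """Whole days left on the 30-day clock; negative means the deadline has passed."""
    now = now or datetime.now(timezone.utc)
    return (rec.determined_at + timedelta(days=NOTIFY_DAYS) - now).days


def missing_notice_elements(notice: dict) -> List[str]:
    """Required elements a draft resident notice still lacks (empty list = complete)."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k)]
```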

Protections for Consumer Data Privacy (HB 18-1128)

Before the CPA, Colorado passed HB 18-1128 in 2018, which strengthened the state's breach notification requirements and added data disposal and data security obligations. The law requires covered entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and the nature and size of the entity. It also requires covered entities to develop a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information when the records are no longer needed.

Industry-Specific Compliance in Colorado

Colorado's industry mix creates additional compliance obligations beyond state privacy law. Organizations in the following sectors face overlapping federal and state requirements.

CMMC — Defense Contractors and Aerospace

Colorado Springs is home to NORAD, U.S. Northern Command, U.S. Space Command, the U.S. Air Force Academy, and dozens of defense contractors including Lockheed Martin, Raytheon, Northrop Grumman, and L3Harris. These organizations and their supply chains must comply with the Cybersecurity Maturity Model Certification (CMMC) program when handling controlled unclassified information (CUI). CMMC 2.0 requires implementing the 110 controls in NIST SP 800-171 and passing third-party assessment at Level 2. The concentration of defense operations in Colorado means that CMMC compliance affects a large number of small and mid-sized subcontractors throughout the state.

HIPAA — Healthcare Organizations

Colorado's healthcare sector, including major systems like UCHealth, Centura Health, and Denver Health, must comply with both HIPAA and state privacy requirements. The HCPF MOVEit breach demonstrated that even when a federal program (Medicaid) is involved, state breach notification requirements apply concurrently. Healthcare organizations in Colorado face dual compliance obligations and should implement security programs that meet the higher of the two standards. Partnering with managed security services providers can help healthcare organizations maintain continuous compliance across both frameworks.

NERC CIP — Energy Sector

Colorado's energy sector includes oil and gas production on the Western Slope, renewable energy operations across the state, and utilities operating within the Western Interconnection. Entities operating bulk electric systems must comply with NERC CIP standards covering electronic security perimeters, physical security, incident response, and recovery planning. The state's growing renewable energy infrastructure adds new operational technology surfaces that must be secured under these standards.

FERPA — Higher Education

Colorado is home to major research universities including the University of Colorado system, Colorado State University, and the Colorado School of Mines. These institutions must comply with the Family Educational Rights and Privacy Act (FERPA) when handling student records, in addition to state privacy requirements. The CU Accellion breach demonstrated that university systems hold enormous volumes of sensitive data — student records, medical information, and research data — that require comprehensive protection.

Colorado Compliance Checklist for Businesses

The following checklist addresses the core requirements that Colorado businesses must meet under the CPA, § 6-1-716, and related regulations:

  • Determine CPA applicability — assess whether your organization meets the data processing thresholds that trigger CPA obligations (100,000 consumers, or 25,000 consumers plus revenue from data sales)

  • Create a comprehensive data inventory — map all personal data you collect, process, store, and share, including data held by third-party vendors and processors

  • Publish a compliant privacy notice that discloses categories of personal data collected, purposes of processing, consumer rights, how to exercise those rights, categories of data shared with third parties, and the types of third parties

  • Implement consumer rights request processes to handle access, correction, deletion, portability, and opt-out requests within 45 days, including identity verification procedures

  • Honor universal opt-out mechanisms such as the Global Privacy Control browser signal for targeted advertising and data sales, as required since July 1, 2024

  • Obtain opt-in consent for sensitive data processing, including health data, biometric data, precise geolocation, and data revealing racial or ethnic origin

  • Conduct data protection assessments for processing activities that present heightened risk, and maintain documentation for Attorney General review

  • Develop a breach incident response plan that accounts for Colorado's 30-day notification deadline, including pre-drafted notification templates and AG reporting procedures

  • Implement reasonable security measures — including encryption, access controls, MFA, endpoint protection, and continuous monitoring appropriate to the data you handle

  • Establish data disposal policies as required by HB 18-1128, covering both paper and electronic records containing personal identifying information

How Colorado Compares to Other State Privacy Laws

The CPA is often compared to California's CCPA/CPRA and Virginia's VCDPA because all three were among the first comprehensive state privacy laws. Key differences include:

  • No revenue threshold — unlike California, Colorado does not use revenue as an applicability trigger, focusing instead on data processing volume

  • Universal opt-out mechanism — Colorado is one of the first states to require controllers to honor browser-based opt-out signals, a requirement California adopted later under CPRA regulations

  • No private right of action — like Virginia, Colorado limits enforcement to the Attorney General and district attorneys, unlike California which allows consumers to sue for certain data breaches

  • Cure period sunset — the initial 60-day cure period expired January 1, 2025, giving the AG discretion to enforce without offering a cure opportunity

  • 30-day breach notification — Colorado's breach notification deadline is shorter than California's and most other states, requiring faster incident response capabilities

Frequently Asked Questions

Does the Colorado Privacy Act apply to small businesses?

The CPA applies based on data processing volume, not business size or revenue. If a small business processes the personal data of 100,000 or more Colorado residents annually, or processes data of 25,000 or more residents while deriving revenue from data sales, it is subject to the CPA. However, many small businesses will fall below these thresholds. All businesses, regardless of size, must comply with Colorado's breach notification requirements under § 6-1-716 and the data security provisions of HB 18-1128.

What is the penalty for violating Colorado's data privacy laws?

CPA violations are enforced as deceptive trade practices under the Colorado Consumer Protection Act, carrying civil penalties of up to $20,000 per violation, or $50,000 per violation affecting elderly or disabled consumers. The Attorney General can also seek injunctive relief and recover costs. For breach notification failures, enforcement similarly proceeds under the Consumer Protection Act. There is no private right of action under either the CPA or § 6-1-716.

How does the CPA's universal opt-out mechanism work?

Since July 1, 2024, controllers subject to the CPA must recognize and honor universal opt-out mechanisms — typically browser-based signals like the Global Privacy Control (GPC). When a consumer's browser sends a GPC signal, the controller must treat it as a valid opt-out request for targeted advertising and the sale of personal data. Controllers must process the signal without requiring additional consumer action, such as filling out a form or creating an account.
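Server-side handling of the universal opt-out described here and under Consumer Rights above, as an added example (not code from the article or its author). It assumes the request arrives as a plain dictionary of HTTP headers and that the controller keeps per-consumer processing flags in memory; the header name and value (Sec-GPC: 1) follow the public Global Privacy Control specification.

```python
"""Honor a Global Privacy Control signal as a CPA universal opt-out.

Constructed example: the Preferences record and the header dict are assumptions
standing in for whatever session store and web framework a controller uses.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Preferences:
    """Controller-side processing flags for one consumer (True = processing allowed)."""
    targeted_advertising: bool = True
    sale_of_personal_data: bool = True
    # The universal opt-out signal covers targeted advertising and sales only.
    # Profiling is a separate CPA opt-out right and must not be toggled by the signal.
    profiling: bool = True
    audit_log: List[dict] = field(default_factory=list)


def gpc_signal_present(headers: dict) -> bool:
    """True only for a well-formed ``Sec-GPC: 1`` header.

    Header names are case-insensitive; per the GPC spec any value other than the
    literal "1" (for example "0", "true" or an empty string) is not a signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_universal_opt_out(headers: dict, prefs: Preferences,
                            now: Optional[datetime] = None) -> Preferences:
    """Apply the signal on receipt, with no form, login or other consumer action.

    Idempotent: a repeated signal on a later request changes nothing and logs nothing.
    """
    if not gpc_signal_present(headers):
        return prefs
    now = now or datetime.now(timezone.utc)
    disabled = []
    if prefs.targeted_advertising:
        prefs.targeted_advertising = False
        disabled.append("targeted_advertising")
    if prefs.sale_of_personal_data:
        prefs.sale_of_personal_data = False
        disabled.append("sale_of_personal_data")
    if disabled:
        # Keep an evidence trail showing when and how the opt-out was honored.
        prefs.audit_log.append({"source": "GPC", "at": now.isoformat(), "disabled": disabled})
    return prefs
```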

What must a Colorado business do within 30 days of discovering a breach?

Within 30 days of determining a breach occurred, the business must send written notification to all affected Colorado residents containing the date or estimated date of the breach, a description of the personal data involved, and contact information for credit reporting agencies. If 500 or more residents are affected, the business must also notify the Colorado Attorney General. If 1,000 or more are affected, credit reporting agencies must be notified as well.

Does Colorado require data protection assessments?

Yes. The CPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm. This includes processing for targeted advertising, selling personal data, processing sensitive data, and processing that presents foreseeable risks of unfair treatment or significant injury. Assessments must weigh the benefits of the processing against the potential risks to consumer rights, and must be made available to the Attorney General upon request.

How does the CPA interact with federal regulations like HIPAA?

The CPA exempts data governed by certain federal laws, including HIPAA-protected health information maintained by covered entities and business associates. However, health data that falls outside HIPAA's scope — such as health information collected by wellness apps or employers that are not HIPAA-covered entities — may be subject to the CPA's sensitive data provisions, which require opt-in consent. Organizations should carefully analyze which data sets fall under which regulatory framework and ensure compliance with the higher standard where requirements overlap.

Alex Morgan

Updated Apr 4, 2026