
Colorado Privacy Act (CPA)

Colorado's privacy law introducing universal opt-out mandate and data protection assessments, effective July 1, 2023.

What You Need to Know

The Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., became effective July 1, 2023, with the Universal Opt-Out Mechanism (UOOM) requirement phased in from July 1, 2024. It applies to controllers processing personal data of 100,000+ Colorado consumers annually, or 25,000+ consumers while deriving revenue or discounts from data sales. The CPA closely mirrors the Virginia VCDPA in consumer rights structure — access, correction, deletion, portability, opt-out — but is notable for being the first U.S. law to mandate technical recognition of UOOMs, requiring controllers to honor opt-out signals transmitted through approved browser or device settings. The Colorado AG maintains a list of recognized UOOM technologies.

The CPA's UOOM requirement is its most distinctive engineering obligation. As of July 1, 2024, controllers that sell personal data or process it for targeted advertising must recognize technically compliant opt-out signals. The Global Privacy Control (GPC) header has been recognized as a qualifying UOOM. Engineering teams must intercept the GPC signal at the network layer — typically in CDN edge logic or reverse proxies — and propagate opt-out state to advertising, analytics, and personalization systems before any processing occurs. Data Protection Assessments (§ 6-1-1309) are required for targeted advertising, data sales, profiling with legal or significant effects, sensitive data processing, and any processing presenting a "heightened risk"; assessments must be produced to the AG on request within 30 days.

The CPA defines "sensitive data" broadly to include racial or ethnic origin, mental or physical health diagnoses, sexual orientation, citizenship status, precise geolocation, genetic or biometric data, and personal data from known minors under 13. Sensitive data requires opt-in consent before processing. The law also imposes a purpose limitation principle: personal data collected for one purpose cannot be processed in a "manner that is not reasonably necessary to or compatible with" the disclosed purpose without additional consent — an obligation that demands engineering-level data flow controls, not just policy statements. Processors must delete or return personal data at the controller's instruction and, unlike GDPR processors, must assist controllers in complying with consumer rights requests.

How We Handle It

We deploy GPC signal detection at the CDN edge layer and propagate consent state through event-driven pipelines to advertising, analytics, and ML personalization systems before processing occurs. Our DPA workflow generates Colorado-specific assessments with heightened-risk scoring and stores them with version history for AG production requests within the 30-day window.
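The edge-side GPC handling described in the "What You Need to Know" section and in the paragraph above, as an added illustration that is not the page's or this company's own code. It assumes the GPC request header as the specification defines it (`Sec-GPC` with the value `1`); the opt-out state object, the `purpose` labels on downstream destinations, and the sample request are constructed for the example and are not part of the CPA or the GPC spec.

```javascript
// Resolve a consumer's opt-out state from an incoming request at a CDN edge or
// reverse proxy, then gate downstream processing on it before any event is sent.
// Header name/value follow the GPC spec; everything else here is assumed.

const GPC_HEADER = "sec-gpc";

// HTTP header field names are case-insensitive, so normalise before lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(",") : String(value);
  }
  return out;
}

// GPC defines exactly one signal value, "1". Any other value (or absence) is
// "no signal", which must NOT be treated as an affirmative opt-in.
function hasGpcSignal(headers) {
  const h = normaliseHeaders(headers);
  return h[GPC_HEADER] !== undefined && h[GPC_HEADER].trim() === "1";
}

// Build the opt-out state handed to advertising/analytics/personalisation.
// GPC maps to the two activities the CPA ties its UOOM requirement to: sale of
// personal data and targeted advertising. A stored preference (e.g. from an
// earlier explicit opt-out) is honoured too; the header can only add opt-outs,
// never silently clear one the consumer previously made.
function resolveOptOutState(headers, priorState = null) {
  const gpc = hasGpcSignal(headers);
  return {
    optOutSale: gpc || Boolean(priorState && priorState.optOutSale),
    optOutTargetedAds: gpc || Boolean(priorState && priorState.optOutTargetedAds),
    source: gpc ? "gpc-header" : priorState ? "stored-preference" : "none",
  };
}

// Decide which downstream destinations may receive this request's event.
// Destinations are assumed to carry a `purpose` label; suppressed ones never
// see the event, which is the "before processing occurs" property the law wants.
function routeEvent(state, destinations) {
  const allowed = [];
  const suppressed = [];
  for (const d of destinations) {
    const blocked =
      (d.purpose === "targeted_advertising" && state.optOutTargetedAds) ||
      (d.purpose === "sale" && state.optOutSale);
    (blocked ? suppressed : allowed).push(d.name);
  }
  return { allowed, suppressed };
}

// Constructed sample: a request carrying the GPC signal and three downstream
// consumers, one of which (first-party product analytics) is unaffected by GPC.
const SAMPLE_DESTINATIONS = [
  { name: "ad-exchange", purpose: "targeted_advertising" },
  { name: "data-broker-feed", purpose: "sale" },
  { name: "product-analytics", purpose: "first_party_analytics" },
];

function demo(headers = { "Sec-GPC": "1", "User-Agent": "example" }) {
  const state = resolveOptOutState(headers);
  return { state, routing: routeEvent(state, SAMPLE_DESTINATIONS) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The header value check is deliberately strict: `Sec-GPC: 0` or a malformed value yields no opt-out, but it also never overrides a stored opt-out, so a consumer who opted out explicitly last week is still protected on a browser that does not send the signal today.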
