Colorado Privacy Act (CPA)
A practical compliance guide for website owners. Learn what Colorado's privacy law requires and how to implement it on your site.
Who Must Comply
The CPA applies to a business that controls or processes the personal data of 100K+ Colorado residents, OR controls or processes the data of 25K+ residents and derives revenue from selling personal data.
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Required |
| Universal opt-out mechanism | Required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The CPA requires the following links or notices to be visible on your website:
1. Your Privacy Choices
2. Privacy Policy
Enforcement & Penalties
Key Things to Know
Colorado is one of the most important states for privacy compliance because it requires honoring Universal Opt-Out Mechanisms (UOOM) — including Global Privacy Control (GPC) — as of July 2024. This is a technical requirement that many businesses overlook.
Unique requirement: Colorado specifically mandates that businesses recognize "universal opt-out mechanisms" as defined by the Colorado AG. GPC is the primary recognized mechanism. Failure to honor GPC signals is a compliance violation.
How to Configure LegalBanner for CPA
1. Create your site
   Sign up for free and add your website domain in the dashboard.
2. Set consent mode to "Opt-out"
   In Settings, select the consent mode that matches Colorado's requirements.
3. Install the snippet
   Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
4. Generate your Privacy Policy
   Use the built-in policy wizard to generate a CPA-compliant privacy policy.
Set up CPA compliance in 5 minutes
LegalBanner handles Colorado privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
What is Colorado's Universal Opt-Out Mechanism (UOOM) requirement?
As of July 2024, Colorado requires businesses to honor Universal Opt-Out Mechanisms (UOOM) such as Global Privacy Control (GPC). This means your website must detect and automatically respect GPC browser signals as opt-out requests for targeted advertising and sale of personal data.
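One way a site could detect GPC and apply it as an opt-out before loading any tags, shown as an added example that is not LegalBanner's code. GPC is exposed as the `Sec-GPC: 1` request header and as `navigator.globalPrivacyControl`; the function names, the tag inventory and the choice to let GPC override a stored preference are assumptions of this example.

```javascript
// Added example. Function names and the tag inventory are hypothetical.

// GPC arrives as the `Sec-GPC: 1` request header (server side) and as
// `navigator.globalPrivacyControl === true` (client side).
function hasGpcSignal({ headers = {}, navigatorLike = {} } = {}) {
  // Header names are case-insensitive; only the exact value "1" counts.
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  const headerOn = entry !== undefined && String(entry[1]).trim() === '1';
  return headerOn || navigatorLike.globalPrivacyControl === true;
}

// Opt-out mode: sale and targeted advertising are allowed until the visitor
// opts out; sensitive data is processed only after an explicit opt-in.
// Assumption: a GPC signal overrides whatever preference was stored earlier.
function effectiveConsent(stored = {}, gpc = false) {
  const optedOut = gpc || stored.optedOut === true;
  return {
    targetedAdvertising: !optedOut,
    saleOfPersonalData: !optedOut,
    sensitiveData: stored.sensitiveOptIn === true,
    source: gpc ? 'gpc' : (stored.optedOut === true ? 'user' : 'default'),
  };
}

// Constructed sample inventory: each tag declares the purpose it serves.
const TAGS = [
  { id: 'session-cookie', purpose: 'necessary' },
  { id: 'ad-retargeting', purpose: 'targetedAdvertising' },
  { id: 'partner-data-sync', purpose: 'saleOfPersonalData' },
];

// Only tags whose purpose is permitted are returned for loading.
function tagsToLoad(tags, consent) {
  return tags
    .filter((t) => t.purpose === 'necessary' || consent[t.purpose] === true)
    .map((t) => t.id);
}

// Constructed request: a browser with GPC enabled, no stored preference.
const request = { headers: { 'Sec-GPC': '1' } };
const consent = effectiveConsent({}, hasGpcSignal(request));
console.log(consent.source, tagsToLoad(TAGS, consent));
```

Evaluating the signal on the server as well as in the browser keeps advertising tags out of the first response, before any client-side script has run.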
Does Colorado require a cookie consent banner?
Colorado does not require opt-in cookie consent. However, you must provide clear opt-out mechanisms for targeted advertising and data sale, and honor universal opt-out signals like GPC. A cookie preference center with opt-out controls is strongly recommended.
Is GPC required in Colorado?
Yes. As of July 2024, Colorado requires businesses to honor GPC signals as a valid universal opt-out mechanism. LegalBanner automatically detects and processes GPC signals for Colorado compliance.
What is the difference between Colorado and California privacy laws?
Both require honoring GPC signals. Colorado uses 'Universal Opt-Out Mechanism' terminology and has specific AG rules defining recognized mechanisms. California uses 'opt-out preference signal' language. Both have similar scope but different enforcement structures.
What are the penalties for CPA violations?
The Colorado AG enforces the CPA under the Colorado Consumer Protection Act. There is no specific per-violation penalty amount — penalties are determined by the court. There is a 60-day cure period (sunset January 2025).