
Colorado (CPA) Privacy Law Compliance

The Colorado Privacy Act (effective July 1, 2023) is one of the strictest US state privacy regimes, particularly with respect to the Universal Opt-Out Mechanism (UOOM), which controllers have been required to honour since July 1, 2024. Controllers MUST detect and honour Global Privacy Control as a valid opt-out signal. The AG has issued some of the most prescriptive privacy rules of any US state (4 CCR 904-3), and rulemaking continues.

Statute
Colorado Privacy Act
Colo. Rev. Stat. §6-1-1301 et seq.
Effective
Jul 1, 2023
Universal Opt-Out Mechanism enforcement Jul 1, 2024
Enforcer
Colorado Attorney General + District Attorneys
Consumer rights
8
9 business obligations

Who must comply

Exemptions

Consumer rights (8)

Right to access / know
Confirm whether a controller is processing the consumer's personal data and access that data
Right to correct
Correct inaccurate personal data
Right to delete
Request deletion of personal data the controller has collected
Right to data portability
Receive data in a portable, machine-readable format
Right to opt out of sale
Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising
Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect
Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
Right to appeal
Appeal a controller's refusal to act on a rights request (controller must answer the appeal within 45 days, extendable by 60 days where reasonably necessary)

Business obligations (9)

Public privacy notice
Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days
Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements
Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments
Document risk assessment for targeted advertising, sale, profiling, sensitive data processing
Honour universal opt-out signals (GPC)
Recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices
Administrative, technical, physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation
Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent
Personal data of a known child (under 13) is sensitive data and needs (parental) consent before processing; a 2024 amendment extends consent requirements for targeted advertising, sale and profiling to known minors under 18 from October 1, 2025
Opt-in for sensitive data
Affirmative consent before processing sensitive data

Required privacy notice elements

  1. Categories of personal data processed
  2. Purpose of processing
  3. Whether data is sold or processed for targeted advertising (with opt-out)
  4. Categories of third parties + categories of data shared
  5. Consumer rights enumerated + how to exercise them
  6. Process to appeal a refused rights request
  7. One or more secure and reliable means for consumers to submit rights requests (e.g. a web form and/or email address)
  8. Disclosure of the controller's identity + contact
  9. Statement that controller recognises Universal Opt-Out Mechanisms
Don't hand-check this. Drop your existing privacy policy into the free policy audit and we'll grade every required element and surface the missing language.

Penalties

Civil penalty per violation
Up to $20,000
Colo. Rev. Stat. §6-1-112 (CCPA-incorporated penalty cap)
Per violation against an elderly person
Up to $50,000
Colo. Rev. Stat. §6-1-112 raises the cap to $50,000 per violation committed against an elderly person (age 60+)
Investigation costs
Recoverable
AG + DA enforcement

Common compliance pitfalls

Not honouring GPC by July 1, 2024
Colorado requires controllers to detect and process the Universal Opt-Out Mechanism — Global Privacy Control is currently the recognised mechanism. CMPs must fire opt-out on GPC detection AND record the opt-out before any sale/targeted ad tags fire.
Missing the appeal process
Section 6-1-1306(3) requires a conspicuously available appeal process, as easy to use as the rights-request process itself, and a written answer to the appeal within 45 days (extendable by 60 days where reasonably necessary). If the appeal is denied, the controller must also give the consumer a way to submit a complaint to the Attorney General.
DPAs missing for targeted advertising
Colorado DPAs are required for targeted advertising, sale, sensitive data, profiling with legal/similarly significant effect, and other heightened-risk processing. They must be documented and retained, and made available to the AG on request.
Treating Colorado as 'just like Virginia'
Colorado has more prescriptive AG rules — bona fide loyalty programs require a separate disclosure, sensitive data processing has additional notice obligations, profiling carries explicit DPA + opt-out duties.
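The GPC pitfall above comes down to two concrete checks: the `Sec-GPC: 1` request header on the server and `navigator.globalPrivacyControl === true` in the browser (both defined by the GPC specification), followed by persisting the opt-out before any sale or targeted-advertising tag is allowed to load. The following is an added example, not code from this page or from any CMP vendor; the consent record shape, the `handlePageLoad` entry point and the tag categories are hypothetical stand-ins for a real CMP.

```javascript
// Added example (not the page's own code): detect Global Privacy Control and
// gate sale / targeted-advertising tags behind it.
// Real signal carriers, per the GPC spec:
//   - HTTP request header  Sec-GPC: 1              (server side)
//   - navigator.globalPrivacyControl === true      (browser side)
// Anything else ("0", "true", missing) is NOT an opt-out.
// The consent-record shape and tag categories below are hypothetical.

function gpcFromHeaders(headers) {
  // Header names are case-insensitive. Accept a Fetch-style Headers object
  // (has .get) or a plain object keyed by header name.
  let raw;
  if (headers && typeof headers.get === 'function') {
    raw = headers.get('sec-gpc');
  } else if (headers) {
    const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
    raw = hit ? hit[1] : undefined;
  }
  return raw !== undefined && raw !== null && String(raw).trim() === '1';
}

function gpcFromNavigator(nav) {
  // Strict boolean check: the spec defines the property as a boolean.
  return !!nav && nav.globalPrivacyControl === true;
}

// Apply the signal to a stored consent record (hypothetical shape).
// A UOOM signal wins over an earlier stored opt-in for sale and targeted
// advertising. The record is written before any tag decision is taken, so
// the opt-out is persisted even if the page is abandoned mid-load.
function applyUoom(stored, signalPresent, now = Date.now()) {
  const record = { ...stored };
  if (signalPresent) {
    record.saleOptOut = true;
    record.targetedAdsOptOut = true;
    record.optOutSource = 'uoom:gpc';
    record.optOutRecordedAt = now;
  }
  return record;
}

// Decide which tag categories may load. Only sale and targeted advertising
// are in scope of the UOOM; "essential" tags are unaffected.
function tagDecision(record) {
  return {
    essential: true,
    targetedAdvertising: record.targetedAdsOptOut !== true,
    sale: record.saleOptOut !== true,
  };
}

// One entry point per page load: headers and/or navigator in, decision out.
// Ordering matters: record the opt-out first, then decide on tags.
function handlePageLoad({ headers, navigator: nav, stored }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const record = applyUoom(stored, signal);
  return { record, tags: tagDecision(record) };
}

// --- Constructed sample inputs (not real traffic) ---
const priorOptIn = { saleOptOut: false, targetedAdsOptOut: false, optOutSource: 'banner' };

// Visitor with GPC enabled: the stored banner opt-in is overridden, ad tags blocked.
const withSignal = handlePageLoad({ headers: { 'Sec-GPC': '1' }, stored: priorOptIn });

// Visitor without the signal ("0" is not an opt-out): the stored choice stands.
const withoutSignal = handlePageLoad({ headers: { 'sec-gpc': '0' }, stored: priorOptIn });

console.log(JSON.stringify({ withSignal, withoutSignal }, null, 2));
```

Two points worth keeping from this shape: the header check compares the trimmed value to the literal string "1" rather than testing truthiness, so a bogus `Sec-GPC: true` or `0` does not count as an opt-out; and `applyUoom` runs before `tagDecision`, which is what "record the opt-out before any tag fires" means in practice.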

FAQ

What is the Universal Opt-Out Mechanism?
An automated signal a consumer's browser or device sends to controllers expressing an opt-out from the sale of personal data and from targeted advertising. The Colorado AG currently recognises Global Privacy Control (GPC) as a valid UOOM. Controllers MUST honour it as an opt-out even where it conflicts with an earlier controller-specific choice; the controller may then notify the consumer of the conflict and ask them to confirm which setting they want, but may not keep processing while it asks.
Does CPA have a private right of action?
No. Enforcement is exclusive to the Colorado AG and district attorneys. The AG has issued detailed rules (4 CCR 904-3) and runs the most active state privacy rulemaking process in the US.
How does CPA compare to CCPA?
CPA is more GDPR-like (opt-in for sensitive data, mandatory DPAs, no private right of action) but adds the prescriptive UOOM requirement that California has only partially matched. The per-violation penalty cap is higher in Colorado ($20,000 versus up to $7,500 under CCPA for intentional violations).

Related state laws

California (CA)
CCPA/CPRA
Connecticut (CT)
CTDPA
Virginia (VA)
VCDPA

Grade your Colorado privacy policy in 20 seconds

Paste your privacy policy and we'll score it against CPA requirements — categories collected, rights enumeration, opt-out mechanism, sensitive data handling. Free, 3 audits/day, no signup.

Run free audit for Colorado