Introduction to Colorado Privacy Rights
Colorado has emerged as one of the most progressive states in the nation for privacy protection, joining California, Virginia, and a handful of other states that have enacted comprehensive consumer privacy legislation. The Colorado Privacy Act (CPA), which took effect on July 1, 2023, represents a landmark achievement in state-level privacy regulation, giving Colorado residents substantial control over their personal data and establishing enforceable rights against businesses that collect and process their information.
The privacy landscape in Colorado extends far beyond the Colorado Privacy Act. The state maintains robust protections across multiple domains, including data breach notification requirements under C.R.S. § 6-1-716, employment privacy protections, financial data safeguards, and health information security measures that supplement federal HIPAA requirements. Colorado's approach to privacy is notably comprehensive, addressing not just consumer data but also employee monitoring, biometric information, and the increasingly important realm of children's online privacy.
Compared to other states, Colorado occupies a middle-ground position that balances business interests with consumer protections. While not as expansive as the California Consumer Privacy Act (CCPA), Colorado's privacy framework is more comprehensive than the majority of states that still lack dedicated consumer privacy legislation. The Colorado Privacy Act applies to businesses that control or process personal data of at least 100,000 Colorado consumers annually, or derive revenue from selling personal data of at least 25,000 consumers. This threshold makes Colorado's law more business-friendly than California's but still captures most major data collectors and processors operating in the state.
Colorado's State Privacy Laws
The cornerstone of Colorado's privacy framework is the Colorado Privacy Act (CPA), codified as C.R.S. § 6-1-1301 et seq. Signed into law in July 2021 and effective as of July 1, 2023, the CPA grants Colorado residents five fundamental privacy rights: the right to access personal data, the right to correct inaccuracies, the right to delete personal data, the right to data portability, and the right to opt out of certain data processing activities including targeted advertising, sale of personal data, and profiling for decisions that produce legal or similarly significant effects.
Under the CPA, controllers (entities that determine the purposes and means of processing personal data) must provide clear privacy notices, honor consumer rights requests within 45 days (with one 45-day extension permitted), conduct data protection assessments for high-risk processing activities, and limit collection to what is adequate, relevant, and reasonably necessary. The law is enforced exclusively by the Colorado Attorney General, with no private right of action, and potential penalties reach $20,000 per violation. Importantly, the CPA includes a 60-day cure period through December 31, 2024, allowing businesses to remedy violations before facing enforcement action.
Data Breach Notification Requirements are governed by C.R.S. § 6-1-716, which Colorado significantly strengthened in recent years. Any person or business that maintains, owns, or licenses personal identifying information of Colorado residents must provide notice of a security breach without unreasonable delay. The statute does not specify an exact timeframe, but "without unreasonable delay" has been interpreted to mean as soon as possible after discovery, typically within 30 days. Notice must be provided to affected Colorado residents, and if the breach affects more than 500 Colorado residents, the entity must also notify the Colorado Attorney General. The law defines personal information broadly to include names combined with Social Security numbers, driver's license numbers, financial account information, medical information, health insurance identification numbers, biometric data, and usernames or email addresses combined with passwords or security questions.
Employee Privacy Rights in Colorado are particularly robust. C.R.S. § 8-2-121 restricts employers from requiring employees to provide access to personal social media accounts or taking adverse action against employees who refuse such requests. Colorado's Lawful Off-Duty Activities Statute, C.R.S. § 24-34-402.5, prohibits employers from terminating employees for engaging in lawful activities off company premises during non-working hours, which has been interpreted to include certain privacy-related activities. Additionally, Colorado law requires employers to provide advance notice before conducting workplace monitoring in certain contexts, though specific requirements vary by the type of monitoring.
Financial Privacy protections in Colorado include state-level enforcement of the federal Gramm-Leach-Bliley Act (GLBA) requirements, with the Colorado Division of Banking overseeing financial institutions' compliance with privacy notice and opt-out requirements. Colorado Revised Statutes § 11-30-101 et seq. establishes additional requirements for financial institutions operating in the state, including provisions related to information sharing and consumer consent.
Biometric Privacy receives specific attention under the Colorado Privacy Act. C.R.S. § 6-1-1308 requires consumer consent before processing sensitive data, including biometric data used to uniquely identify an individual, unless the processing falls within specific exempted purposes. This places Colorado among states with explicit biometric privacy protections, though not as stringent as Illinois' Biometric Information Privacy Act (BIPA).
Freedom of Information / Open Records in Colorado
Colorado's transparency law is the Colorado Open Records Act (CORA), codified at C.R.S. § 24-72-201 et seq. CORA establishes that public records are open for inspection by any person at reasonable times, except as specifically provided by law. The Act defines "public records" broadly to include all writings made, maintained, or kept by the state or any of its political subdivisions for use in the exercise of functions required or authorized by law or administrative rule, or involving the receipt or expenditure of public funds.
Under CORA, any person may inspect public records during normal business hours, and custodians must produce records within three business days of receiving a request, unless additional time is necessary to locate, retrieve, or review the records. If more time is needed, the custodian must notify the requester and provide a reasonable date and time when the records will be available. Colorado law does not permit indefinite delays; if a custodian cannot comply within seven business days, they must provide a written statement explaining the delay and estimating when records will be available.
CORA Exemptions that protect privacy include: personnel files except for specific information like name, compensation, and job title (C.R.S. § 24-72-204(3)(a)(II)); records of investigations for law enforcement purposes while the investigation is ongoing; medical records; records related to juveniles; adoption records; trade secrets and confidential business information; library patron records; and certain records that would invade individual privacy if disclosed. Notably, C.R.S. § 24-72-204(3)(a)(I) creates a general privacy exemption allowing custodians to deny inspection of records when public disclosure would do substantial injury to the public interest or invade individual privacy.
Fee Schedules under CORA are specifically regulated. Research and retrieval fees may not exceed $33.58 per hour (as of 2023, adjusted annually for inflation) and custodians cannot charge for the first hour of time. Copying fees are limited to 25 cents per standard page. Custodians must provide a detailed cost estimate if fees are expected to exceed $30, and requesters may then decide whether to proceed.
The Appeals Process for CORA denials involves filing an application for injunctive relief in district court pursuant to C.R.S. § 24-72-204(5). If the court finds that the custodian wrongfully denied inspection, it shall order the custodian to produce the records and may award court costs and attorney fees to the prevailing applicant. Colorado courts review CORA denials de novo, meaning they conduct a fresh review without deferring to the custodian's determination.
HIPAA and Health Privacy
The federal Health Insurance Portability and Accountability Act (HIPAA) establishes baseline privacy protections for health information throughout the United States, including Colorado. HIPAA's Privacy Rule applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates, requiring these entities to protect individually identifiable health information, provide patients with access to their medical records, and obtain patient authorization before most disclosures of protected health information (PHI).
Colorado supplements HIPAA with state-level health privacy protections. Under C.R.S. § 25-1-801, medical records are confidential and may not be released without patient consent except in specific circumstances defined by law. This statute applies more broadly than HIPAA, covering healthcare providers that might not meet HIPAA's definition of covered entities. Colorado law also provides specific protections for mental health records under C.R.S. § 27-65-127, which restricts disclosure of information obtained during mental health treatment and creates a therapist-patient privilege.
Colorado's data breach notification law, C.R.S. § 6-1-716, requires notification when medical information is compromised, creating an additional layer of accountability beyond HIPAA's breach notification rule. The Colorado Privacy Act also classifies health data as sensitive data requiring heightened protections and consumer consent for processing, providing coverage that extends to health-related information held by non-HIPAA entities like fitness apps, wellness programs, and health-focused websites.
To protect medical records in Colorado, residents should: request copies of their medical records to verify accuracy (providers must comply within 15 days under C.R.S. § 25-1-801(4)); submit corrections to any inaccuracies in writing; limit authorization for disclosure to only what is necessary; request an accounting of disclosures from HIPAA covered entities; and file complaints with the Colorado Department of Public Health and Environment or the U.S. Department of Health and Human Services Office for Civil Rights if privacy violations occur.
Consumer Data Privacy Rights
The Colorado Privacy Act grants residents comprehensive rights regarding their personal data. Colorado consumers have the right to know what personal data a controller is collecting about them and how that data is being used. This includes the right to access personal data that a business has collected, which must be provided in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
The right to delete enables Colorado residents to request deletion of personal data that a business has collected from them, subject to certain exceptions for legal compliance, fraud prevention, security purposes, and other specified reasons. Controllers must honor verified deletion requests within 45 days.
The right to correction allows consumers to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for which it is processed. This right is particularly important for maintaining accurate information in contexts like employment, credit, and healthcare.
Opt-out rights under the CPA are extensive. Colorado residents can opt out of: (1) targeted advertising, (2) the sale of their personal data, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must provide a clear and conspicuous method for exercising these opt-out rights, and beginning July 1, 2024, controllers must recognize universal opt-out mechanisms like Global Privacy Control signals.
Removing information from data brokers requires a multi-step approach in Colorado. Under the CPA, data brokers (businesses whose primary activity is collecting and selling personal data that they did not collect directly from consumers) must register with the Colorado Attorney General and allow consumers to opt out of the sale of their data. Colorado residents can submit opt-out requests directly to data brokers through the mechanisms described in their privacy policies. Major data brokers like Acxiom, Epsilon, Oracle Data Cloud, and Experian maintain opt-out pages, though the process must be completed separately for each broker.
Credit report rights in Colorado are governed by the federal Fair Credit Reporting Act (FCRA) as enforced at the state level. Colorado residents are entitled to one free credit report annually from each of the three major credit bureaus (Equifax, Experian, and TransUnion) through AnnualCreditReport.com. Colorado law also allows consumers to place security freezes on their credit reports at no cost under C.R.S. § 12-14.3-105, restricting access to credit reports and helping prevent identity theft. Freezes must be implemented within one business day of a request, and Colorado consumers can temporarily lift or permanently remove freezes at no charge.
Employment Background Checks & Privacy
Colorado has enacted progressive legislation limiting how employers can use criminal history information in hiring decisions. The state's ban-the-box law, codified in C.R.S. § 8-2-130, prohibits employers from including questions about criminal history on initial job applications. This law applies to private employers with 11 or more employees operating in Colorado. Employers can only inquire about criminal history after the initial application stage, and if they choose to take adverse action based on criminal history, they must conduct an individualized assessment considering the nature of the offense, the time elapsed since the offense or completion of sentence, and the nature of the job sought.
Under the federal Fair Credit Reporting Act (FCRA), which applies in Colorado, employers must obtain written consent before procuring a consumer report (background check) on an applicant or employee. If an employer intends to take adverse action based on information in the background check, they must provide the individual with a pre-adverse action disclosure that includes a copy of the report and a summary of FCRA rights. After taking adverse action, employers must provide an adverse action notice that includes information about the background check company, a statement that the company did not make the adverse decision, and notice of the right to dispute the report's accuracy.
Colorado Revised Statutes § 24-72-702 through § 24-72-709 govern criminal history record checks in the state. Conviction records in Colorado generally remain accessible indefinitely, but the state provides several pathways for limiting access. Arrest records not leading to conviction can be sealed immediately upon dismissal or acquittal. For convictions, Colorado law allows sealing of certain criminal records, though eligibility depends on the offense type and time elapsed.
Under C.R.S. § 24-72-706, individuals may petition to seal conviction records for: (1) petty offenses and municipal ordinance violations immediately after completing the sentence; (2) misdemeanor convictions three years after completing the sentence; (3) certain drug felonies (levels 3 and 4) three years after completing the sentence; and (4) other felonies five years after completing the sentence. Some offenses, including sex offenses, crimes of violence, and DUI convictions, are not eligible for sealing.
Disputing inaccurate background check information in Colorado involves contacting both the background check company (consumer reporting agency) and the source of the information. Under the FCRA, consumer reporting agencies must investigate disputes within 30 days. Colorado residents should submit disputes in writing with supporting documentation, and if the investigation reveals inaccuracies, the reporting agency must correct or delete the information. The Colorado Bureau of Investigation maintains the state's criminal history records, and individuals can request their own Colorado criminal history record to verify accuracy by submitting fingerprints and a processing fee to the CBI.
Protecting Yourself in Colorado
Colorado residents can take concrete steps to protect their privacy and control their personal information. This practical guide provides actionable measures specific to Colorado law and resources.
Step 1: Freeze Your Credit
Placing a security freeze on your credit reports is the single most effective way to prevent identity theft. Under C.R.S. § 12-14.3-105, Colorado consumers can freeze their credit for free. Contact each of the three major credit bureaus separately:
- Equifax: 800-349-9960 or equifax.com/personal/credit-report-services
- Experian: 888-397-3742 or experian.com/freeze
- TransUnion: 888-909-8872 or transunion.com/credit-freeze
Freezes must be implemented within one business day. You'll receive a PIN or password to temporarily lift the freeze when you need to apply for credit.
Step 2: Exercise Your Rights Under the Colorado Privacy Act
Identify businesses that collect your personal data and submit requests to access, delete, or correct your information. Visit company privacy pages (usually found at companyname.com/privacy) to locate their consumer rights request portals. For businesses that sell your data or engage in targeted advertising, submit opt-out requests. Consider installing a browser extension that sends Global Privacy Control signals, which Colorado businesses must honor as of July 2024.
Step 3: Opt Out of Data Broker Databases
Data brokers aggregate and sell personal information. While time-consuming, opting out reduces your exposure. Priority data brokers to address include:
- Acxiom: acxiom.com/about-acxiom/privacy/opt-out-of-acxiom-data-sales
- Experian: experian.com/privacy/opting_out_of_marketing
- Oracle Data Cloud: datacloudoptout.oracle.com
- Epsilon: epsilon.com/privacy-statement
For people-search sites like Whitepages, Spokeo, and BeenVerified, visit each site's opt-out page (usually found by searching "site name opt out") and follow their specific removal procedures.
Step 4: Seal Eligible Criminal Records
If you have criminal records in Colorado that meet sealing criteria under C.R.S. § 24-72-706, file a petition in the court where the case was resolved. The Colorado Judicial Branch provides forms at courts.state.co.us. You'll need to: obtain your criminal history record from the Colorado Bureau of Investigation, complete the petition form, file it with the court along with the required fee, and serve copies on the district attorney and arresting agency. The court will schedule a hearing, and if granted, sealed records will not appear on most background checks.
Step 5: Request Your Public Records
To understand what information government agencies maintain about you, submit CORA requests to relevant agencies. Common records to request include DMV records (Colorado Department of Revenue), professional licensing records (Colorado Department of Regulatory Agencies), and court records (Colorado Judicial Branch). Submit written requests to the records custodian at the specific agency, clearly describing the records sought.
Step 6: Secure Your Health Information
Request copies of your medical records from healthcare providers under C.R.S. § 25-1-801 to verify accuracy. Review Explanation of Benefits statements from insurers for unauthorized services. Limit healthcare authorizations to specific purposes and time periods. Report suspected HIPAA violations to the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints.
Colorado Data Breach Notification
Colorado's data breach notification law, C.R.S. § 6-1-716, establishes specific requirements for entities that experience security breaches involving Colorado residents' personal information. The statute underwent significant amendments in 2018 and 2021, expanding both the definition of personal information and the obligations of entities experiencing breaches.
Who Must Notify: Any person or business that maintains, owns, or licenses personal identifying information of Colorado residents must provide notice following a security breach. This includes both Colorado-based entities and out-of-state entities that maintain data on Colorado residents. Third-party service providers that experience breaches must notify the data owner without unreasonable delay.
What Triggers Notification: A breach of security occurs when there is unauthorized acquisition of unencrypted computerized personal identifying information that compromises the security, confidentiality, or integrity of the information. Personal identifying information includes a Colorado resident's first name or first initial and last name combined with any of the following: Social Security number, driver's license number, identification card number, student or military identification number, financial account number, or medical information. The definition also includes biometric data, health insurance identification number, and a username or email address combined with a password or security questions.
Notification Timeframe: Entities must provide notice "without unreasonable delay and no later than thirty days after the date of determination that a security breach occurred." The thirty-day period begins when the entity determines that a breach occurred, not when the breach actually happened. Law enforcement may delay notification if it would impede a criminal investigation, but only for the specific time period requested by law enforcement.
Notification Requirements: Notice to affected Colorado residents must include: the date or estimated date of the breach, a description of the personal information involved, information about what the entity is doing to investigate and mitigate the breach, contact information for consumer reporting agencies if the breach involves Social Security numbers, and information about the entity's identity theft prevention and mitigation services if being offered. If the breach affects 500 or more Colorado residents, the entity must also notify the Colorado Attorney General.
Penalties for Violations: Violations of Colorado's breach notification law constitute deceptive trade practices under the Colorado Consumer Protection Act, C.R.S. § 6-1-105. The Attorney General can seek civil penalties of up to $20,000 per violation, with each affected Colorado resident potentially constituting a separate violation. The law does not create a private right of action, so enforcement is exclusively through the Attorney General's office.
Colorado entities can avoid notification requirements if they conduct a good faith, reasonable risk assessment concluding that the breach is unlikely to cause harm to affected individuals, but they must document this assessment and provide it to the Attorney General upon request.
Children's Privacy in Colorado
Children's privacy receives special protection under both federal and Colorado state law. The federal Children's Online Privacy Protection Act (COPPA) applies nationwide, including in Colorado, requiring operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting personal information from children. COPPA also requires clear privacy policies, data security measures, and limitations on data retention.
The Colorado Privacy Act enhances children's privacy protections beyond COPPA. Under C.R.S. § 6-1-1308(1), processing of personal data concerning children constitutes processing of sensitive data, triggering heightened requirements including the necessity for consent. While the CPA defines "child" differently than COPPA (potentially extending to ages 13-18 in certain contexts), it creates an additional layer of protection for minors' personal information.
Colorado law also addresses children's privacy in educational settings. The federal Family Educational Rights and Privacy Act (FERPA) protects student education records in Colorado schools receiving federal funding. FERPA grants parents the right to inspect and review their children's education records, request corrections to inaccurate information, and control disclosure of personally identifiable information from those records. When students reach age 18 or attend a postsecondary institution, FERPA rights transfer to the student.
Colorado supplements FERPA with state-level protections under C.R.S. § 22-16-101 et seq., which regulates student data privacy in K-12 education. This law requires school districts to maintain policies regarding collection, use, and disclosure of student personally identifiable information (PII). School service contract providers (companies that provide digital educational services) must maintain comprehensive security programs, are prohibited from selling student PII or using it for targeted advertising, and must delete student data upon request or when it is no longer needed for the authorized purpose.
Colorado parents can protect their children's privacy by: reviewing school privacy policies and data-sharing agreements, opting out of directory information disclosure under FERPA where possible, limiting children's use of apps and websites that collect personal information, reporting COPPA violations to the Federal Trade Commission at ftc.gov/complaint, and exercising rights under the Colorado Privacy Act on behalf of minor children.
Frequently Asked Questions
Q: Does the Colorado Privacy Act apply to small businesses?
The Colorado Privacy Act applies only to businesses that meet specific thresholds: controlling or processing personal data of 100,000 or more Colorado consumers per year, or deriving revenue from selling personal data and controlling or processing personal data of 25,000 or more consumers. Many small businesses fall below these thresholds and are not subject to the CPA. However, all businesses must still comply with Colorado's data breach notification law and other applicable state and federal privacy regulations.
Q: How do I request my records under the Colorado Open Records Act?
Submit a written request to the custodian of records at the specific government agency that maintains the records you seek. Your request should clearly describe the records you want to inspect or receive copies of. The custodian must respond within three business days by either providing the records, scheduling a time for inspection, or explaining why additional time is needed. You can submit CORA requests via email, mail, or in person. No specific form is required, though some agencies provide optional request forms.
Q: Can employers in Colorado monitor employee emails and computer use?
Colorado law does not specifically prohibit employer monitoring of workplace email and computer systems that the employer owns and provides. However, employers should maintain clear policies notifying employees of monitoring practices. The Electronic Communications Privacy Act (ECPA) provides some federal-level protections, and Colorado's lawful off-duty activities statute, C.R.S. § 24-34-402.5, may limit employer actions based on off-duty electronic communications. Employers cannot require employees to provide access to personal social media accounts under C.R.S. § 8-2-121.
Q: How long does it take to seal criminal records in Colorado?
The timeline for sealing criminal records in Colorado varies. After filing a petition to seal under C.R.S. § 24-72-706, the court will schedule a hearing, typically within 60-90 days. The district attorney and arresting agency have the right to object. If the court grants the petition, the sealing order is sent to the Colorado Bureau of Investigation and other relevant agencies, which have up to 180 days to seal the records, though many complete the process more quickly. The entire process typically takes 4-8 months from petition filing to complete sealing.
Q: What should I do if a business refuses to honor my Colorado Privacy Act rights?
If a business denies your CPA request or fails to respond within 45 days (or 90 days if they notified you of an extension), first attempt to resolve the issue directly with the business's privacy contact. If unsuccessful, file a complaint with the Colorado Attorney General's Office at coag.gov. The Attorney General has exclusive enforcement authority for CPA violations. Provide documentation of your request and the business's response. Note that through December 31, 2024, businesses have a 60-day cure period to remedy violations before the Attorney General can take enforcement action.
Q: Are divorce records public in Colorado?
Divorce records are generally considered public records in Colorado under CORA, though certain documents may be sealed. Financial affidavits, documents containing children's addresses or schools, and information sealed by court order are typically not publicly accessible. Parties to a divorce can petition the court to seal sensitive portions of the record under C.R.S. § 13-3-117 if disclosure would be detrimental to the parties or children. Basic information like party names, case numbers, and final orders are usually accessible through Colorado courts' online systems or by visiting the clerk's office in the county where the divorce was filed.
Q: How do I remove my address from Colorado property records?
Property ownership records maintained by Colorado county assessors are public records under CORA and cannot be removed entirely. However, you can take steps to limit public exposure of your home address. Colorado's Address Confidentiality Program (ACP), administered by the Colorado Secretary of State under C.R.S. § 24-21-201 et seq., provides a substitute address for survivors of domestic violence, sexual assault, or stalking. ACP participants can use the substitute address for public records, DMV records, voter registration, and other purposes. Contact the Colorado Secretary of State at 303-894-2200 for ACP information. For property records specifically, consider using a trust or LLC to hold title, which can provide some privacy, though the beneficial owner may still need to be disclosed in certain contexts.
Q: Can I access my spouse's or ex-spouse's medical records in Colorado?
Generally, no. Under HIPAA and Colorado law (C.R.S. § 25-1-801), medical records are confidential and cannot be released without the patient's authorization. Marriage does not create an automatic right to access a spouse's medical records. Exceptions exist for: (1) healthcare decision-making when you have medical power of attorney or are the legal guardian; (2) situations involving minor children where you have parental rights; and (3) specific circumstances defined by court order in legal proceedings like divorce or custody cases. If you need medical records for a legal proceeding, you typically must obtain them through formal discovery processes or a court-issued subpoena.