Colorado Privacy Act Exemption List [2024 Guide]

colorado privacy act exemption

The Colorado Privacy Act applies to businesses that process the data of or offer goods and services to the residents of Colorado. But not all of them.

Discover in this comprehensive Colorado Privacy Act exemption list if your business also has to follow this data privacy regulation.

Let’s dive right in.

Key Takeaways

  • The Colorado Privacy Act (CPA) applies to businesses that offer goods and services to CO residents for profit.
  • The CPA applies to businesses that either process data of at least 100,000 consumers in one year or process data of 25,000 or more consumers and earn revenue from selling their data.
  • The Colorado Privacy Act exemption list includes data such as healthcare, de-identified data, HIPPA-related data, GBLA-related data, SEC data, employee records, etc.

Colorado Privacy Act Explained

The Colorado Privacy Act is a new data privacy law effective as of July 1, 2023, that regulates data processing for businesses selling products and services aimed at Colorado residents.

The Act applies to any business (the data controller) that conducts business in Colorado or offers products and services targeted at Colorado residents and fulfills one of these criteria:

  1. Controls or processes data of at least 100,000 consumers during a single calendar year or
  2. Controls or processes data of 25,000 or more consumers and either earns revenue or gets a discount based on the sale of their data.

This act was created to provide consumers in Colorado with more assurance that their data is being treated with the privacy it deserves and that the consumers have more power over their data.

Does the Colorado Privacy Act Have Exemptions?

Similarly to the CPRA exemptions, the Colorado Privacy Act also has several, both when it comes to the businesses it applies to and in terms of data this data privacy law covers.

Just like with other data privacy laws like the GDPR or CPRA, the CPA exemptions have to be considered on a case-by-case basis and will depend on why your organization processes data in the first place.

The exemptions typically exist because they are protected by other laws like the HIPAA or GLBA, or they pose little to no risks to consumers.

Finally, if you believe your business should be exempt from the CPA, you need to justify the exemption and document the reasons.

Colorado Privacy Act Exemption List

Here is the full Colorado Privacy Act exemption list:

  1. Any information and documents created by an organization covered by the CPA for purposes of complying with and/or implementing the Health Insurance Portability and Accountability Act (HIPAA)
  2. Healthcare information that is governed by the Colorado Statutes Title 25, Article 1, Section 8
  3. Patient identifying information (PII) that is collected and processed according to CFR 42 Section 2
  4. Information collected, processed, sold, or disclosed according to the Gramm-Leach Bliley Act (GLBA) of 1999 (financial institutions and their affiliates)
  5. Collecting, maintenance, disclosure, sale, communication, or use of personal data related to the data collected and processed by a consumer reporting agency authorized by the Fair Credit Reporting Act (FCRA)
  6. Information collected, processed, sold, or disclosed according to the Driver’s Privacy Protection Act (DPPA) of 1994
  7. Data regulated by the Children’s Online Privacy Protection Act (COPPA) of 1998
  8. Data regulated by the Family Educational Rights and Privacy Act (FERPA) of 1974
  9. Collected and maintained in relation to Article 22, Title 10
  10. Identifiable private information collected as part of human subject research under CFR or the CPA
  11. De-identified information defined by the CFR and the Colo. Rev. Stat.
  12. Information maintained the same way as information under the Colorado Revised Statutes §6-1-1304(2)(a) to (2)(g) by:
  1. Data related to employment records
  2. Air carriers according to the United States Code (USC) Title 49 (Transportation)
  3. National Security Association registered under the Securities Exchange Act (SEC) of 1934
  4. Data maintained by a public utility or authority when the processing is authorized by state or federal law for non-commercial purposes
  5. Data maintained by a CO higher education institution in the state if it is processed for non-commercial purposes
  6. Information used and disclosed pursuant to the 45 CFR §164.512 (Uses and disclosures for which an authorization or opportunity to agree or object is not required)

CPA Exemptions for Data

In short, the Colorado Privacy Act has several data exemptions that range from healthcare data to public data. These are mostly related to:

  • Healthcare information
  • Non-commercial information
  • De-identified information
  • Information covered by GLBA, SEC, COPPA or FERPA
  • Data related to maintaining employee records
  • Public data

What Businesses are Included Under the CPA?

The CPA includes most medium to large companies that process data of Colorado residents. Here’s a breakdown of the businesses that must follow the CPA:

  1. Conducts business with Colorado residents or sells products and services to Colorado residents and
  • Control or process the personal data of a minimum of 100,000 consumers during a single calendar year or
  • Earn revenue or get a discount on the price of goods and services by selling personal data and also control and process the personal data of at least 25,000 consumers

Penalties for Non-Compliance with the CPA

Under the CPA, in case of a data security violation or to prevent future violations, the Attorney General (AG) or the District Attorneys are authorized to access and evaluate a company’s data protection assessments to set appropriate penalties.

However, the Colorado Privacy Act itself does not specify the penalties for non-compliance.

Instead, the penalties are defined by the Colorado Consumer Protection Act (CCPA), which sets the penalties from $2,000 to $20,000 per violation. There is a maximum penalty of $500,000 with the current regulation.

On top of these, Colorado Privacy Act fines, lawsuits, criminal charges, and reputational damages are possibilities, depending on the severity of the violation.

There is a Cure Period that will last until January 2025, which allows you to correct your non-compliance action within 60 days. However, other regulations like the CCPA may not be so lenient if you process Californian resident data.


Do you think the data your business processes is exempt from the CPA? If you’re wrong, this could potentially cost you up to $20,000 just for just one violation, with fines ranging up to $500,000 and much more in reputational costs, along with fines from other regulations.

If you’re wondering whether your business applies to the CPA, get in touch and talk with our compliance experts today! We have centuries of collective experience to ensure your business’s compliance with the CPA and other relevant regulations.

Don’t risk your company’s reputation and money; contact us today.


Who does the Colorado Privacy Act Apply to?

The Colorado Privacy Act applies to businesses and organizations that offer products and services to Colorado residents for profit and that:

  1. Collect and process data of at least 100,000 consumers in a single calendar year, or
  2. Collect and process data of a minimum of 25,000 consumers and earn revenue from processing their data

Is your business located in California? Here’s who the CPRA applies to.

What is the purpose limitation of the Colorado Privacy Act?

The Colorado Privacy Act (CPA) limits data processing and collection to the data that is:

  • That is adequate, relevant, and necessary for the processing purpose (data minimization),
  • For which consumer’s consent is obtained (no secondary use)
  • Necessary for protecting personal data

Looking for a data protection compliance service? Here’s how to find the best one for your business needs.

Does the Colorado Privacy Act have a private right of action?

A private right of action (PRA) represents the individual’s right to sue a company for violating their privacy rights directly instead of depending on the government to enforce data privacy laws.

The Colorado Privacy Act does not include a private right of action.

Find out if CCPA has a private right of action.

How long does Colorado keep medical records?

The state of Colorado requires that doctors keep medical records for at least 7 years, while hospitals must keep the same records for 10 years after the patient’s last treatment with that institution.

Learn what a healthcare compliance solution is and how to find the best one.

What is the cookie law in Colorado?

The state of Colorado (CO) does not have a specific cookie law. Instead, cookie consent is regulated by the Colorado Privacy Act (CPA).

The CPA regulates general cookie usage, exceptions, opt-out rules, and cookie notices.

Learn what is implied cookie consent.