Colorado Privacy Act Privacy Notice
COLORADO PRIVACY ACT (CPA) PRIVACY NOTICE
Effective Date: [DATE]
Last Updated: [DATE]
NOTICE TO COLORADO RESIDENTS
This Privacy Notice is provided pursuant to the Colorado Privacy Act, codified at Colorado Revised Statutes (C.R.S.) Section 6-1-1301 et seq., and the Colorado Privacy Act Rules at 4 CCR 904-3.
1. SCOPE AND APPLICABILITY
1.1 Who This Notice Applies To
This Notice applies to Colorado residents acting in an individual or household context ("consumers"). It does not apply to individuals acting in a commercial or employment context.
1.2 Applicability Thresholds
Pursuant to C.R.S. Section 6-1-1304, this Notice applies because [COMPANY NAME] meets one or more of the following thresholds:
☐ During a calendar year, controls or processes personal data of 100,000 or more Colorado consumers
☐ Derives revenue or receives discounts from the sale of personal data AND controls or processes personal data of 25,000 or more Colorado consumers
1.3 Exemptions
Pursuant to C.R.S. Section 6-1-1304(2), the following are exempt:
- State and local government entities
- National securities associations registered under the Securities Exchange Act
- Financial institutions subject to GLBA
- Covered entities and business associates under HIPAA
- Data subject to specific federal privacy laws (GLBA, HIPAA, FCRA, FERPA, COPPA)
- Nonprofit organizations (limited exemption)
- Higher education institutions (limited exemption)
- Air carriers
2. DEFINITIONS
Pursuant to C.R.S. Section 6-1-1303:
"Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.
"Sensitive Data" includes:
- Personal data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data for identification purposes
- Personal data from a known child
- Precise geolocation data (as of May 23, 2025, per SB 25-276)
"Sale" means the exchange of personal data for monetary or other valuable consideration.
"Targeted Advertising" means displaying advertisements based on personal data obtained from consumer's activities over time and across nonaffiliated websites/applications to predict preferences or interests.
"Profiling" means automated processing to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual.
3. CATEGORIES OF PERSONAL DATA PROCESSED
Pursuant to C.R.S. Section 6-1-1308(1)(a) and 4 CCR 904-3, Rule 5.03, we process the following categories of personal data:
3.1 General Personal Data
| Category | Examples | Collected | Purpose |
|---|---|---|---|
| Identifiers | Name, email address, phone number, account ID | ☐ Yes ☐ No | [PURPOSE] |
| Contact Information | Postal address, email, phone | ☐ Yes ☐ No | [PURPOSE] |
| Demographic Information | Age, gender, language | ☐ Yes ☐ No | [PURPOSE] |
| Commercial Information | Purchase history, products viewed | ☐ Yes ☐ No | [PURPOSE] |
| Internet Activity | Browsing history, search history, interactions | ☐ Yes ☐ No | [PURPOSE] |
| Geolocation Data | General location (non-precise) | ☐ Yes ☐ No | [PURPOSE] |
| Professional Information | Employment, job title | ☐ Yes ☐ No | [PURPOSE] |
| Education Information | Educational history | ☐ Yes ☐ No | [PURPOSE] |
| Inferences | Preferences, characteristics, behavior predictions | ☐ Yes ☐ No | [PURPOSE] |
3.2 Sensitive Data
Pursuant to C.R.S. Section 6-1-1308(7), we collect sensitive data only with your consent:
| Sensitive Category | Collected | Consent Obtained | Purpose |
|---|---|---|---|
| Racial or ethnic origin | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Religious beliefs | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Mental or physical health condition | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Sex life or sexual orientation | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Citizenship or citizenship status | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Genetic data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Biometric data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Data from known child | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Precise geolocation data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
4. PURPOSES OF PROCESSING
Pursuant to C.R.S. Section 6-1-1308(1)(a)(II), we process personal data for:
4.1 Specified, Express, and Legitimate Purposes
☐ Providing and maintaining our services
☐ Processing transactions and orders
☐ Communicating with you about your account
☐ Customer support and inquiries
☐ Security and fraud prevention
☐ Legal compliance and obligations
☐ Research and analytics
☐ Marketing and promotional communications (with consent where required)
☐ Personalization of services
☐ Targeted advertising (subject to opt-out)
☐ [ADDITIONAL PURPOSES]
5. SALE OF PERSONAL DATA AND TARGETED ADVERTISING
5.1 Sale of Personal Data
Pursuant to C.R.S. Section 6-1-1306(1)(a)(IV):
☐ We sell personal data
☐ We do not sell personal data
Categories of Data Sold:
| Category | Third Party Recipients | Purpose |
|---|---|---|
| [CATEGORY] | [RECIPIENTS] | [PURPOSE] |
5.2 Targeted Advertising
Pursuant to C.R.S. Section 6-1-1306(1)(a)(III):
☐ We process personal data for targeted advertising
☐ We do not process personal data for targeted advertising
5.3 Profiling
Pursuant to C.R.S. Section 6-1-1306(1)(a)(V):
☐ We engage in profiling that produces legal or similarly significant effects
☐ We do not engage in such profiling
6. THIRD-PARTY DISCLOSURES
Pursuant to C.R.S. Section 6-1-1308(1)(a)(III-IV), we share personal data with:
| Third Party Category | Categories of Data | Purpose |
|---|---|---|
| Service Providers | [CATEGORIES] | Processing on our behalf |
| Business Partners | [CATEGORIES] | [PURPOSE] |
| Advertising Partners | [CATEGORIES] | Targeted advertising |
| Analytics Providers | [CATEGORIES] | Analytics services |
| Payment Processors | [CATEGORIES] | Transaction processing |
| Government Entities | [CATEGORIES] | Legal compliance |
7. YOUR COLORADO PRIVACY RIGHTS
Pursuant to C.R.S. Section 6-1-1306, Colorado consumers have the following rights:
7.1 Right to Access (C.R.S. Section 6-1-1306(1)(a)(I))
You have the right to confirm whether we are processing your personal data and to access such data.
7.2 Right to Correct (C.R.S. Section 6-1-1306(1)(a)(II))
You have the right to correct inaccuracies in your personal data.
7.3 Right to Delete (C.R.S. Section 6-1-1306(1)(a)(VI))
You have the right to delete personal data provided by or obtained about you.
7.4 Right to Data Portability (C.R.S. Section 6-1-1306(1)(a)(VII))
You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
7.5 Right to Opt Out (C.R.S. Section 6-1-1306(1)(a)(III-V))
You have the right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects
8. EXERCISING YOUR RIGHTS
8.1 How to Submit a Request
Pursuant to 4 CCR 904-3, Rule 5.04:
Methods to Submit Requests:
☐ Online Portal: [URL]
☐ Email: [PRIVACY EMAIL]
☐ Phone: [PHONE NUMBER]
☐ Mail: [MAILING ADDRESS]
8.2 Identity Verification
We will authenticate your identity before fulfilling your request. Verification methods may include:
- Account authentication
- Matching information you provide
- Third-party verification services
8.3 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. Requirements include:
- Written authorization signed by you
- Verification of your identity
- Verification of the agent's authority
8.4 Response Timeline
Pursuant to C.R.S. Section 6-1-1306(2)(c):
- Initial Response: Within 45 days of receipt
- Extension: May extend by an additional 45 days when reasonably necessary
- Notification: We will inform you of any extension and the reason
8.5 No Fee
We provide responses free of charge. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
9. UNIVERSAL OPT-OUT MECHANISMS
9.1 Recognition of Opt-Out Preference Signals
Pursuant to C.R.S. Section 6-1-1306(1)(a) and 4 CCR 904-3, Rule 5.11, effective July 1, 2024, we recognize and process opt-out preference signals including:
☐ Global Privacy Control (GPC)
☐ Other Universal Opt-Out Mechanisms: [SPECIFY]
9.2 How Universal Opt-Out Requests Are Processed
When we receive a universal opt-out signal, we will:
- Process it as a valid opt-out request for targeted advertising and sale of personal data
- Apply the opt-out to the browser or device from which the signal was sent
- Not require you to verify your identity for opt-out requests
9.3 Opt-Out Link
"Your Privacy Choices" Link: [URL]
10. RIGHT TO APPEAL
10.1 Appeal Process
Pursuant to C.R.S. Section 6-1-1306(3), if we decline your request, you have the right to appeal.
To Submit an Appeal:
☐ Email: [APPEAL EMAIL]
☐ Online Form: [URL]
☐ Mail: [ADDRESS]
10.2 Appeal Response
- We will respond to your appeal within 45 days
- If we deny your appeal, we will provide information on how to contact the Colorado Attorney General
10.3 Contact the Attorney General
If you are not satisfied with our appeal decision:
Colorado Attorney General
Consumer Protection Section
Ralph L. Carr Colorado Judicial Center
1300 Broadway, 7th Floor
Denver, CO 80203
Website: coag.gov/resources/colorado-privacy-act
11. DATA PROTECTION ASSESSMENTS
Pursuant to C.R.S. Section 6-1-1309, we conduct data protection assessments for processing activities that present heightened risk of harm, including:
☐ Processing for targeted advertising
☐ Sale of personal data
☐ Processing for profiling with reasonably foreseeable risk
☐ Processing sensitive data
☐ Any processing presenting heightened risk of harm
12. MINOR PROTECTIONS (SB 24-041)
12.1 Enhanced Protections for Minors
Pursuant to SB 24-041 (effective July 1, 2024), we:
☐ Exercise a duty of reasonable care to avoid heightened risk of harm to minors
☐ Obtain consent before processing personal data of known minors for targeted advertising or sale
☐ Implement age verification mechanisms where appropriate
12.2 Definition of Minor
A "minor" means an individual under 18 years of age who is a Colorado resident.
12.3 Prohibited Practices for Minors
We do not:
☐ Process personal data of minors for targeted advertising without consent
☐ Sell personal data of minors without consent
☐ Use design features that increase, sustain, or extend minor use against their interests
13. DATA MINIMIZATION AND PURPOSE LIMITATION
13.1 Data Minimization
Pursuant to C.R.S. Section 6-1-1308(3), we limit collection to what is adequate, relevant, and reasonably necessary for the specified purposes.
13.2 Purpose Limitation
Pursuant to C.R.S. Section 6-1-1308(4), we do not process personal data for purposes incompatible with the disclosed purposes without obtaining your consent.
14. DATA SECURITY
Pursuant to C.R.S. Section 6-1-1308(2), we maintain reasonable administrative, technical, and physical data security practices to protect personal data.
Our security measures include:
☐ Encryption of data in transit and at rest
☐ Access controls and authentication
☐ Regular security assessments
☐ Employee training
☐ Incident response procedures
☐ Vendor security requirements
15. DATA RETENTION
We retain personal data only as long as reasonably necessary for the purposes disclosed:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | [PERIOD] | [BASIS] |
| Transaction Records | [PERIOD] | [BASIS] |
| Marketing Data | [PERIOD] | [BASIS] |
| Communication Records | [PERIOD] | [BASIS] |
16. CONTROLLER AND PROCESSOR RELATIONSHIPS
16.1 Controller Information
[COMPANY NAME] is the controller of personal data processed under this Notice.
Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]
16.2 Processor Contracts
Pursuant to C.R.S. Section 6-1-1305, our contracts with processors include:
- Clear processing instructions
- Nature and purpose of processing
- Types of data subject to processing
- Duration of processing
- Rights and obligations of both parties
17. CONTACT INFORMATION
Privacy Inquiries:
Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]
Consumer Rights Requests:
Email: [EMAIL]
Online: [URL]
Phone: [PHONE]
18. CHANGES TO THIS NOTICE
We may update this Notice to reflect changes in our practices or legal requirements. We will notify you of material changes:
☐ By posting an updated Notice on our website
☐ By email notification
☐ By notice within our application
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
| 2.0 | [DATE] | [NAME] | Updated for 2026 requirements |
Legal Review: ☐ Completed Date: _________ Reviewer: _________
Next Review Date: _____________
This Notice is provided for informational purposes and compliance with the Colorado Privacy Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026