ConsentPixel – Privacy · Verified

US State Privacy Law

Colorado Privacy Act
(CPA)

Colorado's comprehensive privacy law has been in effect since July 1, 2023, and it goes further than most. Colorado's statute was the first in the US to require businesses to honour the Global Privacy Control browser signal, and its attorney general published detailed rules specifically prohibiting dark patterns in consent interfaces. If your site has Colorado visitors, here is what you need to know.

Effective July 1, 2023
Colorado AG & DA enforcement
Updated 2026
$20,000
Max civil penalty per violation
$500K
Max per enforcement action
100K
Consumer records threshold
Jul 2024
GPC signal honouring became mandatory

What Is the Colorado Privacy Act?

The Colorado Privacy Act is Colorado's comprehensive consumer data privacy law, signed by Governor Jared Polis on July 7, 2021 and effective July 1, 2023. It was the third state-level comprehensive privacy law in the United States after California's CCPA and Virginia's VCDPA — and in several respects it is the most technically prescriptive of the three.

The CPA draws heavily from the GDPR's controller/processor framework and from the VCDPA's structure, but adds notable Colorado-specific requirements. Most significantly, Colorado was the first US state whose statute explicitly mandated that businesses honour Universal Opt-Out Mechanisms (UOOMs), including the Global Privacy Control (GPC) browser signal, as a legally valid opt-out from targeted advertising and data sale. This requirement took effect July 1, 2024.

The Colorado Attorney General's office also published detailed implementing rules in 2023, covering consent interfaces, dark patterns, data protection assessments, and processor contracts. These rules are more technically specific than equivalent guidance from any other US state and provide both clear compliance targets and clear enforcement criteria.

💡
Colorado's AG rules on dark patterns are the most detailed in the US. The rules explicitly prohibit consent interfaces that make opting out harder than opting in, require multiple steps to decline versus a single click to accept, use confusing or misleading language, or exploit cognitive biases to obtain consent. This directly impacts how your consent banner must be designed — not just whether you have one.

Who Does the CPA Apply To?

The CPA applies to controllers that conduct business in Colorado or produce commercial products or services intentionally targeted to Colorado residents, and that during a calendar year meet at least one of the following thresholds:

👥
100,000+
Colorado consumers whose personal data you control or process per calendar year
Includes website visitors tracked by analytics or ad pixels
💰
25,000+
Colorado consumers processed, and revenue or discounts derived from selling personal data
Even a small discount from a data broker relationship can trigger this

There is no revenue threshold in the CPA — unlike CCPA's $25 million trigger. A business with significant web traffic but modest revenues can be covered based on consumer volume alone. The 100,000 consumer count includes website visitors whose data is processed by third-party analytics, advertising, or session-replay tools — not only paying customers or registered users.

⚠️
Non-profits are not exempt. Unlike the CCPA, which applies only to for-profit businesses, and the VCDPA, which exempts non-profit organisations, the CPA applies to any controller that meets the thresholds, including non-profits. A non-profit whose donor, membership or newsletter site is tracked by analytics or advertising tools for 100,000 or more Colorado consumers a year is covered on the same terms as a commercial business.

Consumer Rights Under the CPA

Colorado consumers have five statutory rights under the CPA, mirroring the VCDPA structure. Covered businesses must respond to verifiable consumer requests within 45 days, extendable by a further 45 days (90 days total) with written notice.

Right 1

Right to Access

Consumers can confirm whether you are processing their personal data and, if so, obtain a copy. You may charge a reasonable fee for manifestly unfounded or excessive requests but must respond free of charge to the first request in any 12-month period.

Right 2

Right to Correction

Consumers can request correction of inaccurate personal data you hold about them, taking into account the nature of the data and the purposes of processing. You must consider requests in good faith.

Right 3

Right to Deletion

Consumers can request deletion of personal data you collected about them — including data obtained from third parties. Exceptions apply for legal obligations, fraud prevention, public interest research, and free speech purposes.

Right 4

Right to Data Portability

Consumers can receive a copy of their personal data in a portable, readily usable format enabling transmission to another controller. Applies to data processed through automated means.

Right 5

Right to Opt Out

Consumers can opt out of processing of their personal data for targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Since July 1, 2024, opt-out must also be honoured automatically via Universal Opt-Out Mechanisms including the Global Privacy Control browser signal.

Colorado's Universal Opt-Out Mechanism Requirement

The most operationally significant CPA requirement for website operators is the Universal Opt-Out Mechanism (UOOM) mandate. It is the one CPA obligation that cannot be met with a policy update alone: it requires a technical change to how your banner and tags behave.

Effective July 1, 2024: GPC Signal Honouring Is Now Mandatory in Colorado

Since July 1, 2024, businesses subject to the CPA must technically recognise and honour Universal Opt-Out Mechanisms (UOOMs) as a valid consumer opt-out from targeted advertising and data sale. The Global Privacy Control (GPC) — a browser-level privacy signal supported by Firefox, Brave, and Chrome extensions — is the primary UOOM the Colorado AG has recognised.

What this means in practice: when a Colorado consumer visits your website with GPC enabled in their browser, your consent management platform must automatically detect the signal and suppress all targeted advertising and data-sale scripts — without requiring the consumer to manually click an opt-out link. A cookie banner that a GPC user still needs to interact with to opt out does not satisfy this requirement.

This is technically more demanding than a standard opt-out banner. The signal reaches you in two forms: the browser sends a `Sec-GPC: 1` request header on every request (visible only to your server), and it exposes `navigator.globalPrivacyControl === true` to page scripts (visible only to client-side code). Your CMP must read one of these before any targeted advertising or data-sale tag executes and block those tags in real time, so that no data is transmitted. A check that runs after the tags have already fired, or one that only suppresses the banner, does not satisfy the rule.
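The following is an added worked example, not ConsentPixel's code and not taken from the Colorado AG rules. It shows the two detection paths described above (the `Sec-GPC` header on the server, the `navigator.globalPrivacyControl` property in the browser), how a prior banner choice and an active GPC signal combine, how the decision is recorded for an audit log, and how inert tags are activated only for permitted categories. Everything else is an assumption made for the example: the category names, the `cp_consent` cookie holding the stored banner choice, and the convention of authoring non-essential tags as `<script type="text/plain" data-category="...">` so the browser parses but does not execute them until this code swaps in a live script element.

```javascript
// Added example (not ConsentPixel's code, not from the Colorado AG rules):
// detect a Global Privacy Control opt-out and decide which script categories
// may run before any tag executes.
//
// Assumptions, all illustrative: consent categories are named "necessary",
// "analytics", "advertising" and "sale"; a prior banner choice is stored as a
// JSON array in a cookie called cp_consent; non-essential tags are authored as
//   <script type="text/plain" data-category="advertising" src="..."></script>
// so the browser parses but does not execute them until this code swaps in a
// real script element.

const CATEGORIES = ["necessary", "analytics", "advertising", "sale"];

// GPC is an opt-out from targeted advertising and data sale; it says nothing
// about analytics, so only these two categories are removed by the signal.
const GPC_OPT_OUT = new Set(["advertising", "sale"]);

// Client side: navigator.globalPrivacyControl is true only when the user has
// enabled GPC. Browsers without support leave the property undefined.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same choice arrives as the "Sec-GPC" request header. The
// GPC spec defines "1" as the only meaningful value; anything else is "not set".
function gpcFromHeaders(headers) {
  if (!headers) return false;
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return name !== undefined && String(headers[name]).trim() === "1";
}

// Parse the stored banner choice (cookie name "cp_consent" is an assumption).
function readStoredChoice(cookieString) {
  const m = /(?:^|;\s*)cp_consent=([^;]*)/.exec(cookieString || "");
  if (!m) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    return Array.isArray(parsed) ? parsed.filter((c) => CATEGORIES.includes(c)) : null;
  } catch (e) {
    return null; // malformed cookie: treat as "no choice", never as consent
  }
}

// Decide what may run. "necessary" always runs; a stored choice adds
// categories; an active GPC signal removes targeted advertising and sale even
// when the stored choice allowed them. The signal never grants anything.
function resolvePermissions(storedChoice, gpcActive) {
  const allowed = new Set(["necessary"]);
  for (const c of storedChoice || []) {
    if (CATEGORIES.includes(c)) allowed.add(c);
  }
  if (gpcActive) {
    for (const c of GPC_OPT_OUT) allowed.delete(c);
  }
  return allowed;
}

// Audit record: timestamp, banner version, stored choice, signal source, outcome.
function decisionRecord(storedChoice, gpcActive, bannerVersion, now) {
  return {
    at: (now || new Date()).toISOString(),
    bannerVersion,
    storedChoice: storedChoice || [],
    signalSource: gpcActive ? "gpc" : storedChoice ? "banner" : "none",
    allowed: [...resolvePermissions(storedChoice, gpcActive)],
  };
}

// Swap each permitted text/plain tag for a real script element so it executes;
// blocked tags stay inert. Returns how many were activated.
function activateGatedScripts(doc, allowed) {
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!allowed.has(el.getAttribute("data-category"))) continue;
    const live = doc.createElement("script");
    const src = el.getAttribute("src");
    if (src) live.setAttribute("src", src);
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Browser entry point: runs at page load, before any gated tag has executed.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const choice = readStoredChoice(document.cookie);
  const gpc = gpcFromNavigator(navigator);
  activateGatedScripts(document, resolvePermissions(choice, gpc));
}
```

Two design points worth noting. The signal is applied as a subtraction from whatever the stored choice allows, so a visitor who clicked "Accept All" last month and has since enabled GPC still has advertising and sale tags suppressed, while a stored choice is still honoured for categories the signal does not cover. And the gating happens by never executing the tag at all, rather than by loading it and then trying to suppress its network calls, which is the only way to guarantee nothing is transmitted before the decision is made.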

Colorado's Dark Patterns Prohibition

The Colorado AG's implementing rules explicitly prohibit the use of dark patterns in consent interfaces — and this has direct, practical implications for how your consent banner must be designed. A consent mechanism obtained through a dark pattern is not valid consent under the CPA, and the AG's rules list specific prohibited patterns.

🎨

Visual prominence asymmetry

Making "Accept All" visually prominent (large, brightly coloured) while "Reject" or "Manage Preferences" is greyed out, smaller, or buried. Both options must be equally accessible.

🖱️

Click asymmetry

Requiring one click to accept all but multiple clicks or a separate preferences panel to decline. Opting out must be as simple — the same number of steps — as opting in.

📝

Misleading language

Using confusing, ambiguous, or double-negative language in consent choices — for example, "Uncheck to not receive personalised ads" — that obscures what the consumer is actually agreeing to.

🔁

Consent fatigue tactics

Repeatedly re-prompting consumers who have already opted out, using nagging banners to wear down resistance, or making the opt-out choice expire unreasonably quickly to force re-engagement.

🔒

Bundled consent

Requiring consent to non-essential data processing as a condition of using a service when that processing is not necessary to provide the service. Granular category consent is required.

😰

False urgency or threats

Creating false urgency ("You must decide now"), implying negative consequences for declining, or misrepresenting what declining consent will mean for the consumer's experience.

🚫
Most "consent-washing" banners violate Colorado's rules. A banner where "Accept All" is a large teal button and "Manage Preferences" is small grey text in the corner fails Colorado's visual prominence requirement. If your current banner was designed to maximise opt-in rates rather than to present a genuine choice, it likely uses at least one prohibited dark pattern under CPA rules.

Does your banner pass Colorado's dark pattern rules?

ConsentPixel — Privacy · Verified deploys balanced consent interfaces that meet Colorado's specific requirements — equal visual weight, single-click opt-out, automatic GPC detection.


CPA vs. CCPA vs. VCDPA vs. GDPR

Feature | CPA (Colorado) | CCPA/CPRA (California) | VCDPA (Virginia) | GDPR (EU)
Effective date | Jul 1, 2023 | Jan 1, 2020 (CPRA amendments Jan 1, 2023) | Jan 1, 2023 | May 25, 2018
Revenue threshold | None | $25M gross revenue | None | None
Consumer volume threshold | 100K/year | 100K/year | 100K/year | None
Opt-in consent for tracking? | No (opt-out) | No (opt-out) | No (opt-out) | Yes (opt-in)
GPC/UOOM mandatory? | Yes (Jul 2024) | Yes (CPPA regulations) | No | Recommended
Dark patterns explicitly prohibited? | Yes (detailed AG rules) | Yes (statute and CPPA regulations) | Yes (statute only) | Yes (EDPB guidance)
Data protection assessments | Required (targeted advertising, sale, profiling, sensitive data) | Risk assessments required under CPPA regulations | Required (same activity list as CPA) | Required (DPIAs for high-risk processing)
Private right of action | No | Limited (data breaches) | No | Yes
Max civil penalty | $20K/violation; $500K/action | $2,500/violation; $7,500/intentional | $7,500/violation | €20M or 4% of global turnover
Non-profit exemption | No (non-profits are covered) | Yes (applies to for-profit businesses only) | Yes | No

How ConsentPixel — Privacy · Verified Handles CPA

ConsentPixel — Privacy · Verified is built to meet the specific technical requirements of Colorado's CPA — not just generic consent management. A single pixel installation handles every CPA obligation automatically.

📡

Automatic GPC signal detection

ConsentPixel reads the Global Privacy Control signal on every page load — both the HTTP header and the JavaScript property. Colorado visitors with GPC enabled have targeted advertising and data-sale scripts suppressed automatically, with no manual opt-out click required. Compliant with Colorado's July 2024 UOOM mandate.

⚖️

Balanced consent interface — no dark patterns

ConsentPixel's consent banner is designed to meet Colorado's specific dark pattern prohibitions: equal visual weight for Accept and Reject options, single-click opt-out at the same level as Accept All, clear category-level descriptions, and no consent fatigue re-prompting. Your interface passes Colorado's AG rules by design.

🚫

Script blocking before opt-out established

All targeted advertising and analytics scripts are blocked at page load until the visitor's opt-out status is confirmed. For visitors with GPC active, blocking is immediate. For all others, the opt-out mechanism is presented before any non-essential data is transmitted.

🗂️

Consent and opt-out audit log

Every consent decision and opt-out event — including GPC-triggered opt-outs — is timestamped and stored in your portal. The log records the banner version shown, the consumer's choices, and the signal source. Produceable on demand for Colorado AG investigations.

🔍

Continuous tracker scanning

ConsentPixel scans your site continuously and alerts you when new trackers appear — including those silently added by plugin or app updates. Your data inventory stays current without manual quarterly audits, supporting Colorado's data protection assessment requirements.

📬

Consumer rights request portal

An embeddable DSAR form handles all five CPA consumer rights. Requests are routed to your portal with 45-day deadline tracking, identity-verification prompts, and a response log. Appeal workflows are supported: the CPA requires a conspicuous process for consumers to appeal a denied request, and the controller must respond to the appeal within 45 days.

Colorado CPA Compliance Checklist

Use this checklist to assess your CPA compliance posture. Click each item to mark it complete.

📋 Colorado Privacy Act Compliance Checklist — 2026
Confirm CPA thresholds apply to your business: 100K+ Colorado consumer records/year, or 25K+ records with revenue or discounts from selling personal data.
Deploy a consent banner that technically blocks scripts, not just displays a notice: script blocking before consent is the baseline for meaningful compliance.
Audit your consent banner for dark patterns: equal visual weight for Accept and Reject; single-click opt-out; no misleading language; no bundled consent.
Implement GPC / Universal Opt-Out Mechanism detection: mandatory since July 1, 2024; must auto-suppress targeted advertising and data-sale scripts when GPC is active.
Provide a clear opt-out for targeted advertising and data sale: a prominently placed link or banner mechanism that is functional, not cosmetic.
Set up a consumer rights request process with an appeal workflow: 45-day response, optional 45-day extension, and a 45-day window for the controller to answer an appeal of a denied request.
Conduct data protection assessments for required activities: targeted advertising, data sale, profiling with legal or similarly significant effects, and sensitive data processing.
Update your privacy policy with CPA-required disclosures: categories of data, purposes, third-party sharing, how to exercise rights, and the appeal process.
Review processor contracts for CPA compliance language: every data processor must have a contract specifying instructions, confidentiality, and deletion obligations.
Build and maintain a data inventory: map every category of personal data, what is collected, from where, where it is stored, and with whom it is shared.
Maintain consent and opt-out logs for audit purposes: timestamped records of every consumer choice, including GPC-triggered automatic opt-outs.

Frequently Asked Questions

What is the Colorado Privacy Act?

The Colorado Privacy Act is Colorado's comprehensive consumer data privacy law, effective July 1, 2023. It grants Colorado residents five rights over their personal data (access, correction, deletion, portability, and opt-out from targeted advertising, data sale, and consequential profiling) and imposes obligations on businesses that collect or process that data. Colorado's statute was the first in the US to require businesses to honour the Global Privacy Control browser signal as a valid opt-out.

Who does the CPA apply to?

The CPA applies to controllers conducting business in Colorado or targeting Colorado residents that process personal data of 100,000 or more Colorado consumers per year, or 25,000 or more consumers while deriving revenue or discounts from selling personal data. There is no revenue threshold, only volume-based triggers, and non-profit organisations are covered on the same terms. The consumer count includes website visitors tracked by analytics or advertising tools, not only paying customers.

What makes the CPA different from other state privacy laws?

Three things distinguish Colorado's CPA. First, its statute was the first in the US to mandate technical honouring of Universal Opt-Out Mechanisms including GPC, effective July 2024. Second, Colorado's AG published detailed implementing rules specifically prohibiting dark patterns in consent interfaces, with more specificity than any other US state. Third, the CPA requires data protection assessments before targeted advertising, data sale, profiling with legal or similarly significant effects, and sensitive data processing, and the AG rules spell out what those assessments must contain.

Who enforces the CPA, and what are the penalties?

The Colorado AG and district attorneys enforce the CPA. Civil penalties can reach $20,000 per violation with a $500,000 maximum per enforcement action, significantly higher per violation than CCPA's $7,500 cap. The CPA originally included a 60-day cure period, which became discretionary for regulators after January 1, 2025. There is no private right of action.

Does the CPA require opt-in consent?

The CPA uses an opt-out model, not GDPR-style opt-in consent, for targeted advertising and data sale (consent is required for sensitive data). It requires a clear opt-out mechanism for targeted advertising and data sale, and since July 2024 mandates automatic GPC signal recognition. It also prohibits dark patterns in consent interfaces, meaning your banner design must present genuinely equal choices. A consent management platform that blocks scripts, detects GPC, and presents a balanced interface addresses all of these requirements at once.

What counts as a dark pattern under Colorado's rules?

Colorado's AG rules explicitly prohibit consent interfaces that: make Accept visually prominent while burying Reject; require more clicks to opt out than to accept; use confusing or double-negative language; repeatedly re-prompt consumers who have opted out; bundle consent to non-essential processing with service access; or create false urgency or imply negative consequences for declining. Any consent obtained through a prohibited dark pattern is not valid consent under the CPA.
Colorado CPA Compliance — Automated

GPC detection. No dark patterns.
One pixel. Sorted.

ConsentPixel — Privacy · Verified automatically detects GPC signals, suppresses targeted advertising scripts, presents a balanced consent interface that meets Colorado's dark pattern rules, and logs every opt-out event for your audit trail.
