Colorado has two landmark state laws affecting websites: the Colorado Privacy Act (CPA), in effect since July 1, 2023, and the Colorado AI Act (SB 24-205), the country's first comprehensive state AI regulation, originally set to take effect February 1, 2026 and delayed to June 30, 2026 by SB 25B-004. Combined with HB 21-1110 (the state accessibility law), Colorado has built one of the most comprehensive state-level digital compliance regimes outside of California.
Last reviewed 2026-06-01 · Risk rating rationale: The Colorado AG has been actively enforcing the CPA since 2024, and the Colorado AI Act creates a new category of website compliance obligation no other state has yet matched.
Find out in 10 seconds whether your site meets Colorado's requirements
Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Colorado sites we scan fail at least three.
No credit card · Email required so we can send you the full results.
Key Colorado laws affecting websites
The statutes most likely to apply to a commercial website serving Colorado residents. Click a citation to read the official text where available.
CPA
— Colorado Privacy Act · Effective 2023
Applies to: Businesses that conduct business in Colorado or produce products/services targeting Colorado residents, AND either (a) control or process personal data of 100,000+ Colorado consumers in a calendar year, or (b) derive revenue (or receive a discount) from selling personal data while processing data of 25,000+ Colorado consumers.
What your website must do
Publish a clear and conspicuous privacy notice
Provide consumer rights: access, correction, deletion, portability, opt-out of sale + targeted advertising + profiling
Recognize universal opt-out mechanisms (Global Privacy Control) — required since July 2024
Obtain opt-in consent for sensitive personal data
Conduct data protection assessments for high-risk processing
SB 24-205
— Consumer Protections for Interactions With Artificial Intelligence Systems · Effective 2026
Applies to: Developers and deployers of 'high-risk AI systems' that make or substantially assist in making 'consequential decisions' about Colorado consumers (employment, education, financial services, healthcare, housing, insurance, government services, legal services).
What your website must do
Disclose to consumers that an AI system is being used to make a consequential decision
Explain the principal factors in adverse decisions and how to appeal
Provide an opportunity to correct incorrect personal data used in the decision
Conduct and document impact assessments at least annually
Develop and maintain risk management programs that conform to a recognized framework (e.g. NIST AI RMF)
Citation: C.R.S. § 6-1-1701 et seq.
HB 21-1110
— Colorado Laws for Persons with Disabilities · Effective 2024
Applies to: State and local government entities. The state's technology accessibility rules set WCAG 2.1 Level AA as the conformance standard, and the statute provides statutory damages of $3,500 per violation.
What your website must do
If you're a Colorado state or local government entity: conform to WCAG 2.1 Level AA
Provide an accessibility plan documenting conformance progress
Designate an accessibility coordinator
Citation: C.R.S. § 24-85-101 et seq.
Colorado compliance by topic
Consumer data protection
State-specific rule applies
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
The CPA gives Colorado residents the modern set of privacy rights and was among the first state laws to mandate that businesses honor the Global Privacy Control browser signal. The Colorado AG has been the most active enforcer among second-wave state privacy regulators.
Practical requirements for your website
Publish a CPA-compliant privacy notice
Provide opt-out mechanisms for sale, targeted advertising, and profiling
Honor the Global Privacy Control (mandatory since July 2024)
Obtain opt-in consent for sensitive personal data
Conduct data protection assessments for high-risk processing
Respond to consumer rights requests within 45 days (extendable once by a further 45 days with notice to the consumer)
Cookies and tracking
State-specific rule applies
When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.
Colorado specifically requires honoring universal opt-out preference signals like the Global Privacy Control. A cookie banner is not enough — the browser-level signal must be respected, and the regulator has indicated that ignoring it is a per-se violation.
Practical requirements for your website
Honor the Global Privacy Control signal as an opt-out from sale and targeted advertising
Provide a cookie-specific opt-out interface for users without GPC enabled
Disclose third-party cookie sharing in the privacy notice
Suppress advertising and analytics cookies on opt-out
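The list above says what the site has to do with the signal; the block below shows one way to do it server-side. This is an added illustration, not Scantra's scanner code or any framework's API: the request is treated as opted out whenever the browser sends `Sec-GPC: 1` (or the client relays `navigator.globalPrivacyControl`), the on-site banner cannot override that signal, and advertising and analytics tags are dropped from the response rather than loaded and asked to "respect consent". The cookie name `co_optout`, the tag manifest, the category labels and the precedence rules are assumptions made for the example.

```javascript
// Added example (not the page's or any vendor's code): honoring a GPC-style universal
// opt-out on the server and suppressing gated tags for that request.
// Assumed names: OPT_OUT_COOKIE, GATED_CATEGORIES, TAG_MANIFEST and the category labels.

const OPT_OUT_COOKIE = "co_optout"; // hypothetical first-party cookie set by the on-site opt-out UI
const GATED_CATEGORIES = new Set(["advertising", "analytics"]); // treated as sale / targeted ads

// Lower-case header names so "Sec-GPC" and "sec-gpc" are handled alike.
function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) out[k.toLowerCase()] = v;
  return out;
}

// Minimal Cookie-header parser; a real app would use its framework's parser.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Decide whether this request is opted out and why.
// Precedence (assumed): a GPC signal always wins, so a banner click can never override it;
// then the site's own opt-out cookie; otherwise not opted out. "Sec-GPC" is a forbidden
// header name for page scripts, so its presence reflects the browser setting, not injected JS.
function resolveOptOut(req) {
  const headers = lowerKeys(req.headers || {});
  if ((headers["sec-gpc"] || "").trim() === "1") return { optedOut: true, source: "gpc" };
  // navigator.globalPrivacyControl relayed by the client, e.g. on an XHR/fetch that sets a flag
  if (req.navigatorGPC === true) return { optedOut: true, source: "gpc" };
  const cookies = parseCookies(headers["cookie"]);
  if (cookies[OPT_OUT_COOKIE] === "1") return { optedOut: true, source: "cookie" };
  return { optedOut: false, source: "none" };
}

// Constructed tag manifest: every third-party script labelled with the purpose it serves.
const TAG_MANIFEST = [
  { id: "consent-ui", src: "/static/consent.js", category: "essential" },
  { id: "analytics", src: "https://analytics.example/collect.js", category: "analytics" },
  { id: "ad-pixel", src: "https://ads.example/pixel.js", category: "advertising" },
];

// Tag ids to emit for this request: gated categories are removed entirely when opted out.
function selectTags(req, manifest = TAG_MANIFEST) {
  const { optedOut } = resolveOptOut(req);
  return manifest
    .filter((t) => !(optedOut && GATED_CATEGORIES.has(t.category)))
    .map((t) => t.id);
}

// Script tags for the HTML response, derived from selectTags so the two can never disagree.
function renderScripts(req, manifest = TAG_MANIFEST) {
  const ids = new Set(selectTags(req, manifest));
  return manifest
    .filter((t) => ids.has(t.id))
    .map((t) => `<script src="${t.src}"></script>`)
    .join("\n");
}

// Response headers for a page whose tag set depends on the signal: Vary on Sec-GPC (and on
// Cookie, because the site's own opt-out also changes the body) so a shared cache never
// hands the ad-loaded copy to an opted-out browser.
function responseHeaders(req) {
  resolveOptOut(req); // same decision path as the body; kept for symmetry with renderScripts
  return { Vary: "Sec-GPC, Cookie" };
}

// Small demo returning the decisions for a GPC browser and a plain one.
function demo() {
  const gpcReq = { headers: { "Sec-GPC": "1", Cookie: "session=abc" } };
  const plainReq = { headers: { Cookie: "session=abc" } };
  return { gpc: selectTags(gpcReq), plain: selectTags(plainReq) };
}
```

The cache point is the one practitioners most often miss: a page rendered without the ad pixel for a GPC browser and then served from a CDN to everyone, or the reverse, fails the check either way. `Vary: Cookie` makes shared caching nearly useless, so a common refinement is to keep only the GPC decision server-side (with `Vary: Sec-GPC`) and move the cookie-driven choice into a small first-party script that gates tag injection on the client.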
Accessibility (ADA + state)
State-specific rule applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
HB 21-1110 applies to state and local government entities. Private commercial sites in Colorado face federal ADA Title III liability, though Colorado state courts have been more willing than some jurisdictions to apply general consumer-protection theories to inaccessible commercial websites.
Practical requirements for your website
Government entities: conform to WCAG 2.1 Level AA and publish an accessibility plan
Private commercial sites: conform to WCAG 2.1 Level AA as the federal-ADA-compliance benchmark
Publish an accessibility statement with a contact route for users encountering barriers
Cybersecurity and breach response
State-specific rule applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
Colorado requires reasonable security procedures and practices to protect personal information (C.R.S. § 6-1-713.5) and 30-day breach notification under § 6-1-716. The CPA layers in data-protection-assessment requirements for high-risk processing.
Practical requirements for your website
Implement reasonable security procedures
Notify affected Colorado residents within 30 days of determining that a breach occurred
Notify the Colorado AG for breaches affecting 500+ residents
Conduct data protection assessments for high-risk processing
Email and SMS marketing
Federal law applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
Colorado follows federal CAN-SPAM with no significant state-level additions for commercial email. The Colorado No-Call List Act (C.R.S. § 6-1-901 et seq.) applies to telemarketing.
Practical requirements for your website
Comply with federal CAN-SPAM for email
Comply with federal TCPA for SMS
Maintain working unsubscribe mechanisms
AI regulation
State-specific rule applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
The Colorado AI Act is the country's first comprehensive state AI regulation. Its effective date, originally February 1, 2026, was pushed to June 30, 2026 by SB 25B-004. It applies to developers and deployers of high-risk AI systems and creates obligations around disclosure, appeal rights, impact assessments, and risk management programs. The scope is broader than New York City's Local Law 144 (which only covers employment).
Practical requirements for your website
If deploying high-risk AI for consequential decisions about Coloradans: disclose AI use to the consumer
Explain the principal factors in adverse decisions and provide an appeal path
Allow the consumer to correct incorrect personal data used in the decision
Conduct annual impact assessments
Maintain a risk-management program aligned with NIST AI RMF or equivalent framework
Frequently asked questions about Colorado website compliance
Does my website have to honor the Global Privacy Control in Colorado?
Yes — Colorado has required honoring the Global Privacy Control browser signal as a universal opt-out since July 2024. A CPA-covered business that ignores it is in violation per se, regardless of whether the user has interacted with the on-site cookie banner. The Colorado AG has stated GPC compliance is a priority enforcement area.
When does the Colorado AI Act affect my business?
June 30, 2026, is the effective date (originally February 1, 2026, delayed by SB 25B-004). The act applies if you deploy a high-risk AI system that makes or substantially assists consequential decisions about Coloradans in employment, education, financial services, healthcare, housing, insurance, government services, or legal services. If your business is in any of those verticals and uses automated decisioning, the disclosure, impact-assessment, and appeal-path obligations apply.
What's the difference between the CPA and Texas TDPSA?
The CPA has a higher applicability threshold (100,000 Colorado consumers, or revenue from sale + 25,000 consumers) than the TDPSA's broader 'conducts business in Texas or targets Texas residents' standard, which has no volume threshold but exempts small businesses as defined by the SBA. The CPA was also among the first state laws to mandate GPC honor, where the TDPSA's GPC obligation began January 1, 2025. Both require opt-in consent for sensitive data and both lack a private right of action; enforcement is AG-only.
Do I need a CPA-compliant privacy notice if I'm based outside Colorado?
Yes if you control or process the personal data of 100,000 or more Colorado consumers in a calendar year (many national websites cross this once analytics and ad-tech are connected) or if you sell data and process the data of 25,000 or more Coloradans. The location of your office is irrelevant. The CPA notice can be combined with the CCPA notice in a single multi-state privacy policy as long as the Colorado-specific rights are clearly described.
Ready to check your own site against Colorado's requirements?
The same free 9-rule scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-01. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Colorado.