On July 12, 2023, Colorado Attorney General Phil Weiser announced that his office has sent out a series of letters to businesses letting them know that it is beginning enforcement of the Colorado Privacy Act. The state’s privacy law officially went into effect on July 1.

“These letters will help make businesses aware of the law and direct them to educational resources to help them comply,” said Weiser. “And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

The letters have also identified two areas of compliance that the Attorney General’s Office will be paying particular attention to:

1. Sensitive Data
   Under the CPA, businesses must first get a consumer’s consent before processing any sensitive data. This includes data that reveals racial or ethnic origin, religious beliefs, health conditions or diagnosis, sex life or sexual orientation, and citizenship or immigration status. It also includes biometric data and the personal data of anyone under the age of 13.
2. Opt-Outs
   The CPA gives consumers the right to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce significant effects for the consumer.

While Colorado may not have a dedicated agency focused exclusively on data privacy—like California’s Privacy Protection Agency—the state has been sending signals that it intends to take enforcement seriously. It has already finalized regulations that go into great detail about compliance requirements such as universal opt-outs, data protection assessments, and purpose limitation. This new round of letters reinforces the perception that the Attorney General has privacy on his mind.

‍