The New Colorado and California Privacy Regulations Are Finalized: How Do They Compare?

April 27, 2023

In a Nutshell

What Happened

The Colorado and California comprehensive privacy regulations have been recently finalized. Companies have until July 1, 2023 to comply with most of the Colorado and California regulations. Enforcement of certain areas of the regulations will be delayed. 

Who Does this Affect

Subject to certain exemptions, companies doing business in the respective state that meet the processing and/or revenue thresholds described below.

How this Affects You

Failure to comply with the Colorado and/or California regulations may result in fines of up to $7,500 per violation (for California) and up to $20,000 per violation (for Colorado). Certain data breaches affecting California residents may trigger a private right of action for consumers. For Colorado residents, violation of the regulations may be considered an unfair or deceptive trade practice.

What You Can Do Now

Evaluate your privacy practices and policies to determine what updates are needed for compliance with the final regulations. Review any existing privacy notices, loyalty and financial incentives programs, internal retention policies, and procedures and mechanisms for verifying and fulfilling consumer requests (including honoring universal opt out mechanisms / preference signals).

Further Reading

What Happened?

On March 15, 2023, the Colorado Attorney General’s Office finalized regulations to the Colorado Privacy Act (CPA).  Both the law and most requirements under the regulations will take effect on July 1, 2023. Some requirements, such as an obligation to honor universal opt out mechanisms for targeted advertising and/or for the sale of personal information, will take effect on July 1, 2024.

Likewise, on March 29, 2023, the newly created California Privacy Protection Agency (CPPA) finalized regulations to the California Privacy Rights Act (CPRA).  The CPRA and its new regulations are themselves amendments to the California Consumer Privacy Act (CCPA) and the CCPA’s regulations, which first went into effect in 2020.  The CPPA will begin enforcement of the CPRA regulations on July 1, 2023.  What is notably missing from the finalized CPRA regulations is rulemaking concerning cyber audits, risk assessments, and automated decision-making, and it is unclear at this time when regulations regarding these topics will be finalized.  On March 30, 2023, the California Chamber of Commerce (CCC) filed suit against the CPPA (No. 2023-80004106) seeking to compel the CPPA to finalize complete regulations for all relevant topics by July 1, 2023, and to push back the enforcement date until 12 months after the full regulations are adopted so that businesses have adequate time to comply with the CPRA regulations. Regardless of the outcome of the suit, it is advised that businesses continue working toward compliance with the CPRA regulations by the July 1, 2023 deadline. 

Who is subject to the new regulations?

California: To be subject to the CCPA as amended by the CPRA, a for-profit entity must be doing business in California and meet at least one of the following thresholds: (i) have annual gross revenues of over 25 million dollars worldwide (not just in California); (ii) annually buy, sell, or share the personal information of 100,000 or more California residents/households; or (iii) derive 50% or more of its annual revenue from selling or sharing California residents' personal information.

Colorado: The CPA applies to any person or entity that does business in Colorado or offers commercial goods/services intentionally targeted to Colorado residents, and that meets at least one of the following thresholds: (i) controls or processes the personal information of 100,000 or more Colorado residents in a calendar year; or (ii) derives revenue (or receives a discount on goods or services) from the sale of personal information and controls or processes the personal information of 25,000 or more Colorado residents.

Both the California CPRA and the Colorado CPA have exemptions that should be reviewed for scoping purposes.

What do I need to do to comply?

Compliance with the new regulations in both states by July 1, 2023, may seem like a daunting task. However, there are similarities between the two states' regulations that can be leveraged when creating and/or updating your privacy compliance program. A summary of the key topics under both the California and Colorado regulations is provided in the table below.

Comparison Table between the New Privacy Regulations in California and Colorado

| Topic | California | Colorado |
|---|---|---|
| Rules on format, content, and delivery of privacy notices | Yes | Yes |
| Mechanisms required to enable a consumer request | Yes | Yes |
| Rules on authenticating consumer requests | Yes | Yes |
| How and when to respond to consumer requests (e.g., access, deletion, correction, and data portability) | Yes | Yes |
| Opt out request mechanisms for personal information selling and sharing for targeted advertising | Yes | Yes |
| Honoring universal opt out mechanisms / preference signals | Yes | Yes, but not in force until July 1, 2024 |
| Rules governing loyalty programs / financial incentives | Yes | Yes |
| Purpose and data minimization requirements, including restrictions on secondary uses of personal information | Yes | Yes |
| Duty of care requirement | No, but the CPRA requires reasonable security measures to be employed | Yes |
| Documentation of compliance measures | Yes | Yes |
| Specific training requirements | Yes | No |
| Consent requirements for the processing of sensitive personal information or personal information of minors | Yes, opt-in consent is required to sell or share the personal information of consumers under 16; an opt out (right to limit) applies to certain uses of sensitive personal information | Yes, for sensitive personal information and personal information of minors |
| Rules on profiling / automated decision-making activities | Yes, regulations are pending | Yes |
| Specific service provider contract requirements | Yes | Yes, under the CPA |
| Cyber audits / data protection risk assessments (DPIA) | Yes, regulations are pending | Yes, for high-risk activities and profiling |

 


This Cybersecurity, Data Protection, & Privacy Alert is intended to keep readers current on developments in the law and is not intended to be legal advice. If you have any questions, please contact Matthew H. Meade at 412.566.6983 or mmeade@eckertseamans.com, Elizabeth Wilson at 215.851.8497 or ewilson@eckertseamans.com, Roger LaLonde at 215.851.8503 or rlalonde@eckertseamans.com, a member of our Cybersecurity, Data Protection, & Privacy Practice Group, or any other attorney at Eckert Seamans with whom you have been working for further information and assistance.

Authors

Elizabeth Wilson, Member - Philadelphia

Roger LaLonde, Associate - Philadelphia