DSAR Requirements in Colorado (CPA)
Colorado DSAR requirements: consumer rights, response deadlines, identity verification, and penalties under the Colorado Privacy Act.
Last updated: 2026-02-08
Consumer Rights That Trigger DSARs
Colorado consumers can submit requests to:
- Access all personal data you hold about them
- Correct inaccurate personal data
- Delete personal data you collected
- Port their data in a portable, machine-readable format
- Opt out of the sale of personal data
- Opt out of targeted advertising
- Opt out of profiling that produces legal or similarly significant effects
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
45 days from receipt. You can extend by an additional 45 days if reasonably necessary — but you must notify the consumer of the extension and the reason within the initial 45-day window.
Colorado requires businesses to honor universal opt-out mechanisms (like Global Privacy Control).
Identity Verification
Required before fulfilling any request. The CPA does not prescribe a specific verification method.
Appeal Process
If you deny a request, the consumer can appeal. You must provide notice of their right to contact the Colorado Attorney General if the appeal is also denied.
Penalties
- $20,000 per violation (higher than most states)
- Cure period expired January 1, 2025 — no cure period is currently available
- No private right of action — only the Attorney General can enforce
Enforced by the Colorado Attorney General.
DSAR-Specific Exemptions
You may decline or limit a request when the data is needed to:
- Comply with a legal obligation
- Detect security incidents or protect against fraud
- Complete a transaction the consumer requested
Sensitive data (racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric data, children's data, geolocation) requires opt-in consent before processing.
Who This Applies To
Businesses that process personal data of 100K+ Colorado consumers or 25K+ consumers with any revenue from data sales.
For the full Colorado privacy law guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- DSAR Identity Verification — verification methods
- DSAR Exemptions — when you can refuse