Colorado's landmark digital accessibility legislation requiring state agencies to meet WCAG 2.1 AA standards.
Colorado Accessibility & Privacy Laws
Colorado leads in both digital accessibility and privacy legislation. HB21-1110 establishes comprehensive accessibility requirements for state government, while the Colorado Privacy Act (CPA), effective July 1, 2023, provides robust consumer privacy protections including a mandatory universal opt-out mechanism.
→
Accessibility Law
HB21-1110
→
Privacy Law
Colorado Privacy Act (CPA)
Comprehensive privacy rights with unique universal opt-out mechanism requirement for honoring browser signals.
Colorado Digital Accessibility Law (HB21-1110)
Colorado's HB21-1110 establishes comprehensive digital accessibility requirements for state government, making it one of the most progressive states for government accessibility.
Key Requirements
- State agencies must conform to WCAG 2.1 Level AA
- Accessibility plans required for all state agency websites
- Regular accessibility audits mandated
- Procurement requirements for accessible technology
Covered Entities
- Colorado state government agencies
- State contractors and vendors
- Public educational institutions
- Local government entities
Colorado Privacy Act (CPA)
The Colorado Privacy Act, effective July 1, 2023, provides comprehensive privacy protections and is notable for its mandatory universal opt-out mechanism requirement.
Who Must Comply?
Businesses that conduct business in Colorado or target Colorado residents AND:
- Control or process personal data of at least 100,000 Colorado consumers per year, OR
- Control or process personal data of at least 25,000 consumers and derive revenue from the sale of personal data
Consumer Rights Under CPA
| Right | Description |
|---|---|
| Right to Access | Confirm processing and access personal data |
| Right to Correct | Correct inaccurate personal data |
| Right to Delete | Delete personal data |
| Right to Portability | Obtain data in portable format |
| Right to Opt Out | Opt out of targeted advertising, sale of data, and profiling |
Universal Opt-Out Mechanism
GPC Compliance Required
Colorado is one of the first states to require businesses to honor universal opt-out mechanisms like Global Privacy Control (GPC). As of July 1, 2024, businesses must recognize and honor browser-based opt-out signals.
Sensitive Data
CPA requires opt-in consent before processing sensitive personal data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or citizenship status
- Genetic or biometric data
- Personal data from a known child
Enforcement
| Aspect | Details |
|---|---|
| Enforcing Authority | Colorado Attorney General, District Attorneys |
| Cure Period | 60 days (expires January 1, 2025) |
| Penalties | Up to $20,000 per violation under CCPA |
| Private Right of Action | No private right of action |