Personal data under the Colorado Privacy Act (CPA) refers to any information that is linked, or could reasonably be linked, to an identified or identifiable individual. This includes details like names, email addresses, physical addresses, ID numbers, IP addresses, and credit card information. However, the CPA excludes de-identified data, publicly available information, and certain exemptions such as employee data, job applicant information, and data collected for commercial or B2B purposes.

The Colorado Privacy Act exempts a variety of organizations, including:
- Colorado government bodies
- Airlines
- Public utility organizations
- Higher education institutions
- Consumer reporting agencies
- Entities processing de-identified personal data
- Entities handling data for Colorado health insurance law or employment records

Personal data regulated by other state and federal laws is also exempt, such as organizations covered by:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)

However, non-profits and charitable organizations are not exempt from the CPA.

The Colorado Attorney General (AG) and District Attorneys have exclusive enforcement authority over the CPA. If a potential violation occurs, the AG's office will issue a notice to the business, allowing 60 days from the notice to address and correct the violation.4o

To assure CPA compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is designed specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, verifying your store meets CPA requirements without hassle.