Colorado recently enacted an amendment to the Colorado Privacy Act (CPA), designating “precise” geolocation data as sensitive personal data. Since its passage in 2021, the CPA has positioned Colorado as a leader among the growing number of states enshrining privacy protections into comprehensive privacy laws.

With this amendment, Colorado has further strengthened and refined privacy protections for Colorado consumers to keep pace with new developments in digital technology and the law. The state joins the trend of states defining precise geolocation information (i.e., any information enabling a person to be located within 1,850 feet) and classifying it as sensitive personal data.

As consumers increasingly rely on technology in every facet of their lives, they leave behind a widening digital trail revealing their preferences, habits, and routines. Among the most significant parts of that trail is location data (whether precise or general), which is particularly sensitive because it tracks a person’s daily movements, offering insight into their lives. Businesses use this information for targeted marketing, but others may use it to monitor a person’s activities.

For someone wishing to learn as much as possible about a person, location data is among the most valuable types of information. It reveals a person’s daily comings and goings. A favored route for a morning run, a habitual place to eat lunch, or a dinner at a romantic partner’s home are just a few examples. But malicious actors can also use location data for exploitative purposes, such as stalking or extortion. That’s why the CPA now explicitly bans controllers from selling sensitive data, including precise geolocation data, unless they first obtain the consumer’s affirmative consent.

The Importance of Protecting Location Data

Recognizing the significance of this information, most state privacy laws, including Colorado’s CPA amendment, designate “precise” geolocation data as a sensitive personal data type that requires heightened safeguards and protections to stop misuse or unauthorized access.

For businesses and public agencies in Colorado, the CPA’s change likely has significant implications. Any processing of precise geolocation data, including transfers or sharing, now requires explicit consumer consent.

The law’s broad scope includes “derived” information (data from which a person’s whereabouts or activities can be inferred). This includes data from Wi-Fi networks, cellular towers, Bluetooth devices, IP addresses, and many other sources that help identify a person’s location. Other peripheral categories of data may also come under scrutiny if they can reveal someone’s location, such as purchase and transaction data, online behavior, and social media activity.

Evolving Landscape of Privacy Laws and Best Practices

Expect to see the contours of location data protections continue to evolve in the coming years. States with comprehensive privacy laws are sure to incrementally refine their approaches to protecting personal data. They may also gradually become more uniform by copying provisions from each other that have proven popular. Meanwhile, the growing body of enforcement actions and court decisions will shape a clearer set of principles and best practices for personal data management and protection that businesses can follow.

Note:

The CPA amendment, SB25-276, adds language that defines “precise” geolocation data as sensitive, which includes any data allowing a person’s whereabouts to be determined to within a broad radius of 1,850 feet. Specifically, SB25-276[i] defines “precise geolocation data” as “information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of one thousand eight hundred fifty feet… [and] includes: (i) global positioning system (gps) coordinates within a radius of one thousand eight hundred fifty feet; or (ii) any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of one thousand eight hundred fifty feet.”

This roughly tracks the definition provided in the California Consumer Privacy Act (CCPA), which also specifies 1,850 feet (about six football fields). It also excludes communication content or any data from advanced utility metering systems.

[i] https://leg.colorado.gov/sites/default/files/documents/2025A/bills/2025a_276_enr.pdf