Page 117 - GDPR and US States General Privacy Laws Deskbook

Colorado Privacy Act
(4)  A controller shall make the data protection assessment available to the attorney general upon request. The attorney
general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and
with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection
and copying under the “Colorado Open Records Act”, part 2 of article 72 of title 24. The disclosure of a data protection
assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any
attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any
information contained in the assessment.
(5) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(6)  Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are
not retroactive.
6-1-1310. Liability.
(1)  Notwithstanding any provision in part 1 of this article 1, this Part 13 does not authorize a private right of action for a
violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or
obligations imposed, nor alters any independent rights that consumers have, under other laws, including this Article 1, the
state constitution, or the United States constitution.
(2)  Where more than one controller or processor, or both a controller and a processor, involved in the same processing
violates this Part 13, the liability shall be allocated among the parties according to principles of comparative fault.
6-1-1311. Enforcement - penalties - repeal.
(1)  (a)  Notwithstanding any other provision of this article 1, the attorney general and district attorneys have exclusive authority
to enforce this Part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing
in the state to enforce this Part 13 as provided in this Article 1, including seeking an injunction to enjoin a violation of
this Part 13.
(b)  Notwithstanding any other provision of this article 1, nothing in this Part 13 shall be construed as providing the basis
for, or being subject to, a private right of action for violations of this Part 13 or any other law.
(c)  For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part
13 is a deceptive trade practice.
(d)  Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney
must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation
within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This
subsection (1)(d) is repealed, effective January 1, 2025.
(2)  The state treasurer shall credit all receipts from the imposition of civil penalties under this Part 13 pursuant to section
24-31-108.
6-1-1312. Preemption - local governments.
This Part 13 supersedes and preempts laws, ordinances, resolutions, regulations, or the equivalent adopted by any statutory
or home rule municipality, county, or city and county regarding the processing of personal data by controllers or processors.






























































