An Overview of Colorado Open Records Act Requirements
Managing the Colorado Open Records Act often creates a challenge for agencies because they must meet transparency requirements while working with limited daily capacity. With a standard response window of only three business days, the pressure to identify, review, and produce records across fragmented digital channels is a constant challenge for state and local agencies.
Navigating these requests requires a secure process that turns complex data into a reliable, retrievable asset rather than a liability. Establishing clear visibility into your communication archives is the only way to meet public expectations without disrupting operations.
Key takeaways
-
If a message is about public business, it is considered a public record under the Colorado Open Records Act — including emails, texts, social media messages, or other digital communication tools.
-
Agencies have three working days to respond to a request, with up to seven additional working days available when extenuating circumstances apply.
-
Any person can submit a request without disclosing identity or purpose, except when records pertain to a person in interest.
-
Non-compliance can trigger a court order, mandatory attorney's fees to the requester, personal financial penalties on the records custodian for arbitrary or capricious denials, and can cause operational strain for the agency involved.
What is the Colorado Open Records Act (CORA)?
The Colorado Open Records Act (CORA), codified at C.R.S. § 24-72-201 to 206, establishes the presumption that public records held by state and local agencies are open for inspection.
Records are defined broadly as writings made, maintained, or kept by a public entity for use in the performance of public functions or involving the receiving or spending of public funds. Records encompass any written or documentary material, regardless of format or channel.
How to file a Colorado Open Records Act (CORA) request
Filing a request under CORA does not require a specific form, however many agencies maintain their own submission process to keep requests trackable and defensible.
Who can submit records requests?
Colorado takes a fairly open approach to eligibility. Under the statute, any person can submit a request, and the definition of person extends beyond individuals to include corporations, limited liability companies, partnerships, and associations. A requester is not required to state a reason, and the requester’s purpose has no bearing on whether records need to be disclosed.
Identification is not generally required. Agencies cannot demand proof of identity unless the requested records pertain to a person in interest or fall under the Colorado Criminal Justice Records Act, which has different identification requirements.
The statute does not impose a particular format, so requests can come by email, mail, fax, or in person, though most state agencies prefer written submissions to have a clear record of what was asked and when.
Response timelines and obligations
Timeline for response
Once a records custodian receives a request, the agency has three working days to make the records available. If the request involves extenuating circumstances, the custodian may take up to seven additional working days. This might be the case when records are stored off-site, the request is unusually broad, or the staff members are already handling a high volume of requests.
Denials and exemptions
When a custodian denies a request in whole or in part, the response must include a written explanation citing the specific statutory basis for the denial. For a broader context on how Colorado compares with other states, our interactive FOIA laws map shows side-by-side response windows and exemption categories around the country.
Fees
Under C.R.S. § 24-72-205, agencies are required to provide the first hour of research and retrieval time at no cost. After that, they may charge for staff time, with the hourly rate capped at $41.37 as of July 1, 2024. The rate is reviewed every five years and adjusted based on the Denver-Aurora-Lakewood consumer price index.
For paper copies, agencies may charge $0.25 per page beginning at the 26th page, though per-page fees cannot be applied to records delivered in digital format.
Electronic and digital records
CORA focuses more on the communication itself, rather than what format it is in or what device it was sent from. For example, email communication regarding agency business is considered to be a public record, regardless of whether it was sent from a personal or state-issued device.
The same logic applies to text messages, direct messages on collaboration platforms, social media posts, and content exchanged on encrypted messaging apps when used to conduct public business.
A 2023 amendment to the law added another layer of complexity. Records maintained in a digital format must be provided in the same digital format when requested, and a custodian cannot convert a searchable digital record into a non-searchable one before sending it to the requester.
In practice, that requirement becomes harder to manage when agencies are also dealing with fragmented communication tools. This tension is part of the broader friction between state sunshine laws vs. shadow IT, where unsanctioned tools and channels can leave records scattered across systems that no records officer has visibility into. Agencies handling significant text volume often need to rely on a dedicated government text message archiving system so that mobile communications remain retrievable when a request comes in.
Tip
Agencies should treat mobile and off-platform communications as part of their disclosable records environment when those messages involve agency business — no matter what device or channel was used to send the message.
What are the penalties for non-compliance?
CORA is generally enforced through civil court proceedings when a requester challenges a denial or alleges that records were improperly withheld. Typically, requesters who believe they were improperly denied access can pursue a court order, and the risks to agencies who aren't in compliance can be significant.
- Court application: A requester may file an application in the district court where the records are kept, asking the court to order the custodian to give reason why inspection should not be allowed.
- 14-day notice: Before filing in court, the requester is required to give the custodian at least 14 days of written notice of intent to sue. During that period, the custodian is required to meet with the requester in person or by phone to attempt to resolve the dispute without litigation.
- Court costs and attorney fees: If the court finds that records were improperly withheld, it shall award court costs and reasonable attorney fees to the requester. A requester can be considered prevailing even if the order grants access to only a portion of the records originally sought.
- Personal penalty: For denials found to be arbitrary or capricious, the records custodian may be personally ordered to pay up to $25 for each day access was improperly denied. This has resulted in five-figure judgments in cases where access was withheld for months.
Challenges of managing Colorado open records compliance
While the legal framework of the Colorado Open Records Act may seem straightforward, the operational execution often presents significant hurdles for government agencies. Most difficulties stem from the friction between strict statutory timelines and the modern reality of fragmented, high-volume digital recordkeeping.
- Fragmented communication channels: Locating responsive material is increasingly difficult as records are scattered across email, text messages, social media, voice transcripts, and collaboration tools.
- Decentralized storage: Searching for records becomes an administrative bottleneck when data is stored on personal devices or accounts, requiring one-on-one coordination with individual employees.
- Strict compliance timelines: The standard three-day window for production often forces agencies to pull staff away from their primary duties for extended periods to meet deadlines.
- Financial and political trade-offs: Agencies must balance the statutory maximum fees — which can lead to public criticism regarding transparency — against the significant budget pressure of absorbing costs internally.
- Format and metadata integrity: Traditional workflows like printing to PDF or flattening files often fail to meet modern requirements for providing records in searchable, usable, and native digital formats.
These gaps play a critical role in why many agencies look to build FOIA-proof archives, where records are captured at the source and stored in searchable formats from the outset rather than gathered under reactionary deadline pressure.
A summary of the Colorado Open Records Act
The Colorado Open Records Act (CORA) gives Colorado’s state, county, and municipal agencies a legal framework for public transparency. Agencies are required to work within a short statutory response window to be in compliance. They can recover only limited costs from requesters, and improper denials can lead to civil court action. Any resulting judgment can also create reputational risk for the agencies and individuals involved.
| Regulatory Element | Details |
|---|---|
| Law Name | Colorado Open Records Act |
| Statute Citation | C.R.S. § 24-72-201 to 206 |
| Governing Body | Appropriate government office or custodian |
| Response Deadline | 3 working days; up to 7 more if extended |
| Fee Structure | $41.37/hr after first hour, $0.25/page |
| Covered Entities | State and local public agencies |
| Key Exemptions | Personnel, medical, work product |
| Penalty Provisions | Court costs, fees, $25/day personal |
| Electronic Records | Included under CORA |
| Appeal Process | District court application |
When records sit in centralized, searchable systems, the entire response process becomes less reactive. Agencies often turn to robust recordkeeping technology that consolidates communications across email, mobile, social, and collaboration platforms into a single environment to not only to ease these real operational pressures but also to remain in compliance with the law and maintain the public's trust.
Frequently asked questions
Agencies should know where official records are stored, which communication channels employees use, and who is responsible for searching each system. A documented process combined with an automated recordkeeping technology platform helps staff respond faster to incoming requests, especially when records are spread across multiple communication systems.
Yes, an agency can ask for clarification or a narrower scope when a request is too broad, unclear, or difficult to process within the standard response window. The request cannot be ignored, but a good-faith conversation can help both sides identify the records that are needed.
Records stored across several systems may still need to be searched if they relate to the request. This can result in difficulty if the agency cannot locate the record quickly enough to respond within CORA’s timeline.
Share this post!
- An Overview of Colorado Open Records Act Requirements - June 24, 2026
- South Carolina Freedom of Information Act Compliance Requirements - June 23, 2026
- New Jersey Open Public Records Act Requirements - June 22, 2026
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing [email protected].
FOLLOW US