Colorado’s new data privacy law, the Student Data Transparency and Security Act [C.R.S. 22-16-101 et. al.], includes obligations for vendors who provide certain services to Local Education Providers (LEPs). Several definitions within the law raised a number of questions. The Colorado Department of Education (CDE) has worked with stakeholders to get clarity on how to determine what vendors are required to comply with the law and the contractual methods for doing so. The analysis below includes the definitions within the law and an overview of how to determine which vendors fit within these definitions.