TermsBuilder
Back to Blog
March 26, 20269 min read

Colorado Privacy Act and Universal Opt Out Requirements

Colorado requires a clear public opt out path for targeted advertising and recognition of qualifying universal opt out signals.

Colorado can change both your privacy policy and the public path a user follows to opt out of sale and targeted advertising. The Colorado Privacy Act requires a privacy notice with the familiar categories, purposes, third party disclosures, and consumer rights instructions, and it also reaches the external path outside your policy.

If a business uses targeted advertising, sells personal data, or wants to rely on a universal opt out signal workflow, the public site has to reflect those choices clearly.

For many online businesses, Colorado becomes the law that exposes whether the privacy page is connected to the actual user experience. If your policy promises an opt out and your site has no clean way to honor it, the gap is visible immediately.

Colorado joins the notice and the public path

The Colorado Attorney General describes the baseline privacy notice in familiar terms. The page should explain the types of personal data processed, the purpose for processing, the categories of personal data shared with third parties, the categories of third parties, and how consumers can exercise their rights. That is the starting point.

Colorado also requires disclosure if personal data is sold or processed for targeted advertising and expects consumers to be able to opt out both through the privacy notice and through a readily accessible location outside the privacy notice. In practical terms, your policy and your site architecture have to be read together.

Targeted advertising changes the footer and the user path

Colorado is one of the states where targeted advertising changes the visible interface. If your business uses ad pixels, off site behavioral targeting, audience syncing, or similar advertising infrastructure, the public site needs a clear path for the consumer to opt out.

The business should present a clear opt out path and make sure the page accurately describes how that path works.

Universal opt out signals are part of the Colorado build

Colorado also requires covered businesses to process recognized universal opt out mechanisms. The legal effect of that rule is straightforward. The business should treat your privacy policy and signal handling as one compliance program if your site is expected to receive and honor browser based signals such as Global Privacy Control.

This changes both drafting and implementation. The policy should explain whether your business recognizes qualifying signals, and the team should know what happens when one of those signals is received. A site that publishes a polished Colorado rights section while ignoring the signal-handling question leaves a visible gap between the page and the product.

Colorado is a workflow test as much as a drafting test

Many state privacy pages become inaccurate because your business writes from assumptions rather than from the operating facts. Colorado exposes that problem quickly. The policy has to describe what categories of data are processed, why they are processed, what categories of third parties receive them, and how the consumer can opt out. The implementation has to show that those statements are true.

That means reviewing analytics, advertising, consent tooling, request intake, and footer placement as one project. If your business handles those pieces separately, the Colorado page may look complete while the underlying user path is broken.

What to review before publishing under Colorado law

A Colorado review should start with the advertising stack and then move through your policy and the public opt out path. The goal is to make the page and your site architecture say the same thing.

  • Confirm whether personal data is sold or processed for targeted advertising
  • Publish a readily accessible opt out path outside your privacy policy when Colorado requires it
  • Explain in the privacy notice how consumers exercise rights and how universal opt out signals are handled
  • Review whether the footer, privacy choices path, and policy text are describing the same workflow
  • Check the advertising and analytics stack against the disclosures on the page

Key Takeaways

  • Colorado changes both the privacy notice and the external user path for opt out choices.
  • Targeted advertising and sale disclosures need a clear, accessible opt out path on your site.
  • Universal opt out signals are part of the Colorado build.
  • The policy works only if the footer path, the signal handling, and the advertising stack match what the page says.

Primary Sources

Turn this into a real document

TermsBuilder uses an attorney-built questionnaire to turn these legal issues into Terms & Conditions and Privacy Policy pages that match the way your business operates.

Start your document set

Related Reading

Privacy Policy Requirements by State in 2026

State privacy laws change privacy policy drafting in different ways. Some states add website disclosure rules, some change the opt out path, and some require a separate notice.

Where to Put Privacy Policy and Do Not Sell or Share Links on Your Website

A privacy policy in the footer is the baseline, but some privacy links and notices need to appear closer to checkout, signup, and other collection points if you want your site disclosures to match the law and the way your business operates.