Colorado Privacy Act and Universal Opt Out Requirements
Colorado requires a visible public opt out path for targeted advertising and recognition of qualifying universal opt out signals.
The Colorado Privacy Act took effect on July 1, 2023, and it applies to a controller that processes the personal data of at least 100,000 Colorado consumers in a year, or at least 25,000 consumers when the controller earns revenue from selling personal data. It reaches two places at once, the privacy notice itself and the public opt out path outside it, so for many online businesses a Colorado review is what reveals whether the page matches what a visitor experiences.
The notice carries the baseline content other state laws use, describing the types of personal data processed, the purposes of processing, the categories of personal data shared with third parties, the categories of third parties that receive it, and how a consumer exercises rights. Colorado then adds a disclosure when personal data is sold or used for targeted advertising, and it expects a consumer to be able to opt out both inside the notice and through a readily accessible place outside it, so the policy and the site architecture have to be read together.
Targeted advertising changes what a visitor sees, because a business that uses ad pixels, off site behavioral targeting, audience syncing, or similar infrastructure has to give the consumer a visible way to opt out and describe how that path works. The Act also requires covered businesses to honor recognized universal opt out signals such as Global Privacy Control, so the policy should state whether the business honors those signals and the team should know what happens when one arrives.
Colorado is a workflow test as much as a drafting test, because a page drifts from the truth when a business writes from assumptions instead of operating facts, and a review has to confirm that the stated categories, purposes, recipients, and opt out hold true on the site. That means looking at analytics, advertising, consent tooling, request intake, and footer placement as one project, since handling them separately leaves a Colorado page that reads as complete while the user path behind it is broken.
A Colorado review starts with the advertising stack, then moves through the policy and the public opt out path, with the goal of making the page and the site say the same thing. Confirm whether personal data is sold or used for targeted advertising, publish the opt out outside the policy where the law requires it, explain in the notice how a consumer exercises rights and how universal opt out signals are handled, and check that the footer, the privacy choices path, and the policy text all describe one workflow.
Key Takeaways
- The Colorado Privacy Act took effect on July 1, 2023 and covers controllers above 100,000 consumers, or 25,000 when they earn revenue from selling personal data.
- Colorado reaches both the privacy notice and the public opt out path outside it, so the page and the site have to agree.
- A business that sells data or uses targeted advertising needs a visible opt out and has to honor universal opt out signals like Global Privacy Control.
- Treat the notice, the footer, the consent tooling, and the advertising stack as one project, because a page that contradicts the site fails the law.