Colorado Data Privacy Rights: CPA Guide for Data Broker Opt-Outs (2026)
Colorado's CPA requires businesses to recognize the Global Privacy Control browser signal as a legal opt-out — the first state to mandate this. This guide covers GDPR-comparable rights for Colorado residents, the appeals process, and how to use GPC for automatic ongoing opt-outs.
Colorado's Consumer Protection Act (CPA) took effect July 1, 2023, making Colorado one of the earliest states outside California to enact comprehensive privacy legislation. Colorado's law is notable for several consumer-favorable provisions, including a universal opt-out mechanism requirement and a strong appeals process. This guide explains Colorado residents' rights against data brokers and how to exercise them.
What Colorado's CPA Covers
The Colorado Privacy Act applies to businesses that:
- Conduct business in Colorado or target products/services to Colorado residents, AND
- Control or process personal data of at least 100,000 Colorado consumers annually, OR
- Control or process personal data of at least 25,000 Colorado consumers and derive revenue or a discount from selling personal data
All major data brokers meet these thresholds and are subject to Colorado's CPA.
Core Consumer Rights Under Colorado CPA
Right to Access: Request confirmation of what personal data a company processes and obtain a copy.
Right to Correct: Request correction of inaccurate personal data.
Right to Delete: Request deletion of personal data the company has collected about you.
Right to Data Portability: Request your personal data in a portable, machine-readable format.
Right to Opt Out of Sale: Opt out of the sale of your personal data.
Right to Opt Out of Targeted Advertising: Opt out of targeted advertising.
Right to Opt Out of Profiling: Opt out of profiling that produces legal or similarly significant effects.
Universal Opt-Out Mechanism: Colorado requires businesses to recognize browser-level universal opt-out signals (such as the Global Privacy Control, GPC). If your browser sends a GPC signal, covered businesses must honor it as an opt-out.
Colorado's Universal Opt-Out Requirement: A Practical Advantage
One of Colorado's most consumer-friendly provisions is the requirement that businesses recognize universal opt-out signals. If you install a browser extension or configure a browser that sends a Global Privacy Control (GPC) signal, covered Colorado businesses must honor that signal as an opt-out from:
- Sale of personal data
- Targeted advertising
How to use GPC:
- Firefox: Enable via privacy settings (about:config: privacy.globalprivacycontrol.enabled = true)
- Brave: Enabled by default in privacy settings
- Chrome extension: Install the GPC extension from the Chrome Web Store
This provides automatic opt-out from data sales for covered businesses without requiring individual opt-out requests.
Colorado's Appeals Process
Like Virginia, Colorado requires businesses to maintain an internal appeals process for denied consumer requests. If a data broker denies your deletion request:
- Request the company's internal appeal process in writing
- The company must respond to the appeal within 45 days
- If the appeal is denied, the company must provide information about filing a complaint with the Colorado AG
- File a complaint with the Colorado AG at coag.gov
Sensitive Data Under Colorado CPA
Colorado requires opt-in consent before processing sensitive personal data categories:
- Racial/ethnic origin
- Religious beliefs
- Mental or physical health
- Sexual orientation/gender identity
- Immigration status
- Genetic or biometric data
- Children's data (under 13)
- Precise geolocation data (within 1,750 feet)
Data brokers that have inferred or compiled sensitive data about Colorado residents without opt-in consent are in violation of CPA.
How to Exercise CPA Deletion Rights Against Data Brokers
Step 1: Use standard opt-out forms
Most major data broker opt-out forms comply with Colorado CPA automatically. Navigate to each site's opt-out page and submit your request.
Step 2: For formal CPA requests, use explicit language
"Pursuant to the Colorado Privacy Act (CRS § 6-1-1301 et seq.), I am requesting deletion of all personal data you have collected, processed, or shared about me as a Colorado consumer. Please confirm receipt and expected deletion timeline, including information about your internal appeals process."
Step 3: Escalate denied requests
If a request is denied without adequate explanation, request the internal appeals process. If the appeal is denied, file a complaint with the Colorado AG's consumer protection office at coag.gov/privacy.
Step 4: Enable GPC in your browser
Enable the Global Privacy Control in your browser for ongoing automatic opt-out signals to covered Colorado businesses.
Colorado vs. California and Virginia: How the Laws Compare
| Feature | Colorado CPA | California CCPA | Virginia VCDPA |
|---|---|---|---|
| Effective date | Jul 1, 2023 | Jan 1, 2020 | Jan 1, 2023 |
| Universal opt-out (GPC) | Required | Required | Not required |
| Appeals process | Required | Not required | Required |
| Sensitive data | Opt-in | Opt-in | Opt-in |
| Private right of action | No | Limited | No |
| Enforcement body | AG | CPPA | AG |
| Data broker registry | No | Yes | No |
Colorado and Virginia share the appeals process requirement that California lacks. Colorado and California share the universal opt-out requirement that Virginia lacks.
Who Enforces Colorado CPA?
The Colorado Attorney General has exclusive enforcement authority. The AG can:
- Investigate consumer complaints
- Issue civil investigative demands to businesses
- Seek injunctions, civil penalties of up to $20,000 per violation, and disgorgement of profits
- Pursue pattern-and-practice enforcement actions against systematic violators
File complaints at: coag.gov/privacy
Practical Steps for Colorado Residents
For data broker removal:
- Submit deletion requests using standard opt-out forms on major sites
- Use formal CPA language for any sites that add friction
- Enable GPC in your browser for ongoing automatic opt-out coverage
- For persistent non-compliance, file a complaint with the Colorado AG
For comprehensive removal across all 500+ data brokers, OfflistMe handles all submissions in a single session. One-time pricing: $7.00 for 24 hours, $90.00 ($45.00 currently at 50% OFF) for annual monitoring. Start your removal here.
Frequently Asked Questions
Does Colorado CPA apply to companies based outside Colorado?
Yes. CPA applies based on where consumers are located. A data broker headquartered in Virginia that processes data about Colorado residents is subject to Colorado CPA.
What is the response deadline for deletion requests under Colorado CPA?
45 days from receipt of the request, with one possible 45-day extension if the business notifies you of the extension within the initial 45 days and explains why the extension is needed.
Is the Global Privacy Control (GPC) signal effective against data brokers?
GPC is effective against businesses that recognize browser opt-out signals — which Colorado law requires. For data brokers that process Colorado residents' data and are subject to CPA, a GPC signal is legally binding as an opt-out of data sales and targeted advertising. It is less effective against the broader data broker ecosystem because not all brokers recognize GPC signals.
Does Colorado CPA cover data that was collected before the law took effect?
CPA applies to personal data processed after the effective date (July 1, 2023), but also applies to ongoing processing of data that may have been initially collected before the law took effect if it is currently being used or shared. This means data brokers cannot grandfather in old data collections as exempt from CPA if they are actively using that data.
What can I do if a data broker deletes my data but it keeps reappearing?
Data reappearance from new public record ingestion is a known phenomenon, not necessarily a CPA violation if the broker is deleting when requested. If a broker repeatedly fails to delete data that you have successfully requested deletion of multiple times, document the pattern and file a complaint with the Colorado AG, which may indicate a systematic failure to comply with deletion obligations.
Colorado CPA vs. CCPA: Key Practical Differences
California's CCPA and Colorado's CPA are often grouped together as equivalent laws, but for data broker opt-outs there are meaningful practical differences — some favoring Colorado residents, some favoring California residents.
| Feature | Colorado CPA | California CCPA/CPRA |
|---|---|---|
| Universal opt-out (GPC required) | Yes — businesses must honor GPC signals | Yes — CPPA requires GPC recognition |
| Internal appeals process | Required within 45 days | Not required by law |
| Data broker registry | No | Yes — California DELETE Act registry (2026) |
| Single opt-out portal | No | Yes — California DROP portal (2026) |
| Private right of action | No (AG-only enforcement) | Limited (data security breaches only) |
| Opt-in for sensitive data | Required | Required (CPRA amendment) |
| Enforcement body | Colorado AG | California Privacy Protection Agency (CPPA) |
| Response deadline | 45 days + 45-day extension | 45 days + 45-day extension |
| Penalties | Up to $20,000 per violation | Up to $7,500 per intentional violation |
What this means in practice:
Colorado's appeals process is a real advantage California lacks. If Spokeo denies your deletion request, you have a legally mandated escalation path in Colorado that California does not require. The company must formally hear your appeal, respond within 45 days, and if it denies again, tell you how to reach the Colorado AG.
California's data broker registry and upcoming DROP portal (California's Delete Act single opt-out system) will be the most powerful consumer tool in any state once operational in 2026. Colorado has no equivalent centralized portal.
For Colorado residents, the practical recommendation is to use the GPC signal in your browser, send deletion requests using explicit CPA statutory language when brokers add friction, and use the appeals process aggressively when requests are denied. The AG complaint is a real enforcement lever — the Colorado AG has issued civil investigative demands to data brokers.
How to File a Colorado Privacy Complaint if a Company Ignores You
Most data broker deletion requests get honored without escalation. But some sites — particularly smaller aggregators that cache data from larger sources — fail to respond or deny valid requests without adequate justification. Here is the full escalation path for Colorado residents.
Step 1: Document the denial or non-response
Keep a written record of: the date you submitted the request, the broker's name and opt-out URL, any confirmation number or email, and the response you received (or the date you stopped receiving a response after 45 days).
Step 2: Send a formal written request citing CPA
If the initial form submission was denied or ignored, send a direct email or letter to the broker's privacy team with this exact language:
"Pursuant to the Colorado Privacy Act, C.R.S. § 6-1-1306, I am exercising my right to delete personal data you hold about me. I submitted an initial request on [date] and have not received a compliant response within the required 45-day period. Please confirm deletion and provide written confirmation. Failure to comply within 15 days of this notice will result in a complaint filed with the Colorado Attorney General."
This letter changes the record from an informal opt-out form to a documented statutory request. Some brokers who ignored the initial form submission will respond to this.
Step 3: Request the internal appeals process in writing
If the request is denied, the CPA requires the business to maintain an internal appeals process. Email the broker's legal or privacy team requesting information about their appeals process. Document the date of this request.
Step 4: File a complaint with the Colorado AG
If the appeal is denied or the company does not provide an appeals process, file a complaint at coag.gov/privacy. The AG's Consumer Protection Section handles CPA complaints. Include:
- Company name and website
- Dates of all requests and responses
- Copies of your correspondence
- Description of the data you requested deleted
The AG cannot file suit on every individual complaint, but patterns of complaints against specific brokers trigger investigations and enforcement actions. Your complaint contributes to the aggregate record.
Step 5: Consider Daniel's Law or other applicable statutes (if relevant)
If you are a judge, law enforcement officer, prosecutor, or other covered professional, check whether Colorado's specific address-protection statutes apply in addition to CPA. Some categories of personal information have stronger removal rights under profession-specific statutes.
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 500+ data brokers · No subscription