Colorado Privacy Act and opt-out signals
The Colorado Privacy Act (CPA) is a comprehensive US state law granting access, deletion, correction, and portability rights and opt-outs for targeted advertising, sale, and profiling. It is notable for requiring controllers to honour a universal opt-out mechanism. This page explains, educationally, how that affects analytics and ad tags.
Rights and the universal opt-out
Like its peers, the CPA grants Colorado consumers rights to access, correct, delete, and port data, and to opt out of targeted advertising, sale, and certain profiling. Distinctively, it requires controllers to recognise a universal opt-out mechanism — a browser- or device-level signal a consumer can set once — and the Colorado Attorney General has issued rules specifying how that mechanism works.
- Standard access/correct/delete/portability rights
- Opt-out of targeted advertising, sale, profiling
- Mandatory universal opt-out mechanism recognition
Impact on analytics and ads
Because the CPA mandates honouring a universal opt-out, any analytics or ad tag that performs targeted advertising must be able to detect that signal and stop the relevant disclosures for Colorado users. This raises the bar from offering an opt-out link to processing a machine-readable signal automatically — closely related to how Global Privacy Control is treated. First-party measurement that does no targeted advertising is largely unaffected.
How it appears in analytics and logs
If ad or analytics tags keep disclosing data for targeted advertising after a universal opt-out signal, that is a likely CPA compliance gap for Colorado residents.
Diagnostic use case
Confirm your stack can honour a universal opt-out signal for Colorado users so targeted-advertising disclosures stop when that signal is present.
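The check described under "Impact on analytics and ads" and the audit suggested here, as an added example that is not code from this page or from WebmasterID. It assumes the universal opt-out arrives as the Global Privacy Control request header `Sec-GPC: 1`; the purpose labels, the `US-CO` region code and the event fields are hypothetical.

```javascript
// Added example. Purpose labels, region codes and event fields are hypothetical.
// Assumption: the universal opt-out arrives as the GPC request header `Sec-GPC: 1`.
// Assumption: the purposes the signal switches off are the two listed here.
const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale"]);

// True only for the exact value "1"; HTTP header names are case-insensitive.
function hasUniversalOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide whether a tag with the given purpose may fire for this request.
// Unknown region is treated as in scope, so a failed geo lookup cannot
// silently disable the opt-out. Other jurisdictions are outside this example.
function mayFire(purpose, request) {
  const inScope = request.region === "US-CO" || request.region == null;
  if (!inScope || !hasUniversalOptOut(request.headers)) return true;
  return !OPT_OUT_PURPOSES.has(purpose);
}

// Audit logged tag fires and return the ones that should have been suppressed.
function findViolations(events) {
  return events
    .filter((e) => !mayFire(e.purpose, e.request))
    .map((e) => `${e.id}:${e.tag}`);
}

// Constructed sample log of tag fires (not real data).
const SAMPLE_EVENTS = [
  { id: 1, tag: "ad-pixel", purpose: "targeted_advertising",
    request: { region: "US-CO", headers: { "Sec-GPC": "1" } } },
  { id: 2, tag: "site-stats", purpose: "first_party_measurement",
    request: { region: "US-CO", headers: { "sec-gpc": "1" } } },
  { id: 3, tag: "ad-pixel", purpose: "targeted_advertising",
    request: { region: "US-CO", headers: {} } },
  { id: 4, tag: "retargeting", purpose: "targeted_advertising",
    request: { region: null, headers: { "SEC-GPC": "1" } } },
  { id: 5, tag: "ad-pixel", purpose: "targeted_advertising",
    request: { region: "US-CO", headers: { "Sec-GPC": "0" } } },
];

console.log(findViolations(SAMPLE_EVENTS));
```

The first-party measurement tag in event 2 is not flagged even though the signal is present, which is the distinction the "Common mistakes" list draws.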
What WebmasterID can help detect
WebmasterID's first-party model with no targeted advertising means there is no cross-context disclosure for a universal opt-out to stop.
Common mistakes
- Offering only a manual opt-out and ignoring universal signals.
- Assuming all analytics triggers the targeted-advertising opt-out.
- Overlooking the Colorado AG's universal opt-out rules.
Privacy and accuracy notes
This page is educational and not legal advice. CPA thresholds, rules, and the universal opt-out mechanism specification are detailed; consult the statute and Colorado AG rules.
Related pages
- US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
- Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
- The Global Privacy Platform (GPP)
The Global Privacy Platform (GPP) is an IAB Tech Lab specification that transmits a user's consent and privacy choices across the digital advertising supply chain using a single, extensible container. Instead of separate strings per regulation, GPP bundles section-specific signals — for example US state strings and the EU TCF — into one encoded value. This page explains the container model.
- Privacy-first analytics
Measurement that needs no targeted-advertising opt-out.
Sources and verification notes
- Colorado Attorney General — Colorado Privacy Act: Official CPA resource, including universal opt-out rulemaking.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.