RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 13, 2026

Colorado Privacy Act (CPA) AI Profiling Opt-Out Requirements 2026

Colorado has two separate AI-relevant laws, and businesses regularly confuse them. This guide covers the Colorado Privacy Act's opt-out and assessment requirements for AI profiling — distinct from the Colorado AI Act's high-risk system rules.

2 Laws
Colorado Privacy Act (profiling opt-outs) and Colorado AI Act (high-risk systems) apply separately
Jul 2024
Universal opt-out mechanism (UOOM) support became mandatory statewide
100,000
Colorado consumers processed triggers CPA coverage

Two Colorado Laws, Two Different Obligations

If your AI product touches Colorado consumers, you need to separate two questions:

Colorado Privacy Act (CPA)

Effective July 1, 2023

General consumer data rights: access, deletion, portability, opt-out of profiling used for consequential decisions, universal opt-out mechanism support, data protection assessments for high-risk processing.

Colorado AI Act (SB 24-205)

High-risk system obligations

Developer and deployer duties for 'high-risk' AI systems making consequential decisions — algorithmic discrimination impact assessments, risk management programs, and consumer notice when AI is the basis of a decision. A separate compliance track from CPA.

This post focuses on the CPA — the profiling opt-out and assessment obligations that apply to far more everyday AI products than the AI Act's narrower "high-risk" category.

Does CPA Apply to Your AI Product?

CPA applies to controllers that conduct business in Colorado or produce products/services intentionally targeted to Colorado residents, and during a calendar year:

  • Control or process personal data of 100,000 or more Colorado consumers, OR
  • Control or process personal data of 25,000 or more consumers and derive revenue from the sale of personal data

The Universal Opt-Out Mechanism (UOOM) Requirement

Since July 1, 2024, Colorado requires covered businesses to recognize universal opt-out signals — like Global Privacy Control — sent automatically by a consumer's browser or device. This is one of the more technical, easy-to-miss CPA requirements for AI companies:

Detect the signal server-side
Your site must check for the GPC signal on every page load and treat it as equivalent to a manual opt-out request for sale and targeted advertising.
Apply it without requiring an account
The opt-out must work for anonymous visitors, not just logged-in users — you can't gate the universal signal behind authentication.
Extend it to profiling decisions
If your profiling is used for legal or similarly significant decisions, treat the UOOM signal as covering that opt-out too, not just ad targeting.
Don't require a duplicate manual step
Consumers who send the signal should not need to also click an on-page opt-out link — the signal alone must be sufficient.

CPA Data Protection Assessments for AI Profiling

CPA requires a documented data protection assessment before processing that presents a heightened risk of harm. For AI companies, this is triggered by:

  • Profiling in furtherance of decisions that produce legal or similarly significant effects for consumers (credit, employment, housing, healthcare, insurance, education access)
  • Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, or unlawful disparate impact
  • Profiling that presents a reasonably foreseeable risk of financial, physical, or reputational injury
  • Processing sensitive data through AI systems, including biometric identifiers

The assessment must weigh the benefits of the processing against the potential risks to consumers, factoring in safeguards you've implemented. The Colorado Attorney General can require you to produce these assessments during an investigation — they are not optional paperwork exercises.

CPA AI Profiling Checklist

Determine whether you meet the 100,000 or 25,000-consumer CPA thresholds
Identify every AI-driven decision that qualifies as producing a legal or similarly significant effect
Build and test Global Privacy Control detection across your site and app
Ensure the opt-out mechanism works without requiring account creation or login
Draft data protection assessments for any high-risk profiling before you launch it
Separately evaluate whether your AI system also qualifies as 'high-risk' under the distinct Colorado AI Act
Update your privacy notice to disclose profiling categories and the opt-out right in plain language
Review AI vendor contracts to confirm processor-level restrictions on secondary use of Colorado consumer data

Frequently Asked Questions

If we already comply with CCPA, are we done for Colorado?

Not automatically. CPA's universal opt-out mechanism requirement is stricter about anonymous-visitor support than some other states, and its data protection assessment trigger for profiling is broader in some respects. Treat CPA compliance as its own checklist item, even if your CCPA infrastructure covers most of the underlying mechanics.

Do we need to worry about the Colorado AI Act too?

Only if your AI system meets the AI Act's definition of a 'high-risk' system making or being a substantial factor in a consequential decision. Many everyday AI features (search ranking, generic recommendations) fall under CPA's profiling rules without triggering the AI Act's separate developer/deployer obligations — but you need to check both, not assume one covers the other.

What counts as a 'universal opt-out signal' besides Global Privacy Control?

Global Privacy Control (GPC) is the primary recognized mechanism today, transmitted as an HTTP header or JavaScript property by supporting browsers and extensions. Colorado's implementing regulations describe technical requirements a signal must meet to qualify; GPC currently satisfies them and is the signal your compliance tooling should be built to detect.

Don't Let the Two Colorado Laws Blur Together

Treat CPA as your baseline privacy compliance for any AI profiling touching Colorado consumers — opt-outs, universal signals, and assessments. Then separately evaluate the Colorado AI Act's narrower, higher-risk category.

Most AI companies need CPA compliance regardless of whether the AI Act applies to them. Start there, and layer AI Act obligations on top only if your system actually meets the high-risk threshold.