Colorado Privacy Act (CPA) AI Profiling Opt-Out Requirements 2026
Colorado has two separate AI-relevant laws, and businesses regularly confuse them. This guide covers the Colorado Privacy Act's opt-out and assessment requirements for AI profiling — distinct from the Colorado AI Act's high-risk system rules.
Two Colorado Laws, Two Different Obligations
If your AI product touches Colorado consumers, you need to separate two questions:
Colorado Privacy Act (CPA)
Effective July 1, 2023General consumer data rights: access, deletion, portability, opt-out of profiling used for consequential decisions, universal opt-out mechanism support, data protection assessments for high-risk processing.
Colorado AI Act (SB 24-205)
High-risk system obligationsDeveloper and deployer duties for 'high-risk' AI systems making consequential decisions — algorithmic discrimination impact assessments, risk management programs, and consumer notice when AI is the basis of a decision. A separate compliance track from CPA.
This post focuses on the CPA — the profiling opt-out and assessment obligations that apply to far more everyday AI products than the AI Act's narrower "high-risk" category.
Does CPA Apply to Your AI Product?
CPA applies to controllers that conduct business in Colorado or produce products/services intentionally targeted to Colorado residents, and during a calendar year:
- Control or process personal data of 100,000 or more Colorado consumers, OR
- Control or process personal data of 25,000 or more consumers and derive revenue from the sale of personal data
The Universal Opt-Out Mechanism (UOOM) Requirement
Since July 1, 2024, Colorado requires covered businesses to recognize universal opt-out signals — like Global Privacy Control — sent automatically by a consumer's browser or device. This is one of the more technical, easy-to-miss CPA requirements for AI companies:
CPA Data Protection Assessments for AI Profiling
CPA requires a documented data protection assessment before processing that presents a heightened risk of harm. For AI companies, this is triggered by:
- Profiling in furtherance of decisions that produce legal or similarly significant effects for consumers (credit, employment, housing, healthcare, insurance, education access)
- Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, or unlawful disparate impact
- Profiling that presents a reasonably foreseeable risk of financial, physical, or reputational injury
- Processing sensitive data through AI systems, including biometric identifiers
The assessment must weigh the benefits of the processing against the potential risks to consumers, factoring in safeguards you've implemented. The Colorado Attorney General can require you to produce these assessments during an investigation — they are not optional paperwork exercises.
CPA AI Profiling Checklist
Frequently Asked Questions
If we already comply with CCPA, are we done for Colorado?
Not automatically. CPA's universal opt-out mechanism requirement is stricter about anonymous-visitor support than some other states, and its data protection assessment trigger for profiling is broader in some respects. Treat CPA compliance as its own checklist item, even if your CCPA infrastructure covers most of the underlying mechanics.
Do we need to worry about the Colorado AI Act too?
Only if your AI system meets the AI Act's definition of a 'high-risk' system making or being a substantial factor in a consequential decision. Many everyday AI features (search ranking, generic recommendations) fall under CPA's profiling rules without triggering the AI Act's separate developer/deployer obligations — but you need to check both, not assume one covers the other.
What counts as a 'universal opt-out signal' besides Global Privacy Control?
Global Privacy Control (GPC) is the primary recognized mechanism today, transmitted as an HTTP header or JavaScript property by supporting browsers and extensions. Colorado's implementing regulations describe technical requirements a signal must meet to qualify; GPC currently satisfies them and is the signal your compliance tooling should be built to detect.
Don't Let the Two Colorado Laws Blur Together
Treat CPA as your baseline privacy compliance for any AI profiling touching Colorado consumers — opt-outs, universal signals, and assessments. Then separately evaluate the Colorado AI Act's narrower, higher-risk category.
Most AI companies need CPA compliance regardless of whether the AI Act applies to them. Start there, and layer AI Act obligations on top only if your system actually meets the high-risk threshold.