Colorado ran the first sweep. When the state's Attorney General started checking whether sites honored the Global Privacy Control, it set the tone for every opt-out state that followed. The Colorado Privacy Act (CPA) took effect on July 1, 2023, its universal opt-out mandate turned on July 1, 2024, and Colorado became the first state to publish an official list of opt-out mechanisms it recognizes. GPC is the only one on it.
Does the CPA reach cookies?
The CPA governs personal data, defined as information linked or reasonably linkable to an identified or identifiable individual. Cookie IDs, advertising identifiers, and pixels that build a profile fall inside that. Purely functional cookies that never leave your site usually fall outside.
Cookies come into scope when they support two activities: the sale of personal data (Colorado defines it broadly, covering exchange for monetary or other valuable consideration) and targeted advertising based on activity across sites you don't control. Both give Coloradans a right to opt out.
The consent model: opt-out with a hard GPC rule
Colorado uses an opt-out model. You can set analytics and advertising cookies by default, but you owe residents a working way to opt out of sale and targeted advertising, and you have to honor a universal signal automatically.
Since July 1, 2024, controllers must treat a GPC signal from a Colorado resident as a valid opt-out of sale and targeted advertising. No banner interaction required. The browser speaks, you comply. The Colorado Department of Law maintains the official list of recognized universal opt-out mechanisms, and GPC has been the sole approved mechanism since it was named in late 2023.
Sensitive data needs opt-in
Processing sensitive data requires prior opt-in consent under the CPA. Colorado's list includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life or sexual orientation, citizenship or immigration status, genetic and biometric data, and personal data from a known child. Precise geolocation is treated as sensitive as well.
Colorado also amended the CPA to add stronger protections for minors, with new obligations for online services that reach users under 18 taking effect in late 2025. If children can reach your service, budget for that.
Who's covered
The CPA applies to controllers that conduct business in Colorado or target Colorado residents and either control or process the personal data of 100,000 or more consumers in a year, or derive revenue (or a discount) from selling personal data while processing the data of 25,000 or more consumers. There's no minimum-revenue gate, so a high-traffic free site can be covered even without much income.
Assessments and the opt-out link
Two CPA details catch people out. First, the law requires a data protection assessment before you engage in processing that presents a heightened risk of harm, which explicitly includes selling personal data, processing it for targeted advertising, and certain profiling. If your cookies drive targeted ads, that assessment is a documented obligation, not a nicety. Second, Colorado's rules are specific about the opt-out itself: the mechanism has to be clear and conspicuous, and the universal signal must be honored without any default setting that presumes consent. You can't pre-check a box or bury the control three menus deep.
Which cookies the opt-out has to switch off
In concrete terms, a Colorado opt-out (clicked or sent by GPC) has to suppress the tags that sell data or drive cross-context ads. That usually means your Google Ads and Meta advertising pixels, any data-broker or identity-resolution tags, and the advertising features of analytics tools (for example, Google Analytics 4 with Google signals enabled). Strictly first-party analytics that never shares data externally is generally fine to keep running. The practical test: if a tag sends an identifier to a company that could use it to target the same person elsewhere, it belongs behind the opt-out.
Penalties and the vanished cure period
CPA violations are deceptive trade practices under Colorado law, which means civil penalties up to $20,000 per violation. Stacked across many affected consumers, that adds up fast. Enforcement sits with the Colorado Attorney General and district attorneys.
The safety net is gone. The CPA's right to cure expired on January 1, 2025. Before that date the AG had to give notice and 60 days to fix a violation. Now it can move straight to enforcement. Colorado's early GPC sweeps show the office is willing to test compliance in the wild.
A practical setup for Colorado traffic
- Map the sale and targeted-ad cookies. These are the categories an opt-out has to switch off.
- Give a clear opt-out control for sale and targeted advertising, reachable from every page.
- Honor GPC automatically. This has been mandatory since July 2024. Detect the signal and apply it before ad tags load.
- Require opt-in for sensitive data, including precise geolocation.
- Log everything. With no cure period, your evidence that the mechanism works is your defense.
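The checklist above as a gating function, added here as an illustration (it is not CookieBeam's code or any vendor's). It reads the GPC signal, decides which tags may load before any of them is injected, and returns a record to log. The tag names, category labels and the `visitor` shape are constructed for the example, and deciding that a visitor is a Colorado resident is assumed to happen upstream.

```javascript
// Constructed tag inventory: names and category labels are illustrative only.
const TAGS = [
  { name: "google-ads-pixel", category: "targeted_ads" },
  { name: "meta-pixel", category: "targeted_ads" },
  { name: "identity-resolution", category: "sale" },
  { name: "ga4-google-signals", category: "targeted_ads" },
  { name: "first-party-analytics", category: "analytics" },
  { name: "geo-store-finder", category: "sensitive" }, // precise geolocation
];

// Categories an opt-out (clicked or sent by GPC) has to switch off.
const OPT_OUT_CATEGORIES = new Set(["sale", "targeted_ads"]);

// GPC reaches the server as the request header "Sec-GPC: 1"; in the browser
// the same signal is exposed as navigator.globalPrivacyControl === true.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// visitor: { gpc, clickedOptOut, sensitiveOptIn } (hypothetical shape).
// Call this before injecting any tag, then load only result.allowed.
function decideTags(visitor, tags = TAGS, now = new Date()) {
  const optedOut = visitor.gpc === true || visitor.clickedOptOut === true;
  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    let block = false;
    if (OPT_OUT_CATEGORIES.has(tag.category)) {
      block = optedOut; // opt-out model: runs by default, off on signal
    } else if (tag.category === "sensitive") {
      block = visitor.sensitiveOptIn !== true; // opt-in model: off by default
    }
    (block ? blocked : allowed).push(tag.name);
  }
  // Evidence record: which signal was seen and what was suppressed.
  const record = {
    at: now.toISOString(),
    signal: visitor.gpc === true ? "gpc" : visitor.clickedOptOut === true ? "manual" : "none",
    allowed,
    blocked,
  };
  return { allowed, blocked, record };
}
```

Persist `record` server-side with the request it belongs to, so the log shows what was suppressed for a given signal rather than only that a signal arrived.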
How CookieBeam handles Colorado
CookieBeam's US opt-out states preset covers CPA-style laws directly. A Colorado visitor sees an opt-out banner with a "Your Opt-Out Rights" link; GPC honoring is default-on in the runtime, so a Colorado browser sending the signal has its sale and targeted-advertising categories suppressed automatically, which is exactly what the July 2024 mandate requires. The regional consent engine serves that opt-out model to Colorado while serving opt-in to the EU from the same banner. Sensitive categories can be gated behind opt-in. Verify the current CPA rules and the AG's opt-out list before finalizing.
Related guides
Read Global Privacy Control explained and universal opt-out mechanisms across US state laws for the signal mechanics, and sensitive data consent under US state laws for the opt-in exception. For the full map, see the complete guide to US state privacy laws. Primary sources: the Colorado AG's CPA page and its recognized opt-out list.