Colorado CPA: Opt Out of Data Brokers (UOOM Guide)

Jun 16, 2026 · 8 min read · data broker opt out state privacy laws ·

Share on:

Colorado law turns a single browser setting into a data-broker opt-out

Within 45 days of submitting your Colorado Privacy Act request, a data broker must respond — and unlike voluntary suppression lists, this is a deadline the state can enforce. The Colorado Privacy Act (CPA), codified at C.R.S. §6-1-1301 et seq. and effective July 1, 2023, gives every Colorado resident the legal right to access, correct, and delete the personal data companies hold, and to opt out of having that data sold or used for targeted advertising. The same data brokers that compile those profiles are the upstream suppliers of the mailing lists that fill your mailbox with catalogs.

What makes Colorado's law unusually practical is the Universal Opt-Out Mechanism, or UOOM. Rather than tracking down every broker and filing requests one at a time, Colorado requires covered businesses to honor a single browser-level signal — most commonly Global Privacy Control — that broadcasts your opt-out to every site you visit at once. That requirement became enforceable on July 1, 2024. The Colorado Department of Law maintains the official guidance and the list of recognized mechanisms on its Colorado Privacy Act resource page.

The CPA was enacted as SB21-190 and grew out of the Colorado General Assembly's broader consumer-protection framework. The full statutory text and legislative history are public. If you live in Colorado, you hold a lever most residents never use — and using it is a practical step, not a legal exercise.

Your rights under the Colorado Privacy Act

The CPA establishes a set of consumer rights that apply to "controllers" — the businesses, including data brokers, that determine how personal data is processed. For Colorado residents, the relevant rights are:

Right to access. You can ask a controller to confirm whether it is processing your personal data and to give you a copy of the data it holds. This lets you see exactly what a broker has compiled about you before you decide what to remove.

Right to correction. You can request that a controller fix inaccurate personal data. For data brokers, correction matters beyond accuracy: a corrected or fragmented profile is harder to match against a mailing list, which can disrupt the way your record propagates downstream.

Right to deletion. You can request that a controller delete the personal data it has collected or obtained about you. For marketing-data brokers, this is the core lever — it removes your record from the pool that list buyers draw from.

Right to data portability. You can obtain your personal data in a portable, transferable format, which is useful if you want a complete record of what a broker has assembled.

Right to opt out. This is the heart of the CPA for anyone fighting junk mail. You can direct a controller to stop processing your personal data for three specific purposes: the sale of personal data, targeted advertising, and certain profiling that produces legal or similarly significant effects. Data brokers whose entire business is selling compiled consumer records to retailers, catalog companies, and list vendors must honor that opt-out.

The Colorado Attorney General's guidance confirms all of these rights and the response obligations attached to them. Crucially, the CPA does not ask brokers to opt you out as a courtesy — it gives you a mechanism to compel them, backed by state enforcement.

How to opt out: the Universal Opt-Out Mechanism plus direct requests

Colorado gives you two complementary paths. The fastest covers most brokers automatically; the second handles the rest.

Enable a Universal Opt-Out Mechanism (the one-setting method). Since July 1, 2024, controllers operating in Colorado must recognize an approved UOOM. The most widely supported is Global Privacy Control (GPC), a signal your browser sends to every website you visit, telling each one not to sell your data or use it for targeted advertising. Some browsers — including Firefox, Brave, and DuckDuckGo's browser and extension — support GPC natively in their privacy settings. For Chrome and Edge, install a privacy extension that transmits the GPC signal. Once enabled, you do not file anything: the signal does the opting-out continuously, on every covered site, with no per-broker paperwork. The Colorado Department of Law publishes the list of recognized mechanisms on its CPA resource page.
File direct requests with high-volume brokers. The UOOM covers sites you visit in your browser, but it does not reach back-office data brokers you will never load in a tab — the bulk compilers that feed catalog prospecting lists. For those, send a direct CPA request invoking your right to delete and your right to opt out of sale and targeted advertising. Priority targets include Acxiom, Epsilon, Experian Marketing Services, LexisNexis, Spokeo, and Intelius. Look for a "Do Not Sell or Share My Personal Information" link or a privacy-request form, usually in the site footer or privacy policy.
State your residency and request clearly. In each request, write: "I am a Colorado resident exercising my rights under the Colorado Privacy Act. I request deletion of all personal data you hold about me, and I direct you to stop selling my personal data and stop using it for targeted advertising." Include your full name, current mailing address, and any prior addresses, so the broker can match its records accurately.
Know the 45-day clock. Once a controller receives a valid request, it must respond within 45 days. It may extend that window by one additional 45-day period when reasonably necessary, but it must notify you of the extension and the reason within the original 45 days. Ninety days is the outer limit.
Appeal a refusal. If a controller declines your request, the CPA requires it to give you a way to appeal, and to explain its reasoning. Use that appeal process before escalating.
File a complaint with the Colorado Attorney General. If a broker ignores you, misses the deadline, or refuses without a valid basis, you can report it to the Colorado Department of Law. The Attorney General and district attorneys enforce the CPA, and consumer complaints are part of how they identify violators.

What to expect

Set realistic expectations. The 45-day window is a maximum, not a promise of speed — many brokers process requests in batches, so your profile may not disappear the moment you submit. Give the full cycle before following up, and keep a log of each request with the broker name, submission date, and any confirmation number.

The Universal Opt-Out Mechanism is the part of Colorado's law that genuinely changed the math. Before July 1, 2024, honoring browser-level opt-out signals was voluntary; now it is mandatory for covered controllers, and the Colorado Department of Law actively maintains which mechanisms qualify. That means a single GPC setting carries legal weight in Colorado — a website that ignores it is out of compliance, not merely impolite.

Two limits are worth understanding. First, deletion is point-in-time: brokers continuously ingest new records from public filings, purchases, and other sources, so a record you delete today can be rebuilt from fresh data later. Re-submitting to the highest-volume brokers every 12 to 18 months, and leaving your UOOM signal permanently on, is a sensible maintenance cadence. Second, the CPA has no private right of action. You cannot sue a data broker yourself for a CPA violation. Enforcement rests exclusively with the Colorado Attorney General and the state's district attorneys, who treat violations as deceptive trade practices. Your complaint is the trigger that puts a non-compliant broker on their radar.

How this stops catalog mail

Catalog companies do not build their prospect lists from scratch. They rent and buy compiled mailing lists from data brokers — Acxiom, Epsilon, Experian, and their peers — who segment consumers by purchase history, estimated income, household composition, and hundreds of other attributes. A retailer hunting for "Colorado households, income above $80,000, who bought apparel by mail in the last two years" buys that segment from a broker, and your address rides along on the list.

When you exercise your CPA deletion and opt-out rights against those brokers — and when your Universal Opt-Out Mechanism signal tells every covered site to stop selling your data — you remove your record from the source pool. Opting out of an individual catalog only stops that one mailer, and your address returns the next time that company rents a fresh list. Opting out at the broker layer is upstream intervention: every subsequent list the broker sells, to any mailer in any category, excludes your record. That is the supply-chain logic this site is built on — cut the data at the source, and the catalogs downstream stop finding you.

Keep reading

California CCPA: make data brokers delete your info — the comparable rights for California residents, including the statewide DELETE Act platform.
Remove yourself from data brokers: the complete guide — a prioritized removal sequence across the major brokers.
How data brokers get your address — the public-record and purchase sources that feed the lists in the first place.
How to opt out of Spokeo — a step-by-step removal for one of the highest-traffic people-search brokers.
External: Want to stop all junk mail, not just data-broker-fed catalogs? The OptOut.ws junk-mail and privacy pillar covers the broader opt-out landscape.