Similar to other state consumer data protection acts enacted over the past two years, the Colorado Privacy Act (CPA) allows Colorado consumers to opt out of the sale of personal data and the processing of such data for targeted advertising purposes. Beginning on July 1, 2024, companies controlling personal data that fall within the purview of the CPA must allow consumers to opt out via a universal opt-out mechanism (UOOM).

Uniquely, CPA Rule 5.07 requires the Colorado Attorney General (AG) to vet potential UOOM technologies and maintain a public list of UOOMs that meet the standards of the CPA and that organizations can employ to effectuate the opt-out process. The rule requires the AG to publish the list by January 1, 2024, and to maintain and update it thereafter. At the beginning of October, the AG’s office solicited applications for UOOM technologies to be included on the list. The office has since narrowed the candidates and recently published three potential UOOMs for inclusion, specifically Global Privacy Control, Opt-Out Machine, and OptOut Code. The widely used Global Privacy Control was developed in response to California’s Consumer Privacy Act and is essentially a “switch” that consumers can toggle to prevent sharing of their personal information. It operates on browsers such as Mozilla Firefox and Brave, or can be installed as an extension on most other browsers. Opt-Out Machine is a comprehensive mechanism that allows a consumer to opt out of personal information use for several businesses at once with just one click. OptOut Code meanwhile is a mechanism designed solely for vehicles where consumers can opt out of information vehicle manufacturers collect through consumers’ operation of their cars. Further information on these UOOMs can be found on the Colorado AG’s website, where public comment on the three candidates will be accepted until December 11. The list and comment sites can be found at

While the UOOM list requirement does not exist in most state consumer data protection acts, many acts do generally require that organizations employ data privacy controls to allow for the opt out of the sale of personal information for targeted advertising. The California Consumer Privacy Act, for example, requires that businesses provide two or more avenues for consumers to submit requests to opt out of personal information use. The Colorado, Connecticut, Delaware, Montana, Oregon, and Texas consumer data protection acts also broadly require that businesses utilize UOOMs as options for consumers. Still, this most recent Colorado AG action represents yet another state-specific measure among an increasing number that companies handling qualifying personal identifying information must consider.

Twelve states have now passed some form of a consumer data protection act, including California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. There is pending legislation to enact similar laws in Massachusetts, Michigan, New Jersey, Pennsylvania, and North Carolina. Generally, these acts all allow for greater consumer control of their personal information, including the ability to access it, delete it, control its use, and discover how a company utilizes it. They also impose security standards for maintaining and protecting the data and require up-front notification to consumers on how they will collect and use their data. Despite the overall similarities, this patchwork of state privacy laws does pose compliance challenges and increased liability exposure for companies with multistate operations. Not only do these laws contain smaller substantive variations among them, many grant additional rulemaking authority to various state agencies that are subsequently promulgating rules in rapid fashion.

For example, on November 27, the California Privacy Protection Agency released its regulatory framework for the use of artificial intelligence (AI) in decision making, which includes allowing consumers the right to opt out of and access information about an organization’s use of AI. The agency plans to finalize this framework in December and begin associated rulemaking next year. Find additional details here:

As state developments in privacy regulation continue for the foreseeable future, organizations must be ever-vigilant to ensure their practices meet increasingly complex standards.

More on Artificial Intelligence + the Future of Law.

Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.
Avi Schick
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.
Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.
Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.
John Sample
John is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on a wide range of general and complex litigation matters, including shareholder disputes, fraud, products liability, breach of contract, and Biometric Information Privacy Act claims.
Whitney Shephard
Whitney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.
Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.