Colorado Data Privacy & Data Broker Removal
Colorado has a comprehensive privacy law that gives you the right to access, delete, and control your personal data. Here is how those rights work in practice and how to remove yourself from data brokers.
Your rights in Colorado
Colorado residents are protected by the Colorado Privacy Act (CPA).
- Right to Access & Know — Request a copy of the personal information a company holds about you.
- Right to Correct — Request corrections to inaccurate personal information.
- Right to Delete — Ask a company to delete your personal information.
- Right to Data Portability — Get your data in a portable format you can take to another service.
- Right to Opt Out of Sale — Tell a company to stop selling your personal information.
- Right to Opt Out of Targeted Advertising — Stop companies from targeting you with ads based on your personal data.
- Right to Opt Out of Profiling — Stop companies from building a behavioral profile about you.
- Right to Appeal — Challenge a company's decision to deny your privacy request.
Does this cover the company that has my data?
Most companies that collect or sell personal data in Colorado are likely covered.
Controllers conducting business in Colorado or targeting Colorado residents that either control/process the personal data of 100,000+ consumers in a year, Or derive any revenue (or receive a discount) from selling personal data and control/process the data of 25,000+ consumers.
- Cure period sunset Jan 1, 2025.
- Biometric-data amendments (HB 24-1130) effective July 1, 2025.
- Amendments addressing minors' data and biometric identifiers continued through 2025–2026.
How to remove yourself from data brokers in Colorado
Your state law gives you the right to request deletion — but exercising it across hundreds of brokers takes real effort. Here are the most effective steps, in order.
1. Enable Global Privacy Control
Global Privacy Control is a free browser setting that automatically tells every website you visit not to sell or share your data. It takes two minutes to enable and works silently in the background on every site. Colorado law requires covered businesses to honor it — so this is not just a request, it carries legal weight.
2. Submit direct opt-out requests
For brokers not covered by the registry or GPC, you can submit requests directly. Look for the "Do Not Sell My Personal Information" link in each company's website footer — most major brokers have one. You can also submit formal access, deletion, or correction requests through each company's privacy policy page.
Under Colorado's law, covered companies must respond within the statutory deadline. If they don't, you have grounds to file a complaint with the Colorado Attorney General and district attorneys.
3. Automate ongoing removal
Here is the part nobody tells you: even after you complete every step above, brokers re-ingest your information from public records, data-sharing networks, and commercial databases. Within a few months, your profiles reappear. Staying removed from hundreds of brokers is not a one-time task — it is an ongoing commitment that most people cannot maintain manually.
Delist finds your exposed data and files removals on your behalf — then monitors so it stays down. Start with a free scan to see where your information is exposed.
Run a free scan →Colorado's data broker law: what it means for you
Colorado does not have a dedicated data-broker registry. Most national data brokers are registered in California and honor opt-out requests from residents of any state — but without a Colorado-specific law requiring it, you have no legal recourse if a broker ignores your request. Services like Delist handle this across states and brokers in one place.
Other privacy protections in Colorado
Beyond the comprehensive privacy law, Colorado has additional protections that may apply to you:
- Address Confidentiality Program for survivors of domestic violence/sexual assault/stalking (administered by the CO Secretary of State).
- C.R.S. § 18-9-313 restricts posting personal information of protected persons (law-enforcement officials, certain public servants, DV/stalking victims, human-services workers) online on request — a partial Daniel's-Law-style protection.
- Biometric notice/consent obligations (HB 24-1130).
- Heightened protections for known children's data.
- Colorado also regulates 'surveillance pricing.'
- Biometric data — No standalone biometric statute with a private right of action. The CPA's biometric amendments (HB 24-1130, effective July 1, 2025) add biometric notice/consent obligations enforced by the AG (not a private right of action).
How to file a privacy complaint in Colorado
Colorado Attorney General (Colorado Department of Law), Consumer Protection — https://coag.gov/resources/colorado-privacy-act/
Most state agencies enforce privacy laws in the aggregate — they investigate patterns of violations rather than resolving individual disputes. Filing a complaint still matters: it creates a record that helps trigger enforcement actions.
Frequently asked questions
Does Colorado have a data privacy law?
Can I sue a company for violating my privacy in Colorado?
How do I opt out of data brokers in Colorado?
Does Colorado require websites to honor Global Privacy Control?
Sources
This page is privacy-rights information, not legal advice. Privacy law changes frequently; verify current rules with your state privacy agency or a licensed attorney before acting. Last verified 2026-06-22. We re-check state privacy laws quarterly.