Colorado · CPAWordPress hosting with CPA plugin built into the platform.
Opt-out signals for sale, targeted advertising and profiling, opt-IN for sensitive data, a 45-day response workflow, and — uniquely under Colorado law — Universal Opt-Out Mechanism honoring of Global Privacy Control signals at the Cloudflare edge worker. Handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. The same platform also handles CCPA, VCDPA, CT DPA and TDPSA — one stack, every US state privacy law.
Under the Colorado Privacy Act, you can opt out of the sale of personal data, targeted advertising, and profiling for legally significant decisions. We honor your browser's Global Privacy Control signal automatically. You can also access, correct, delete, or export the data we hold about you.
Six obligations you have to meet.
The Colorado Privacy Act took effect on July 1, 2023, making Colorado the third US state with a comprehensive consumer privacy law. It applies to controllers that process the personal data of 100,000+ Colorado residents annually, or 25,000+ when 50% or more of revenue comes from selling personal data. Enforcement sits with the Colorado Attorney General and the Colorado Department of Law, with civil penalties of up to $20,000 per violation under the Colorado Consumer Protection Act. The 60-day cure period sunset on January 1, 2025 — there is no longer a free pass on a first offence.
- 01
Opt-out for sale, targeted ads, profiling
Colorado consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. The mechanism has to be clear, conspicuous, symmetric in choice, and free of dark patterns.
- 02
Universal Opt-Out Mechanism (UOOM)
Required since July 1, 2024 and unique to Colorado at this level of specificity. Controllers must honor browser-level opt-out signals such as Global Privacy Control. The signal counts as a valid opt-out for sale and targeted advertising the moment it arrives — no banner click required.
- 03
Opt-IN for sensitive data
Processing of sensitive data requires affirmative consent. Sensitive data covers race or ethnic origin, religion, mental or physical health diagnosis, sexual orientation or sex life, citizenship or immigration status, genetic or biometric data processed to identify a person, precise geolocation, and data from a known child.
- 04
Consumer rights: access, correction, deletion, portability
Colorado residents can request access to the personal data you hold, correct inaccuracies, delete it, and obtain a portable copy in a readily usable format. You respond within 45 days, extendable once by 45 days when reasonably necessary.
- 05
Appeals process
When you deny a consumer request, you must give the consumer a clear way to appeal and respond to the appeal within 45 days, extendable by 60 days when reasonably necessary. If the appeal is denied, you provide an explanation and a link to file a complaint with the Colorado Attorney General.
- 06
Controller and processor duties
Contracts between controllers and processors must spell out processing instructions, confidentiality, deletion or return of data at end of service, and assistance with consumer requests. Yovale acts as your processor under a written contract aligned with C.R.S. § 6-1-1305.
Built into the platform. Not a plugin you install.
Yovale ships CPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
GPC honored at the edge worker
Every request to a Yovale site is checked for the Sec-GPC: 1 header and any equivalent Universal Opt-Out signal at the Cloudflare edge worker. When the signal is present and the visitor is from Colorado, sale, targeted advertising and profiling are blocked before any analytics, ad pixel or third-party tag executes. The opt-out lands in your audit log automatically.
Privacy portal
/.well-known/privacy on every Yovale site. Colorado residents can submit access, correction, deletion, and portability requests without filing a support ticket. Every request shows up in your Compliance dashboard tab with a 45-day SLA timer and a one-click appeal flow attached.
Appeals workflow
When a request is denied, the consumer gets a one-click appeal link. The appeal opens a separate 45-day SLA case in your dashboard, with the original decision attached. If you deny the appeal, the platform attaches the Colorado AG complaint link automatically.
Signed processor contract
Pre-signed controller-processor contract that meets C.R.S. § 6-1-1305 requirements. Lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality, deletion at end of service, and assistance with consumer requests and data protection assessments. PDF download from the dashboard.
Why infrastructure beats a plugin.
Typical WordPress CPA plugin
- Cannot honor GPC reliably — banner JS runs after analytics and ad pixels have already fired
- Stores opt-out signals in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-149/year per site and rarely covers the appeals workflow
- Breaks when you migrate hosts; opt-out history and appeal records lost
Yovale's built-in approach
- GPC honored at the Cloudflare edge worker — before WordPress, before pixels, before analytics
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — opt-out and appeal history is yours to export
14 regulations. One toggle each. All automatic.
- Opt-out for sale, targeted ads, profiling
- Universal Opt-Out Mechanism (GPC) honoring
- Opt-in for sensitive data
- 45-day consumer request response
- Appeals process within 45 days
CPA + Yovale, answered.
Does the CPA apply to my site?
It applies if you control or process the personal data of 100,000 or more Colorado residents in a calendar year, or 25,000 or more when you derive revenue or receive a discount on goods or services from the sale of personal data. There is no minimum revenue threshold, unlike California. Government bodies, HIPAA-covered entities, and FERPA-covered education data are out of scope. If you're below the thresholds you're not directly covered, but Yovale runs the same protections by default so your site is ready when you cross them.
How do you actually honor Global Privacy Control?
Every request to a Yovale site passes through a Cloudflare edge worker that inspects the Sec-GPC header. If the visitor is detected as a Colorado resident and Sec-GPC: 1 is set, the worker injects an opt-out state into the request before WordPress sees it. Analytics, ad pixels and third-party tags that would have set sale or targeted-advertising cookies are suppressed at HTML rendering. The opt-out is logged with timestamp and IP-derived region. No banner click required — the signal is the choice.
How is the CPA different from the CCPA and the VCDPA?
All three give Colorado, California and Virginia consumers opt-out for sale and targeted advertising plus rights to access, delete and port their data. The CPA is the strictest on Universal Opt-Out Mechanisms — controllers must honor browser signals like GPC by default. It also matches Virginia in requiring opt-IN consent for sensitive data, where California only offers a limit-the-use opt-out. The CPA's $20,000 per-violation ceiling is higher than VCDPA's $7,500. Yovale handles all three regimes from one platform.
What counts as sensitive data under the CPA?
Sensitive data covers race or ethnic origin, religion, mental or physical health diagnosis, sexual orientation or sex life, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, precise geolocation, and personal data from a known child. Yovale's MU-plugin blocks any plugin or script that touches a sensitive category until the consumer has actively opted in through the consent UI.
Is the 60-day cure period still in effect?
No. The Colorado Privacy Act's 60-day right-to-cure provision sunset on January 1, 2025. Since then, the Colorado Attorney General can pursue a violation directly under the Colorado Consumer Protection Act with civil penalties of up to $20,000 per violation. Yovale ships every site with the full compliance posture from day one, so there is nothing to cure when an inquiry lands.
What happens when I deny a consumer request?
The platform sends the consumer a denial notice with a one-click appeal link. The appeal opens a separate case in your Compliance dashboard with its own 45-day SLA, extendable by 60 days when reasonably necessary. If you deny the appeal too, Yovale automatically attaches a link for the consumer to file a complaint with the Colorado Attorney General, as required by C.R.S. § 6-1-1306.
Ship a CPA-compliant WordPress site in 60 seconds.
Every Yovale site is CPA-ready from the moment you deploy. GPC honored at the edge. Opt-in flow for sensitive data. Appeals workflow live in the dashboard. Start the free Growth trial and see your first compliance dashboard.