Colorado Privacy Act, Universal Opt-Out, and the AI Profiling Implications
Colorado's approach to opt-out rights is quietly becoming one of the more technically demanding privacy requirements in the U.S., and it has specific implications for anyone running AI systems that touch consumer data. The Colorado Privacy Act (CPA), in effect since July 1, 2023, includes provisions that go beyond what most teams initially scoped for. The universal opt-out mechanism (UOOM) requirement that took effect on July 1, 2024, combined with the statute's separate opt-out right for profiling, creates real engineering and compliance challenges for AI-driven profiling systems.
What the CPA Actually Requires on Universal Opt-Out
Under C.R.S. 6-1-1306(1)(a)(I), Colorado consumers have the right to opt out of the processing of their personal data for (A) targeted advertising, (B) the sale of personal data, and (C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The profiling piece is the one that tends to get underestimated.
The date comes from the statute itself: beginning July 1, 2024, a consumer may exercise the opt-out rights for targeted advertising and the sale of personal data through a universal opt-out mechanism that meets the Attorney General's technical specifications (C.R.S. 6-1-1306(1)(a)(IV)(A)). That is a full year after the CPA's own effective date. The Attorney General's CPA Rules (4 CCR 904-3), adopted March 15, 2023, supply those specifications in Part 5 and go further than California in spelling out how controllers must detect, process, and honor the signals. Colorado followed California's lead on the signal itself: the Global Privacy Control (GPC) is on the AG's list of recognized mechanisms.
Under Rule 5.04, a controller that receives a recognized UOOM signal must treat it as a valid opt-out request without requiring the consumer to take any additional steps. No confirmation screens. No secondary authentication. If the signal comes in, you honor it.
One scope point matters for everything that follows. The statutory UOOM provision covers targeted advertising and sale only. The profiling opt-out in 6-1-1306(1)(a)(I)(C) is a separate right that the consumer exercises through the opt-out methods the controller is required to offer; the statute does not require a controller to infer it from a browser signal. Nothing prevents a controller from applying the signal to all three categories, and a single opt-out state is the simpler architecture, but that is a design choice to make deliberately and document, not a requirement to assume.
Where AI Profiling Gets Complicated
The CPA defines "profiling" under C.R.S. 6-1-1303(17) as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. That definition is broad enough to capture a large share of the AI and ML systems operating in regulated industries. The limiting factors are not the definition but the statute's exemptions and the "legal or similarly significant effects" qualifier discussed below.
Consider a few concrete scenarios:
- Financial services: An ML model that scores creditworthiness or predicts default risk from behavioral data is profiling under the CPA, and a lending decision is squarely a decision with legal or similarly significant effects. If the consumer opts out, the controller must stop processing that individual's data for that profiling purpose, which in practice means the model's output can no longer drive the decision for that person. Check the exemptions first: the CPA exempts financial institutions subject to the Gramm-Leach-Bliley Act at the entity level and exempts data regulated by the Fair Credit Reporting Act (C.R.S. 6-1-1304(2)), so many lending models fall outside the statute entirely.
- Healthcare: A predictive model that triages patient outreach based on claims data and behavioral signals could qualify as profiling that produces "similarly significant effects" if it determines access to care pathways or pricing. Protected health information handled under HIPAA is exempt at the data level, so the exposure is typically in the non-HIPAA signals (marketing data, web behavior, wellness apps) that feed such models.
- Education: Adaptive learning platforms that use student behavioral data to make placement or assessment decisions are squarely within scope, subject to the CPA's exemption for data regulated by FERPA.
The technical challenge is that most AI pipelines are not built to selectively exclude individual data subjects from model inference in real time. Training data exclusion is one problem; inference-time exclusion is another. When a UOOM signal arrives, you need a mechanism that propagates that opt-out status across every system that could use that person's data for profiling purposes. For organizations running dozens of models across multiple business units, this is a non-trivial data architecture problem.
Technical Implementation Realities
Honoring UOOM signals for AI profiling requires at least three layers of infrastructure:
- Signal detection and ingestion: Your web properties and APIs need to detect the GPC signal (the request header Sec-GPC: 1; the value "1" is the opt-out, and anything else is not) and any other AG-recognized UOOM signals. Client-side code can read the same preference from navigator.globalPrivacyControl. Detection must happen at the edge, before data enters downstream processing pipelines, and the resulting opt-out has to be tied to whatever identifier your profiling systems key on, not only to the browser session that carried the header.
- Consent state propagation: Once an opt-out signal is received, the consumer's opt-out status must propagate to every system that processes their data for profiling, targeted advertising, or sale. This includes ML feature stores, data warehouses, CRM systems, and third-party integrations. If you are using a customer data platform, it needs to be the authoritative source of consent state, and downstream systems need to query it before processing.
- Inference-time filtering: This is the hardest part. Your AI models need a mechanism to either exclude opted-out individuals from profiling-based decisions or to ensure that profiling outputs are not applied to those individuals. In practice, this usually means a policy enforcement layer between model output and decision execution. The model may still generate a score, but that score cannot be used to make decisions with legal or similarly significant effects for opted-out consumers.
One subtlety worth noting: the CPA distinguishes between profiling generally and profiling in furtherance of decisions that produce legal or similarly significant effects. The opt-out right under C.R.S. 6-1-1306(1)(a)(I)(C) covers only the latter, and the statute defines that category concretely in C.R.S. 6-1-1303: decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services. So you need a classification framework for your AI use cases that maps each model's outputs to its downstream decision impact. A recommendation engine for blog content is different from a model that determines insurance eligibility. Both are "profiling" in the general sense, but only the latter triggers the profiling opt-out obligation under the statute's specific language.
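The three layers above, plus the classification step, as one added example. This is not FirmAdapt's code and not anything taken from the CPA Rules; it assumes a pseudonymous consumer id that the edge and the ML systems share, keeps the UOOM signal at its statutory scope by default with an explicit switch to extend it to profiling, and all names, consumer ids and sample requests are constructed for illustration.

```python
# Added example, not FirmAdapt code or code from the CPA Rules: a minimal, in-memory
# version of the three layers described above. Names, consumer ids and the sample
# requests are constructed; the one external fact used is that the GPC signal is the
# request header "Sec-GPC: 1".
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Mapping, Optional, Set


class Purpose(Enum):
    TARGETED_ADVERTISING = "targeted_advertising"
    SALE = "sale"
    # profiling in furtherance of decisions with legal or similarly significant effects
    SIGNIFICANT_PROFILING = "significant_profiling"


# Statutory scope of a UOOM signal (C.R.S. 6-1-1306(1)(a)(IV)): targeted advertising and
# sale. Extending the signal to profiling is a controller design choice, flagged below.
UOOM_STATUTORY_PURPOSES = frozenset({Purpose.TARGETED_ADVERTISING, Purpose.SALE})


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Layer 1: detect the GPC signal. Header names are case-insensitive; the opt-out
    value is exactly "1", so "0", an empty value or an absent header is not an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class ConsentStore:
    """Layer 2: the single authoritative record of opt-out state, keyed by the
    pseudonymous consumer id that the profiling systems key on."""

    def __init__(self, apply_uoom_to_profiling: bool = False) -> None:
        self._opt_outs: Dict[str, Set[Purpose]] = {}
        # Design choice beyond the statutory minimum: honor the browser signal for
        # profiling too, so one opt-out state covers all three categories.
        self.apply_uoom_to_profiling = apply_uoom_to_profiling

    def record_uoom(self, consumer_id: str) -> Set[Purpose]:
        purposes = set(UOOM_STATUTORY_PURPOSES)
        if self.apply_uoom_to_profiling:
            purposes.add(Purpose.SIGNIFICANT_PROFILING)
        self._opt_outs.setdefault(consumer_id, set()).update(purposes)
        return purposes

    def record_request(self, consumer_id: str, purpose: Purpose) -> None:
        """An opt-out submitted through the controller's own opt-out method, which is
        the route the statute provides for the profiling opt-out."""
        self._opt_outs.setdefault(consumer_id, set()).add(purpose)

    def opted_out(self, consumer_id: str, purpose: Purpose) -> bool:
        return purpose in self._opt_outs.get(consumer_id, set())


def ingest_request(store: ConsentStore, consumer_id: str, headers: Mapping[str, str]) -> bool:
    """Edge handler: a GPC signal is recorded immediately, with no confirmation step.
    Returns True when an opt-out was recorded."""
    if gpc_opt_out(headers):
        store.record_uoom(consumer_id)
        return True
    return False


@dataclass(frozen=True)
class ModelUseCase:
    """Classification record for one model output: does the downstream decision
    produce legal or similarly significant effects?"""
    name: str
    significant_effect: bool


@dataclass(frozen=True)
class Outcome:
    allowed: bool
    score: Optional[float]
    reason: str


def enforce(store: ConsentStore, use_case: ModelUseCase, consumer_id: str, score: float) -> Outcome:
    """Layer 3: policy enforcement between model output and decision execution. The
    model may still have scored; the score is withheld from the decision path when the
    consumer has opted out and the use case is in the significant-effects category."""
    if use_case.significant_effect and store.opted_out(consumer_id, Purpose.SIGNIFICANT_PROFILING):
        return Outcome(False, None, f"{use_case.name}: consumer opted out of significant profiling")
    return Outcome(True, score, f"{use_case.name}: no applicable opt-out")


def demo() -> Dict[str, Outcome]:
    """Walk-through on constructed requests; returns the outcomes for inspection."""
    store = ConsentStore()  # statutory UOOM scope only
    ingest_request(store, "c-1", {"Sec-GPC": "1"})  # signal seen at the edge
    ingest_request(store, "c-2", {"sec-gpc": "0"})  # not an opt-out
    store.record_request("c-1", Purpose.SIGNIFICANT_PROFILING)  # c-1 also opts out of profiling by request
    blog = ModelUseCase("blog-recommendations", significant_effect=False)
    insurance = ModelUseCase("insurance-eligibility", significant_effect=True)
    return {
        "c1_blog": enforce(store, blog, "c-1", 0.82),
        "c1_insurance": enforce(store, insurance, "c-1", 0.17),
        "c2_insurance": enforce(store, insurance, "c-2", 0.17),
    }
```

demo() shows the split the text describes: with the store at statutory scope, consumer c-1's GPC signal opts them out of targeted advertising and sale but not profiling, their separate request does cover profiling, and the enforcement layer then withholds the insurance-eligibility score while the low-impact blog recommendation still goes through. Returning an explicit Outcome rather than a null score matters in practice: a decision system that receives None may silently fall back to a default, whereas an allowed=False result forces the caller to handle the refusal.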
Enforcement and Risk Exposure
Colorado's CPA is enforced by the Attorney General and district attorneys. There is no private right of action, which reduces litigation risk compared to frameworks like the Illinois BIPA. The AG's office has nonetheless signaled that UOOM compliance is an enforcement priority: it published its list of recognized mechanisms, with GPC on it, ahead of the July 1, 2024 deadline, treated that deadline as firm, and said it would be monitoring compliance.
A CPA violation is a deceptive trade practice under the Colorado Consumer Protection Act, so penalties follow C.R.S. 6-1-112: up to $20,000 per violation, and up to $50,000 per violation committed against an elderly person. In a profiling context where thousands or millions of consumers' opt-outs go unprocessed, the per-violation math gets uncomfortable quickly. The 60-day cure period is repealed effective January 1, 2025; after that date the AG may still offer a cure opportunity but is not required to.
The reputational risk is also worth considering. Colorado is part of a growing bloc of states with comprehensive privacy laws, alongside California, Connecticut, Virginia, Oregon, Texas, Montana, and others. Failing to honor UOOM signals in Colorado signals to regulators in other jurisdictions that your privacy infrastructure may have systemic gaps.
The Interaction with Other Frameworks
If you are already handling California's CCPA/CPRA opt-out requirements, including GPC recognition under the CPRA regulations (11 CCR 7025), you have a head start on the signal-handling side. But Colorado's profiling opt-out is more explicit than California's current framework. The CPRA directs the California Privacy Protection Agency to issue regulations governing access and opt-out rights with respect to automated decisionmaking technology, including profiling (Cal. Civ. Code 1798.185(a)(16)), and those regulations were still being finalized by the Agency long after the statute took effect. Colorado's profiling opt-out is already live and enforceable.
The EU's GDPR Article 22 is conceptually similar: it restricts decisions based solely on automated processing that produce legal or similarly significant effects. But it is framed as a restriction with enumerated exceptions and is asserted by the data subject case by case; the GDPR requires no technical mechanism for a persistent browser signal. Under the CPA, the UOOM signal is persistent and must be honored automatically for targeted advertising and sale, and if you choose to apply it to profiling as well, the same persistence applies there.
How FirmAdapt Addresses This
FirmAdapt's architecture treats consent state, including UOOM signals, as a first-class data attribute that propagates across all processing layers. When a universal opt-out signal is detected, FirmAdapt enforces that status at the inference layer, ensuring that AI-driven profiling outputs are not applied to opted-out individuals in any decision pathway that could produce legal or similarly significant effects. This is handled through policy enforcement rules that map model outputs to their downstream decision contexts, so the system distinguishes between low-impact personalization and high-impact profiling automatically.
For organizations operating across multiple state privacy frameworks, FirmAdapt maintains a unified consent management layer that reconciles the varying requirements of the CPA, CPRA, Connecticut's CTDPA, and other applicable statutes. The goal is straightforward: one infrastructure that handles the technical complexity of multi-jurisdictional UOOM compliance without requiring each business unit to build and maintain its own signal detection and propagation pipeline.