The Colorado Attorney General’s office published its final list of “valid” and “recognized” universal opt-out mechanisms (“UOOM” for short). The sole finalist was the Global Privacy Control. Buried at the bottom of the announcement, however, was a note that the AG reserves the right to update the list at any time, so we should keep our eyes out for new additions, and perhaps more importantly, this list represents the UOOMs that the AG “will prioritize for enforcement.” I would expect that, on July 1 (the day the UOOM opt out rules go into effect), the AG will begin sending compliance notices to companies that sell data under the Colorado Privacy Act and do not appear to honor Global Privacy Control signals. This gives companies who sell data six months to add GPC signal processing to their websites. And based on the AG’s public remarks that they will focus on helping companies achieve compliance, rather than penalizing “footfalls,” hopefully companies that cooperate with the AG to update their website and data-selling practices will be able to avoid penalties. In his own words, the AG said, “Our number one priority are those who are willfully noncomplying with the law, that is where our blood is going to most boil.” So, if anything, trying to avoid such boiling is Step 1.