Overview

No outside party can prove a complete internal list of what a company does not disclose. The best strategy is to map the data categories that are public, identify what is unclear, then submit Colorado CPA requests that force specific answers.

Goal

Reduce future use (opt out) and obtain the most complete copy of what exists about you (access and portability), including profiles, inferred segments, fraud or integrity signals, and sharing categories.

Colorado Privacy Act rights

Colorado residents generally have rights to access, delete, correct, obtain a portable copy, opt out of targeted advertising and sale, and appeal a denial. Exact scope depends on the business and exemptions.

Right	What you can ask for	What to demand if denied
Access	Account data, identifiers, purchase and return history, app and website logs, advertising logs, profiles and segments, risk or integrity signals.	Which categories were withheld, why, and retention periods for withheld categories.
Portability	CSV or JSON exports for transactions, events, and preference or segment data where available.	What format is available and which categories are not portable.
Correction	Fix incorrect profile fields, contact data, account attributes, and inaccurate risk flags.	Which source system created the field and what evidence they used.
Deletion	Delete data not required for security, legal, or operational reasons.	What was deleted, what was retained, the reason, and the retention schedule.
Opt out	Stop targeted advertising processing and stop sale sharing where applicable.	Written confirmation and what identifiers the opt out applies to.
Appeal	Appeal partial or full denial.	A written appeal decision and the basis used per withheld category.

Opt out in Colorado

Best practice sequence

Use the company’s privacy choices link in the footer or app settings to opt out of targeted ads and sale where offered.
Enable a recognized opt out signal like Global Privacy Control in the browser you use most for shopping.
If you shop logged in, apply opt out while logged in on the same device and browser.
Document everything with screenshots so you can appeal or complain with a timeline.

Important

Opt out reduces ad targeting and certain sharing. It does not automatically erase purchase history, returns, fraud prevention logs, or store security video.

Data map: online and in store

Online and app

Account identifiers: name, email, phone, account IDs, authentication events.
Device and browser identifiers: cookies, IP address, device IDs, app IDs.
Behavior logs: pages viewed, searches, clicks, cart events, purchase funnel events.
Advertising data: impressions, clicks, conversions, attribution events, frequency capping signals.

In store

Transactions: receipts, line items, time, store location, payment tokens, returns and exchanges.
Self checkout exception events: interventions, overrides, missed scan prompts (if used).
Security systems: camera video, incident notes, preserved clips for events.
Parking lot: perimeter video and potentially license plate references in some systems.

In store linking to you personally is the key question. Ask for the identifiers used to link store activity to your account or profile.

What is often not obvious

Linkage: A company can link events across devices, receipts, returns, and accounts using both direct and probabilistic signals.
Inferences: Profiles and segments can be more impactful than raw purchase history.
Vendor ecosystem: Analytics, measurement, fraud, and advertising can involve many service providers.
Exception and risk signals: Self checkout and returns can generate flags that are not visible to customers.

Common transparency gaps you should target

Retention periods for receipts, device logs, ad logs, store video, incident flags, and risk scores.
Whether store video is associated to customer identities, and under what conditions.
Names or categories of vendors who receive advertising or measurement related identifiers.
Exact fields shared for ad measurement (hashed email, device IDs, order IDs, timestamps, etc).
Whether risk or integrity scores influence account actions or in store interventions.

How to write it

Do not ask “Do you track me?” Ask “Provide all identifiers used to link me across systems, and provide all inferred segments and integrity signals tied to those identifiers.”

Colorado playbook

Opt out first (privacy choices link plus browser signal).
Submit an access request that lists the exact categories you want.
Ask specifically for profiles, segments, exception flags, and all identifiers.
If denied, appeal and demand: withheld categories, reason, and retention schedule.
If still unresolved, file a complaint with the Colorado AG and attach your proof timeline.

Templates

Use these templates inside the company’s privacy request form or via their listed request channel.

Tip

If you open this file locally, your browser may block automatic clipboard copying. Use Select all text, then copy manually.

FAQ

If I pay cash, can there still be a record?

Yes, store video can exist regardless of payment method. The key question is whether that video is linked to you personally through identifiers. Your access request should explicitly ask whether any association exists.

What if they give me a vague response?

Appeal and require a category level breakdown: what they searched, what they withheld, why, and how long they keep it.

Sources to cite in your writeup

Add links here to the exact pages you want this site to cite. If you tell me the URLs you used, I will plug them in and format them.

Walmart Customer Privacy Notice (Online and In Store)
Walmart Colorado Consumer Privacy Notice
Colorado AG: Colorado Privacy Act resources
Colorado AG: Universal Opt Out Mechanism program and recognized mechanisms list
Your PDF analysis (internal reference)

WELCOME TO YOUR ONE STOP SHOP AT KEEPIN GUP TO DATE WALMARTS NEWEST POLICIES.

Colorado Guide: Walmart Data Collection and Your Rights Under the Colorado Privacy Act