Colorado Privacy Act Rules (4 CCR 904-3)

Jurisdiction:
Colorado
Status:
enforcing
Effective:
Jul 1, 2023
Authority:
Colorado Attorney General
Official text verified Jun 30, 2026

Obligations Covered

Human Oversight, Risk Assessment

Provisions (2)

Automated Processing Definitions (Rule 2.02)

Obligation:
Human Oversight
Status:
enforcing
Effective:
Jul 1, 2023
Risk tier:
all
Scope:
controllers
Tags:
sleeper, cross-domain
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.

Requirements

Requirement: Details

Solely Automated Processing: Decisions made by automated systems without human intervention or review

Human Reviewed Automated Processing: Review of automated decisions that does not rise to the level of Human Involved Automated Processing

Human Involved Automated Processing: Human involvement requires both meaningful consideration of the data and output, and the authority to change or influence the outcome of the automated processing

Consent implications: Level of automation determines consent and opt-out requirements for profiling

Penalties

Violation: Fine

Per violation: Up to USD 20,000 per violation (deceptive trade practice)

Data Protection Assessments for Profiling (Rule 9.06(A)-(B))

Obligation:
Risk Assessment
Status:
enforcing
Effective:
Jul 1, 2023
Risk tier:
all
Scope:
controllers
Tags:
sleeper, cross-domain
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the AI system was the target of the regulation. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.

Requirements

Requirement: Details

DPA for profiling: Controllers must conduct a Data Protection Assessment for profiling that presents a reasonably foreseeable risk of harm

Risk evaluation: Assess risks to consumers from profiling activities

Mitigation measures: Identify and document mitigation measures for identified risks

Covers automated decisions: Applies to all three tiers of automated processing defined in Rule 2.02

Penalties

Violation: Fine

Per violation: Up to USD 20,000 per violation (deceptive trade practice)

Cite this regulation

Permalink: https://everyailaw.com/regulation/colorado-cpa-rules/

JSON: https://everyailaw.com/api/v1/regulations.json

Attribution: EveryAILaw, PAICE.work PBC. “Colorado Privacy Act Rules (4 CCR 904-3)”, EveryAILaw.com, Jun 30, 2026. https://everyailaw.com/regulation/colorado-cpa-rules/
