# Colorado Privacy Act Rules (4 CCR 904-3)

## Obligations Covered

## Provisions (2)

### Automated Processing Definitions (Rule 2.02)
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.
#### Requirements
| Requirement | Details |
|---|---|
| Solely Automated Processing | Decisions made by automated systems without human intervention or review |
| Human Reviewed Automated Processing | Review of automated decisions that does not rise to the level of Human Involved Automated Processing |
| Human Involved Automated Processing | Human involvement requires both meaningful consideration of the data and output, and the authority to change or influence the outcome of the automated processing |
| Consent implications | Level of automation determines consent and opt-out requirements for profiling |
#### Penalties
| Violation | Fine |
|---|---|
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |
### Data Protection Assessments for Profiling (Rule 9.06(A)-(B))
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the AI system was the target of the regulation. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.
#### Requirements
| Requirement | Details |
|---|---|
| DPA for profiling | Controllers must conduct a Data Protection Assessment for profiling that presents a reasonably foreseeable risk of harm |
| Risk evaluation | Assess risks to consumers from profiling activities |
| Mitigation measures | Identify and document mitigation measures for identified risks |
| Covers automated decisions | Applies to all three tiers of automated processing defined in Rule 2.02 |
#### Penalties
| Violation | Fine |
|---|---|
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |
## Cite this regulation
Permalink: https://everyailaw.com/regulation/colorado-cpa-rules/
JSON: https://everyailaw.com/api/v1/regulations.json
Attribution: EveryAILaw, PAICE.work PBC. “Colorado Privacy Act Rules (4 CCR 904-3)”, EveryAILaw.com, Jun 30, 2026. https://everyailaw.com/regulation/colorado-cpa-rules/