Does Colorado Privacy Act Rules (4 CCR 904-3) require Human Oversight?
Colorado • enforcing
Yes — 1 provision
Requirements at a glance
This regulation imposes 4 specific requirements for Human Oversight across 1 provision:
- Solely Automated Processing — Decisions made by automated systems without human intervention or review
- Human Reviewed Automated Processing — Review of automated decisions that does not rise to the level of Human Involved Automated Processing
- Human Involved Automated Processing — Human involvement requires both meaningful consideration of the data and output, and the authority to change or influence the outcome of the automated processing
- Consent implications — Level of automation determines consent and opt-out requirements for profiling
Automated Processing Definitions (Rule 2.02)
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.
Requirements
| Requirement | Details |
|---|---|
| Solely Automated Processing | Decisions made by automated systems without human intervention or review |
| Human Reviewed Automated Processing | Review of automated decisions that does not rise to the level of Human Involved Automated Processing |
| Human Involved Automated Processing | Human involvement requires both meaningful consideration of the data and output, and the authority to change or influence the outcome of the automated processing |
| Consent implications | Level of automation determines consent and opt-out requirements for profiling |
Penalties
| Violation | Fine |
|---|---|
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |