Do the Colorado Privacy Act Rules (4 CCR 904-3) require Human Oversight?

Colorado • enforcing

Yes — 1 provision

Requirements at a glance

This regulation imposes 4 specific requirements for Human Oversight across 1 provision:

Automated Processing Definitions (Rule 2.02)

Obligation: Human Oversight • enforcing
Effective: Jul 1, 2023
Risk tier: all
Scope: controllers
sleeper • cross-domain
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.

Requirements

| Requirement | Details |
| --- | --- |
| Solely Automated Processing | Decisions made by automated systems without human intervention or review |
| Human Reviewed Automated Processing | Review of automated decisions that does not rise to the level of Human Involved Automated Processing |
| Human Involved Automated Processing | Human involvement requires both meaningful consideration of the data and output, and the authority to change or influence the outcome of the automated processing |
| Consent implications | Level of automation determines consent and opt-out requirements for profiling |

Penalties

| Violation | Fine |
| --- | --- |
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |