Colorado Privacy Act Rules (4 CCR 904-3)

Jurisdiction: Colorado
Status: enforcing
Effective: Jul 1, 2023
Authority: Colorado Attorney General
Official text verified Mar 26, 2026

Obligations Covered

Human Oversight, Risk Assessment

Provisions (2)

Automated Processing Definitions (Rule 2.02)

Obligation: Human Oversight
Status: enforcing
Effective: Jul 1, 2023
Risk tier: all
Scope: deployers
Tags: sleeper, cross-domain
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.

Requirements

Requirement | Details
Solely Automated Processing | Decisions made by automated systems without human intervention or review
Human Reviewed Automated Processing | Automated decisions subject to human review before finalization
Human Involved Automated Processing | Humans involved in the decision-making loop prior to automated output
Consent implications | Level of automation determines consent and opt-out requirements for profiling

Penalties

Violation | Fine
Per violation | Up to USD 20,000 per violation (deceptive trade practice)

Data Protection Assessments for Profiling (Rule 9.06(B))

Obligation: Risk Assessment
Status: enforcing
Effective: Jul 1, 2023
Risk tier: all
Scope: deployers
Tags: sleeper, cross-domain
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the AI system was the target of the regulation. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.

Requirements

Requirement | Details
DPA for profiling | Controllers must conduct a Data Protection Assessment for profiling that presents heightened risk of harm
Risk evaluation | Assess risks to consumers from profiling activities
Mitigation measures | Identify and document mitigation measures for identified risks
Covers automated decisions | Applies to all three tiers of automated processing defined in Rule 2.02

Penalties

Violation | Fine
Per violation | Up to USD 20,000 per violation (deceptive trade practice)