Does Colorado Privacy Act Rules (4 CCR 904-3) require Human Oversight?

Colorado • enforcing

Yes — 1 provision

Requirements at a glance

This regulation imposes 4 specific requirements for Human Oversight across 1 provision:

Automated Processing Definitions (Rule 2.02)

Obligation: Human Oversight • enforcing
Effective: Jul 1, 2023
Risk tier: all
Scope: deployers
sleeper • cross-domain
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.

Requirements

| Requirement | Details |
| --- | --- |
| Solely Automated Processing | Decisions made by automated systems without human intervention or review |
| Human Reviewed Automated Processing | Automated decisions subject to human review before finalization |
| Human Involved Automated Processing | Humans involved in the decision-making loop prior to automated output |
| Consent implications | Level of automation determines consent and opt-out requirements for profiling |

Penalties

| Violation | Fine |
| --- | --- |
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |