Does Colorado Privacy Act Rules (4 CCR 904-3) require Risk Assessment?
Colorado • enforcing
Yes — 1 provision
Requirements at a glance
This regulation imposes 4 specific requirements for Risk Assessment across 1 provision:
- DPA for profiling — Controllers must conduct a Data Protection Assessment for profiling that presents heightened risk of harm
- Risk evaluation — Assess risks to consumers from profiling activities
- Mitigation measures — Identify and document mitigation measures for identified risks
- Covers automated decisions — Applies to all three tiers of automated processing defined in Rule 2.02
Data Protection Assessments for Profiling (Rule 9.06(B))
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the rule was written with the AI system as its target. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.
Requirements
| Requirement | Details |
|---|---|
| DPA for profiling | Controllers must conduct a Data Protection Assessment for profiling that presents heightened risk of harm |
| Risk evaluation | Assess risks to consumers from profiling activities |
| Mitigation measures | Identify and document mitigation measures for identified risks |
| Covers automated decisions | Applies to all three tiers of automated processing defined in Rule 2.02 |
Penalties
| Violation | Fine |
|---|---|
| Per violation | Up to USD 20,000 per violation (deceptive trade practice) |