Colorado Privacy Act (CPA profiling and ADM)
Effective date
Penalty
Up to $20,000 per violation. The 60-day cure period expired January 1, 2025. The Attorney General may enforce without offering cure. Enforced by Colorado Att…
Obligations mapped
8 obligations
Overview
Colorado profiling rules define three tiers: Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing. Consumer opt-out applies to tiers 1 and 2. Tier 3 gets enhanced disclosure instead of opt-out. Core profiling provisions effective July 1, 2023. Universal opt-out mechanism compliance required since July 1, 2024. The 60-day cure period for CPA violations expired January 1, 2025, so the Attorney General may pursue enforcement without a cure window (distinct from the Colorado AI Act cure rule). HB 24-1130 added biometric consent requirements effective July 1, 2025. SB 24-041 added minor protections effective October 1, 2025.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Colorado
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
SB 21-190
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
- Employment and hiring
Specific AI use cases:
- Customer profiling and segmentation
- Credit scoring and risk assessment
- Dynamic and algorithmic pricing
- Resume screening and ranking
- Video interview analysis
- Chatbots and virtual assistants
- Companion, relationship, or social chatbots
What this requires you to do
8 obligations identified from statutory analysis.
C.R.S. 6-1-1308(7); as amended by SB 25-276 (adding precise geolocation)
C.R.S. 6-1-1306(1)(b); 4 CCR 904-3 Rule 4.05
C.R.S. 6-1-1309; 4 CCR 904-3-9.06; 4 CCR 904-3 Part 8
C.R.S. 6-1-1308(6)
C.R.S. 6-1-1306(3)
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $20,000 per violation. The 60-day cure period expired January 1, 2025. The Attorney General may enforce without offering cure. Enforced by Colorado Attorney General.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Minor protections and SB 25-276 amendments take effect
effective
Biometric provisions take effect
cure period expired
60-day cure period expires. AG may now pursue enforcement without cure.
effective
UOOM requirement takes effect
amended
SB 24-041 (minor protections) and HB 24-1130 (biometric provisions) signed
effective
CPA takes effect
rulemaking
Final CPA rules filed. First state to finalize ADM and profiling regulations.
rulemaking
Proposed CPA rules published
Related regulations
Colorado AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.