Colorado Privacy Act
- Michael Barry
- 1 day ago
- 4 min read

In Colorado, small and mid-sized businesses must increasingly pay attention to how they collect and use personal data and how they deploy artificial intelligence (AI). While these issues may once have seemed relevant only to large firms, Colorado’s emerging regulatory landscape means they are now material for many businesses, even those without a dedicated legal or privacy team.
Colorado’s state privacy law, the Colorado Privacy Act (CPA), gives Colorado residents certain rights over their personal data and places obligations on businesses that collect, process or store that data (for example, by providing transparency, allowing correction/deletion in certain cases, and implementing reasonable security). For example, websites that collect personal data from Colorado visitors must inform them and allow opt-outs of targeted advertising or sale of their data. More recently, Colorado passed the Colorado Artificial Intelligence Act (CAIA) via Senate Bill 24-205, which takes effect (in most respects) on February 1, 2026. The CAIA applies to “high-risk AI systems” that make, or substantially help make, a “consequential decision” (such as employment decisions, lending, housing, healthcare, legal services, or other materially impactful outcomes) for Colorado residents. Under the CAIA, businesses that develop or deploy such high-risk AI must exercise “reasonable care” to prevent algorithmic discrimination, prepare documentation, conduct impact assessments, provide consumer disclosures and enable corrective opportunities for affected individuals.
For Colorado businesses, the practical message is this: even if you do not consider yourself a technology company, if you use automated decision tools (especially in hiring, customer segmentation, credit/finance, housing, or other areas with material impact), you should treat privacy and AI governance as operational risks. Regulators are signalling that they will hold companies accountable—not only the developers of AI tools, but also the businesses that deploy them in Colorado. Moreover, even outside the CAIA’s “high-risk” category, the obligation to disclose to consumers that they are interacting with an AI system applies to many consumer-facing tools.
Here are a number of practical steps (a checklist) your business can follow to prepare for compliance and reduce risk:
Checklist for Colorado Businesses: Data Privacy & AI Preparedness
- Map the personal data you collect, store, process and share. Identify where you collect Colorado residents’ data, what categories of data you obtain (e.g., identifiers, sensitive data, behavioral data), how it flows through your systems, with which third parties you share it and how long you retain it.
- Review whether you deploy or rely on any automated decision-making tools that could be classified as “high-risk AI systems” under the CAIA. Ask whether the system makes, or is a substantial factor in making, a consequential decision (employment, lending, housing, legal, healthcare, government service) for a Colorado resident. If yes, it likely triggers obligations.
- If the tool is high-risk, put in place a risk management policy and program aligned to a recognized framework (for example, the National Institute of Standards and Technology (NIST) AI Risk Management Framework), and ensure you can document the system’s purpose, inputs/outputs, performance metrics, known limitations, and mitigation of bias/discrimination. Maintain records (for example, impact assessments) for at least three years.
- Ensure appropriate consumer disclosures. If a Colorado resident is interacting with an AI system (even one that is not high-risk), your business may need to inform them clearly that they are engaging with an AI system, unless that is obvious to a reasonable person. If the system makes an adverse “consequential decision”, you should offer the person a way to correct inaccurate data used in the decision and, if technically feasible, a human-review appeal process.
- Update vendor and third-party contracts. If you license or outsource AI tools, ensure the vendor provides documentation of training data, bias mitigation and limitations, and supports your own compliance obligations under the CAIA and CPA. Demand appropriate representations and audit rights.
- Review and update your privacy policy and practices. Ensure your policies disclose the categories of data collected, how you use and share it, and the rights of Colorado residents under the CPA (including rights of access, correction, deletion, and opt-out in certain cases). Even if you believe you are below any threshold for being a “covered entity”, building best practices now will reduce risk later.
- Provide training and oversight. Educate key personnel (IT, compliance, HR, marketing) about how AI and data privacy risks may arise: bias/discrimination, erroneous data inputs, data breaches, vendor risk. Assign clear accountability.
- Monitor regulatory and legislative developments. Although the CAIA takes effect in 2026, rulemaking by the Colorado Attorney General is ongoing and could refine obligations. Stay alert to guidance, enforcement actions and rule updates.
- Prepare for incident response. If your system (or a vendor’s system you use) results in an algorithmic discrimination event or a data misuse incident, you may be required to disclose it to the Colorado Attorney General within 90 days. Build a response playbook.
- Document your governance and oversight measures. Maintain a clear paper trail showing you identified risks, evaluated them, took steps to mitigate them, and reviewed performance. This documentation can support a rebuttable presumption of “reasonable care” under the CAIA.
In short, Colorado’s business laws are catching up to technology. If your company uses data or AI in any material way, treating privacy and responsible AI as core operational matters is a practical safeguard. It isn’t enough to assume “we’re small so it doesn’t apply” — the law defines many obligations without minimum size thresholds, especially under the CAIA. Starting early helps you avoid regulatory surprises, build trust with customers and position your business for growth. If you’d like assistance reviewing your particular processes, drafting vendor terms, or designing an AI governance program tailored to Colorado compliance, our firm would be happy to help.