Colorado CPA 2026 + Colorado AI Act — Profiling, Opt-Outs, and the 30 June 2026 Date
The Colorado Privacy Act has run since 2023 and meets the Colorado Artificial Intelligence Act on 30 June 2026 after a special-session delay. AI voice and chat that touch consequential decisions now answer to two regulators.
Colorado is the first US state to enforce a risk-based AI law alongside a comprehensive privacy law. The CAIA's enforcement date moved to 30 June 2026 after a 2025 special session, and the CPA's profiling rules already bite.
What the law says
The Colorado Privacy Act (CPA) — C.R.S. 6-1-1301 et seq. — has been in force since 1 July 2023 with regulations adopted by the Attorney General in March 2023 and refined since. Consumers can access, correct, delete, port, and opt out of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects. The CPA categorises automated processing into three buckets — solely automated, human-reviewed, and human-involved — and the opt-out reaches the first two. The Universal Opt-Out Mechanism (UOOM), in practice Global Privacy Control, has been mandatory since 1 July 2024. Data protection assessments are required for processing that presents a heightened risk of harm.
The Colorado Artificial Intelligence Act (CAIA, SB 24-205) layers a duty of care to prevent algorithmic discrimination on developers and deployers of high-risk AI systems. After a 2025 special session, the enforcement date moved to 30 June 2026. High-risk means any AI system that, when deployed, makes or is a substantial factor in making a consequential decision — education, employment, financial or lending services, healthcare services, housing, insurance, legal services, government services. Deployers must notify individuals before a consequential decision, publish a deployer notice, complete an annual impact assessment, and disclose adverse decisions with the principal reasons. Developers must publish a model card-style disclosure to deployers.
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
What AI voice/chat must do
Any voice or chat agent that materially contributes to a consequential decision is a high-risk system under CAIA and a profiling-for-significant-effect controller under CPA. From 30 June 2026 the deployer must serve a notice before the decision, publish the deployer disclosure, run an annual impact assessment, and stand up an adverse-action explanation pathway. The CPA opt-out continues to apply; it covers solely automated and human-reviewed processing but exempts genuine human-involved processing. UOOM signals must be honored at every consumer surface. Sensitive-data inference still needs consent.
CallSphere posture
CallSphere — 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses, 4.8/5, HIPAA and SOC 2 aligned — gives Colorado tenants a CAIA deployer notice generator, an impact-assessment template that maps to the AG's published criteria, an adverse-decision explanation engine that names the principal reasons, and CPA profiling opt-out flows wired to UOOM. The audit trail records every inference, tool call, and human-review touchpoint, so the agent's classification (solely automated, human-reviewed, human-involved) is provable. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate; details at /pricing and /contact.
flowchart LR
A[CO Caller] --> B[Voice Agent]
B --> C[CAIA Pre-Notice]
C --> D[Consequential Decision]
D --> E[Adverse Reasons]
B --> F[CPA Opt-Out\nUOOM]
F --> G[Impact Assessment]
Compliance checklist
- Inventory consequential-decision workflows; mark each high-risk under CAIA.
- Publish the deployer notice and pre-decision notice surface before 30 June 2026.
- Run the annual impact assessment with discrimination, accuracy, and oversight sections.
- Build the adverse-decision explanation engine — principal reasons, data sources, contribution.
- Honor UOOM signals at every consumer-facing surface.
- Complete CPA data protection assessments for profiling-for-significant-effect.
- Document the human-review pathway clearly to escape "solely automated" classification when intended.
- Track sensitive-data inference and gate behind consent.
- Maintain the developer-to-deployer disclosure if you build models for resale.
- Watch the AG's CAIA rulemaking — the agency has signalled additional procedural rules through 2026.
FAQ
Does CAIA apply to small businesses? There are exemptions for very small deployers but the law applies broadly. Read the deployer thresholds carefully.
Is HIPAA a CAIA carve-out? HIPAA-covered processing has narrower exemptions; CAIA's healthcare-decision scope is broader than HIPAA. Many AI voice agents will be in scope.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
What is "principal reason" disclosure? A plain-English explanation of why the AI contributed to the adverse outcome, the data inputs, and the magnitude of contribution.
Does CPA cover voice biometrics? Yes — biometric identifiers are sensitive data and require consent before processing.
Can the same notice cover CAIA and CPA? Often yes — design a layered notice and label which sections satisfy which statute.
Sources
- Colorado AG CPA Page: https://coag.gov/resources/colorado-privacy-act/
- Colorado AI Act SB 24-205: https://leg.colorado.gov/bills/sb24-205
- FPF Colorado AI Act Brief: https://content.leg.colorado.gov/sites/default/files/images/fpf_legislation_policy_brief_the_colorado_ai_act_final.pdf
- CPA Final Rules — Colorado AG: https://coag.gov/press-releases/3-15-23/
- DWT Mile-High Risk Analysis: https://www.dwt.com/blogs/artificial-intelligence-law-advisor/2024/05/colorado-enacts-first-risk-based-ai-regulation-law
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.