Search Colorado CPA

The Colorado AI Act (SB24-205) is effectively frozen just weeks before its June 30, 2026 effective date, following a stay in enforcement of the law by a Magistrate Judge in the District of Colorado on April 27, 2026.

Background

By way of background, on April 9, xAI filed suit in federal court seeking to enjoin the law on First Amendment, Dormant Commerce Clause, due process, and equal protection grounds, arguing that the Act’s algorithmic discrimination provisions would compel developers to reengineer model outputs to conform to state-preferred viewpoints. Two weeks later, the Trump DOJ intervened—the first time the federal government has moved to invalidate a state AI law under the President’s December 2025 executive order. xAI and the Colorado Attorney General subsequently filed a Joint Motion to Vacate Scheduling Conference and Suspend Case Deadlines and Stipulation to Temporarily Stay Enforcement (the “Motion”). The magistrate assigned to the case granted the Motion, which has the effect of preventing enforcement of the law by the Colorado Attorney General. The order also requires xAI to submit a motion for preliminary injunction and, if necessary, file an amended complaint, within 28 days after final adoption of rulemaking implementing the AI Act or any legislation that may replace or amend the AI Act.

Legislative Replacement Efforts

Due in part to pressure from the Trump Administration, there is a legislative replacement effort underway. Governor Polis’s AI Policy Work Group released a proposed framework on March 17 that would substantially narrow the Act’s scope to be closer to the CCPA’s automated decision-making technology regulations, add a 90-day cure period, and push the effective date to January 1, 2027. The effort is coming down to the wire. The legislature adjourns May 13, and no bill has been formally introduced. While Colorado can pass a bill in as few as three days, it is unclear whether the political dynamics that have stymied reform through two prior legislative cycles and a special session make nothing certain.

AG Weiser’s Non-Enforcement Commitment

Also relevant is AG Philip Weiser’s voluntary commitment not to enforce the AI Act. In the joint court filing, Weiser’s office stated it will neither promulgate implementing rules nor enforce the Act until after the legislative session concludes and any resulting rulemaking is complete. Given that rulemaking hasn’t even begun, this pushes any realistic enforcement timeline well past June 30 regardless of the litigation outcome—meaningful breathing room for companies that have been building compliance programs around the Act’s impact assessment and disclosure requirements.

Stay tuned to Privacy World for more on this and other developments.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that there were hundreds of investigations and enforcement actions in progress, many of which were at a stage that the applicable businesses were not yet aware that they are a target. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.

Continue Reading California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action

In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations. 

On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement against Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law explored in more detail here.

Continue Reading California AG Issues Highest Fine to Date for CCPA Violations

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.

Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29, 2024. As a result of the Court of Appeal’s order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency – including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology – will not be subject to a future delay.

The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.

Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: “We are plotting.”

Stay tuned for more on this from Privacy World in the coming days, and buckle up!

Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (“CCPA”) opt-out requirements for businesses that sell or share consumer personal information.

“From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020,” said Attorney General Bonta.

Continue Reading California Attorney General Announces Industry Investigative Sweep into CCPA Compliance

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?

Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023. Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1