1. Overview: The AI Privacy Landscape
The regulation of artificial intelligence and automated decision-making technology (ADMT) represents one of the fastest-evolving areas in US privacy law. As organizations increasingly deploy AI systems for consequential decisions affecting employment, housing, credit, healthcare, and education, a patchwork of state laws has emerged to address algorithmic discrimination, transparency, and consumer rights.
For CIPP/US candidates, understanding this regulatory landscape is critical—these topics span multiple exam domains and reflect the cutting edge of privacy practice. The 2024-2025 period has been particularly active, with Colorado enacting the first comprehensive state AI law, California finalizing ADMT regulations under CPRA, and several states adding or strengthening profiling opt-out provisions.
AI and automated decision-making questions appear primarily in Domain II (Limits on Private-Sector Collection and Use) and Domain V (State Privacy Laws). Expect questions on profiling opt-out rights, algorithmic discrimination definitions, disclosure requirements, and comparisons between state approaches. The Colorado AI Act and California ADMT regulations are likely to feature prominently on current exams.
Key Definitions
Before diving into specific laws, understanding the foundational terminology is essential:
| Term | Definition |
|---|---|
| Automated Decision-Making Technology (ADMT) | Technology that processes personal information and uses computation to replace or substantially replace human decision-making (California definition) |
| Artificial Intelligence System | A machine-based system that infers from inputs how to generate outputs (predictions, decisions, recommendations) that can influence physical or virtual environments (Colorado definition) |
| High-Risk AI System | AI that makes or substantially contributes to consequential decisions with material legal or significant effects on consumers |
| Algorithmic Discrimination | Unlawful differential treatment based on protected characteristics resulting from AI system use |
| Profiling | Automated processing of personal data to evaluate, analyze, or predict aspects of an individual's behavior, preferences, or characteristics |
| Consequential Decision | Decision with material legal or similarly significant effect on access to education, employment, financial services, housing, insurance, or healthcare |
2. Colorado AI Act (SB 24-205)
On May 17, 2024, Colorado Governor Jared Polis signed SB 24-205 into law, making Colorado the first state to enact comprehensive legislation regulating high-risk artificial intelligence systems. The law establishes duties for both developers (those who create AI systems) and deployers (those who use AI systems for consequential decisions).
The Colorado AI Act's effective date was delayed from February 1, 2026 to June 30, 2026 following a special legislative session in August 2025 (SB 25B-004). The extension provides additional implementation time and allows for potential federal AI legislation to develop.
Scope and Applicability
The Colorado AI Act applies to high-risk AI systems—defined as AI systems that, when deployed, make or are a substantial factor in making "consequential decisions" concerning consumers. Consequential decisions include those affecting:
- Education enrollment or educational opportunities
- Employment or employment opportunities (hiring, promotion, termination)
- Financial or lending services
- Essential government services
- Healthcare services
- Housing
- Insurance
- Legal services
Developer Obligations
Developers of high-risk AI systems must:
Specific developer requirements include:
- Make available to deployers a general statement describing reasonably foreseeable uses and known harmful uses
- Provide documentation describing training data, known limitations, and capabilities
- Provide information necessary for deployers to complete impact assessments
- Disclose known risks of algorithmic discrimination to the Attorney General and known deployers within 90 days of discovery
- Maintain a publicly available statement on their website summarizing AI systems they make available
Deployer Obligations
Deployers of high-risk AI systems must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. A rebuttable presumption of reasonable care exists if deployers:
- Implement a risk management policy and program
- Complete an impact assessment of the high-risk AI system
- Conduct annual reviews to ensure the system is not causing algorithmic discrimination
- Provide consumers notice of AI system use in consequential decisions
- Offer consumers opportunity to correct incorrect personal data
- Provide opportunity to appeal adverse decisions via human review (if technically feasible)
Impact Assessment Requirements
Colorado's impact assessment must include:
- Statement of purpose for deploying the high-risk AI system
- Intended benefits and uses
- Analysis of whether deployment poses risks of algorithmic discrimination
- Description of data processed as inputs and outputs produced
- Metrics used to evaluate system performance
- Known limitations of the system
- Description of transparency measures taken
- Post-deployment monitoring processes
Consumer Notice Requirements
When a deployer uses high-risk AI to make a consequential decision, they must notify consumers of:
- The fact that a high-risk AI system is being used
- The purpose of the AI system and nature of the consequential decision
- The principal reasons for the decision (including degree of AI contribution)
- Contact information for the deployer
- The consumer's right to correct personal data
- The consumer's right to appeal
Enforcement
The Colorado Attorney General has exclusive enforcement authority. Violations constitute deceptive trade practices under the Colorado Consumer Protection Act. Key enforcement features:
- No private right of action—only AG enforcement
- Affirmative defense available if violation is discovered and cured through feedback, testing, or internal review
- Compliance with recognized risk management frameworks (e.g., NIST AI Risk Management Framework) provides additional protection
Know the distinction between developers and deployers under the Colorado AI Act. Developers create AI systems; deployers use them for consequential decisions. Both have separate but complementary obligations. Also remember that the law provides a rebuttable presumption of compliance for deployers who meet all requirements—this is a favorite exam topic.
3. California ADMT Regulations
On September 22, 2025, the California Office of Administrative Law approved the California Privacy Protection Agency's (CPPA) long-awaited regulations on automated decision-making technology (ADMT). These regulations implement provisions of the California Privacy Rights Act (CPRA) and represent one of the most significant expansions of the CCPA framework since its enactment.
Key Compliance Dates
Risk assessment requirements take effect; businesses must begin compliance
ADMT notice, opt-out, and access requirements become effective
Risk assessment attestations and summaries due to CPPA; cybersecurity audit certifications due for businesses with $100M+ revenue
Cybersecurity audit certifications due for businesses with $50-100M revenue
Cybersecurity audit certifications due for businesses under $50M revenue
ADMT Definition
California's regulations define ADMT as technology that:
- Processes personal information, AND
- Uses computation to replace or substantially replace human decision-making
"Substantially replace" means the technology makes a decision without meaningful human involvement. Human involvement is meaningful when the reviewer:
- Knows how to interpret the technology's output
- Affirmatively reviews the output to make a decision
- Has actual authority to make or change the decision based on their own analysis
Significant Decisions
The ADMT requirements apply when technology is used for "significant decisions" that affect consumers':
- Financial services (including credit, lending, insurance)
- Employment (hiring, promotion, discipline, termination)
- Housing
- Education
- Healthcare
Notably, advertising was removed from the final definition of significant decisions—a major change from earlier drafts.
Business Obligations
Beginning January 1, 2027, businesses using ADMT for significant decisions must:
1. Pre-Use Notice
Provide consumers notice before using ADMT, which may be included in the business's CCPA notice at collection. The notice must include:
- Description of the ADMT and its purpose
- What personal information will be processed
- How outputs will be used in decision-making
- Consumer's right to opt out or appeal
2. Opt-Out Mechanism
Provide consumers the right to opt out of ADMT processing for significant decisions, unless an exception applies (e.g., human review with override authority exists).
3. Access Rights
Upon request, provide consumers with:
- Information about the logic of the ADMT
- Information about the ADMT output
- Explanation of how outputs are used in decision-making
Note: Businesses are not required to disclose trade secrets or information that could compromise fraud or safety defenses.
4. Appeal Rights
Provide consumers the ability to appeal ADMT-based decisions, with human review where technically feasible.
Risk Assessment Requirements
The regulations also establish mandatory risk assessments for high-risk processing activities, including:
- Selling or sharing personal information for cross-context behavioral advertising
- Processing sensitive personal information
- Using ADMT for significant decisions
- Profiling consumers in employment or education contexts
- Processing personal information to train ADMT for significant decisions
- Using facial recognition, emotion recognition, or identity verification technology
Risk Assessment Content Requirements
Each risk assessment must include:
- Detailed description of the processing purpose(s)
- Categories of personal information to be processed
- Analysis of benefits versus risks to consumer privacy
- Consideration of less intrusive alternatives
- Safeguards implemented to address identified risks
Key Requirement: Processing must be restricted or prohibited if privacy risks outweigh benefits.
For California ADMT regulations, remember the key dates: January 1, 2026 for risk assessments, January 1, 2027 for ADMT rights. Also note that "substantially replace" human decision-making requires no meaningful human involvement—if a human reviewer affirmatively reviews outputs with authority to override, the system may fall outside the definition.
4. State Privacy Law Profiling Rights
Beyond Colorado and California's specialized AI/ADMT provisions, most comprehensive state privacy laws include a consumer right to opt out of profiling that produces legal or similarly significant effects. Understanding these provisions is essential for both exam success and practical compliance.
Standard Profiling Opt-Out Rights
As of November 2025, the following states include profiling opt-out rights in their comprehensive privacy laws:
| State | Effective Date | Profiling Provision | Special Features |
|---|---|---|---|
| California | Jan 2027 (ADMT rules) | Opt-out + access + appeal | Most comprehensive; separate regulations |
| Colorado | June 2026 (AI Act) | Opt-out + impact assessment | First comprehensive AI law |
| Connecticut | July 2023 | Opt-out of profiling for significant decisions | Risk assessments required |
| Virginia | Jan 2023 | Opt-out of profiling for significant decisions | Data protection assessments |
| Oregon | July 2024 | Opt-out + transparency | Third-party disclosure list required |
| Minnesota | July 2025 | Opt-out + right to question | Can request reason for profiling decision |
| Texas | July 2024 | Standard opt-out | Applies to large data processors |
| Montana | Oct 2024 | Standard opt-out | Smaller population thresholds |
| Delaware | Jan 2025 | Opt-out + transparency | Third-party category disclosure |
| Iowa | Jan 2025 | No profiling opt-out | Exception: most business-friendly |
Minnesota's Enhanced Rights
Minnesota's Consumer Data Privacy Act (effective July 31, 2025) introduced an innovative "right to question" profiling decisions that goes beyond standard opt-out provisions:
- Right to be informed of the reason that profiling resulted in the decision
- If feasible, right to know what actions could have secured a different decision
- Right to know what actions could secure a different decision in the future
- Right to review personal data used in profiling
- If decision was based on inaccurate data, right to have data corrected and decision reevaluated
Iowa's Consumer Data Protection Act (effective January 1, 2025) is notably the only comprehensive state privacy law that does not include a consumer right to opt out of profiling. This makes Iowa's law the most business-friendly of the state privacy frameworks—a frequently tested distinction on the CIPP/US exam.
Universal Opt-Out Mechanisms
Increasingly, state laws require businesses to honor universal opt-out preference signals (like Global Privacy Control) for multiple purposes, potentially including profiling:
- California: GPC recognition required since 2023
- Colorado: Universal opt-out signal recognition required since July 2024
- Connecticut: Universal opt-out required as of 2025
- Delaware, Nebraska, Minnesota, New Hampshire, New Jersey, Maryland: All require universal opt-out mechanisms
5. AI in Employment Decisions
Employment represents a high-priority area for AI regulation, with several jurisdictions enacting specific requirements for AI tools used in hiring, promotion, and other employment decisions.
Illinois HB 3773 (Effective January 1, 2026)
On August 9, 2024, Illinois Governor Pritzker signed HB 3773, amending the Illinois Human Rights Act to address AI in employment. Illinois becomes the second state (after Colorado) to enact broad AI legislation for employment decisions.
Illinois HB 3773 Key Provisions
- Prohibition: Employers cannot use AI that has the effect of discriminating against employees based on protected classes
- Zip Code Ban: Cannot use zip codes as a proxy for protected classes
- Notice Requirement: Must notify employees when AI is used for employment decisions
- Covered Activities: Recruitment, hiring, promotion, training, discipline, discharge, or any other employment term
- Enforcement: Illinois Department of Human Rights
Notable Difference: Unlike Colorado and NYC, Illinois does not require bias audits, impact assessments, or risk management programs.
New York City Local Law 144 (Effective July 5, 2023)
NYC Local Law 144 was the first US law to require independent bias audits of automated employment decision tools (AEDTs). While limited to New York City, it has been influential in shaping subsequent legislation.
NYC Local Law 144 Requirements
Key Requirements:
- Bias Audit: Independent third-party audit within past 12 months
- Impact Ratio: Calculate selection/scoring rates across demographic groups (race/ethnicity, sex, and intersectional categories)
- Public Disclosure: Publish audit results on company website
- Candidate Notice: Inform candidates at least 10 business days before AEDT use
- Alternative Process: Offer candidates option to request alternative assessment
Illinois Artificial Intelligence Video Interview Act (Effective 2020)
Illinois was actually an early mover in AI employment regulation with the Artificial Intelligence Video Interview Act (AIVIA), which specifically addresses AI-analyzed video interviews:
- Employers must notify applicants that AI will analyze video interviews
- Must explain how the AI works and what characteristics it evaluates
- Must obtain consent before using AI analysis
- Must limit sharing of video recordings
- Must delete videos within 30 days upon applicant request
Comparison of Employment AI Laws
| Requirement | Colorado (2026) | Illinois HB 3773 (2026) | NYC LL 144 (2023) |
|---|---|---|---|
| Bias Audit | Impact assessment | Not required | Annual independent audit |
| Notice to Workers | Required | Required | 10 days advance |
| Risk Management | Program required | Not required | Not required |
| Appeal Right | Human review | IDHR process | Alternative process |
| Public Disclosure | Summary statement | Not required | Audit results |
| Enforcement | AG only | IDHR | DCWP |
NYC Local Law 144's bias audit requirement and 10-day advance notice are frequently tested topics. Remember that the law uses the four-fifths rule concept (80% impact ratio) borrowed from employment discrimination analysis. Also note that Illinois has two AI employment laws—AIVIA (video interviews, 2020) and HB 3773 (general employment AI, 2026).
6. Utah Artificial Intelligence Policy Act
Utah became the first state to enact AI-focused consumer protection legislation when Governor Cox signed SB 149 into law on March 13, 2024 (effective May 1, 2024). The Utah Artificial Intelligence Policy Act (UAIPA) takes a distinct approach focused on generative AI transparency rather than high-risk AI systems.
Key Features
The UAIPA differs significantly from Colorado's comprehensive approach:
- Focus: Applies specifically to generative AI (chatbots and content generation systems)
- Disclosure: Requires disclosure that consumers are interacting with AI, not a human
- Accountability: Companies cannot blame AI for consumer protection violations
- Innovation: Creates "AI Learning Laboratory" sandbox program
March 2025 Amendments (SB 226 & SB 332)
Utah narrowed and refined the UAIPA through amendments effective May 7, 2025:
Disclosure Requirements (Narrowed)
- Upon Request: Disclosure only required if consumer makes "clear and unambiguous request" to determine if interacting with AI
- Regulated Occupations: "Prominent" disclosure required only for "high-risk AI interactions" in regulated occupations (accounting, healthcare, etc.)
- High-Risk Defined: Interactions involving sensitive personal information OR personalized recommendations for significant personal decisions
SB 226 created a new safe harbor: A person is not subject to enforcement action if the generative AI itself clearly and conspicuously discloses it is nonhuman at the outset of and throughout the interaction.
AI Learning Laboratory Program
Utah's Office of Artificial Intelligence Policy administers an innovative regulatory sandbox that allows companies to:
- Apply for 12 months of "regulatory mitigation" (extendable once)
- Test AI products with reduced fines and cure periods
- Receive guidance on compliance approaches
- Contribute to policy development
Mental Health Chatbots (HB 452)
Utah also enacted HB 452 (effective May 7, 2025) creating specific requirements for AI-driven mental health chatbots:
- Disclosure requirements specific to mental health context
- Restrictions on advertising claims
- Privacy protections for mental health data
- Penalties of up to $2,500 per violation
Enforcement
- Utah Division of Consumer Protection has enforcement authority
- Fines up to $2,500 per violation
- Courts may order injunctions, disgorgement, and other relief
- No private right of action
7. Compliance Roadmap
For organizations using AI and automated decision-making systems, a multi-state compliance program requires addressing overlapping requirements from various frameworks. Here's a practical approach:
Phase 1: AI System Inventory (Immediate)
- Catalog all AI/ADMT systems in use or planned
- Identify systems used for "consequential" or "significant" decisions
- Map systems to jurisdictions where they're deployed
- Classify systems as developer-facing or deployer-facing
- Document data flows, inputs, and outputs for each system
Phase 2: Gap Analysis (Q1 2026)
- Compare current practices against Colorado AI Act requirements
- Assess readiness for California ADMT rules (January 2027 deadline)
- Review employment AI tools against NYC LL 144 and Illinois HB 3773
- Evaluate profiling opt-out mechanisms against state privacy laws
- Identify gaps in notice, consent, and appeal processes
Phase 3: Documentation & Assessments (Q2-Q3 2026)
- Develop impact assessment frameworks
- Create risk management policies and programs
- Establish bias audit relationships (for NYC compliance)
- Document training data, system limitations, and capabilities
- Prepare public-facing statements and disclosures
Phase 4: Consumer-Facing Changes (Q4 2026 - Q1 2027)
- Update privacy notices to include ADMT disclosures
- Implement opt-out mechanisms for profiling and ADMT
- Create appeal processes with human review capability
- Train customer service staff on AI-related inquiries
- Test and document data correction processes
Outsourcing ADMT to third-party vendors does not insulate businesses from liability. Under California regulations, service provider agreements must be amended to require assistance with risk assessments, cybersecurity audits, and ADMT compliance. Colorado similarly requires deployers to obtain necessary documentation from developers. Build vendor compliance requirements into contracts now.
Framework Alignment
Consider aligning compliance efforts with recognized frameworks:
- NIST AI Risk Management Framework (AI RMF)—Cited in Colorado AI Act as providing rebuttable presumption
- ISO/IEC 42001—AI Management System standard
- IEEE standards—Ethical AI design principles
- SOC 2 Type II—For cybersecurity audit alignment (California)
8. CIPP/US Exam Focus Areas
AI and automated decision-making topics span multiple CIPP/US exam domains. Here's what to prioritize for exam success:
Domain II: Limits on Private-Sector Collection and Use
- Consumer rights related to profiling and automated decisions
- Notice requirements for AI use
- Opt-out mechanisms and their scope
- Data minimization in AI training
Domain V: State Privacy Laws
- Colorado AI Act requirements for developers and deployers
- California ADMT regulations under CPRA
- State profiling opt-out provisions
- State-by-state comparison of AI provisions
Key Terms to Know
| Term | Definition | Source |
|---|---|---|
| Algorithmic Discrimination | Unlawful differential treatment based on protected characteristics resulting from AI use | Colorado AI Act |
| Consequential Decision | Decision with material legal or significant effect on employment, credit, housing, healthcare, education | Colorado AI Act |
| Significant Decision | Decision affecting finances, housing, education, employment, or healthcare | CA ADMT Regulations |
| Developer | Person doing business in state who develops or substantially modifies AI system | Colorado AI Act |
| Deployer | Person doing business in state who deploys high-risk AI system | Colorado AI Act |
| AEDT | Automated Employment Decision Tool | NYC LL 144 |
Common Exam Pitfalls
- Don't confuse Colorado's comprehensive AI law with Utah's generative AI-focused approach
- Remember that Iowa is the only state without profiling opt-out rights
- Know the effective dates—Colorado AI Act is June 30, 2026 (delayed from February 2026)
- Understand that California ADMT rules apply only to "significant decisions"—advertising was excluded
- Note that NYC Local Law 144 is the only law requiring independent bias audits
- Recognize that Minnesota has unique "right to question" profiling decisions
- Colorado AI Act's rebuttable presumption for deployer compliance
- California's definition of "substantially replace" human decision-making
- NYC's four-fifths rule (80% impact ratio) for bias audits
- Illinois HB 3773's zip code prohibition as proxy for protected classes
- Utah's safe harbor for AI systems that self-disclose
- Differences between developer and deployer obligations
Ready to Test Your AI Privacy Knowledge?
Practice with our CIPP/US exam questions covering automated decision-making, algorithmic discrimination, and state AI frameworks.
Start Practice Questions →Conclusion
The regulation of AI and automated decision-making represents one of the most dynamic and rapidly evolving areas of US privacy law. The patchwork of state approaches—from Colorado's comprehensive high-risk AI framework to California's ADMT regulations to Utah's generative AI transparency requirements—creates significant compliance complexity for organizations deploying AI systems.
For CIPP/US candidates, mastering these topics is essential. The intersection of consumer rights, algorithmic accountability, and emerging technology appears across multiple exam domains and reflects the current frontier of privacy practice. Pay particular attention to the distinctions between state approaches, the specific requirements for different types of AI systems, and the timeline for implementation.
As AI capabilities continue to advance and state legislatures respond to emerging concerns about algorithmic discrimination and consumer protection, this area will only grow in importance. The regulatory frameworks established in 2024-2025 will shape AI governance for years to come—making this knowledge valuable not just for exam success, but for professional practice in the privacy field.