TL;DR: Colorado has built a comprehensive facial recognition regulatory framework through multiple laws: SB 22-113 requires government agencies to file notices, produce accountability reports, and obtain warrants for surveillance uses. HB 24-1130 (effective July 2025) requires consent for biometric collection, bans selling biometric data, and mandates deletion protocols. The Colorado AI Act (effective February 2026) adds algorithmic impact assessments for high-risk AI systems. Rather than outright bans, Colorado uses transparency, consent, and accountability: a model other states are watching.

The Colorado Approach

While some cities have banned facial recognition outright, Colorado took a different path: regulate, require transparency, and mandate accountability.[1]

The result is a multi-layered framework that has evolved since 2022:

  • SB 22-113 (2022): Governs government and law enforcement use
  • HB 24-1130 (2024, effective July 2025): Strengthens biometric data protection for all entities
  • SB 25-143 (2025): Allows school use with strict conditions
  • SB 24-205 - Colorado AI Act (2024, effective February 2026): Adds AI governance requirements

SB 22-113: Government Use Requirements

This law governs how state and local government agencies (including law enforcement) can use facial recognition:[2]

Required Transparency

  • Notice of intent: Agencies must file public notice before using facial recognition
  • Accountability reports: Regular reports detailing purpose, impact, and use statistics
  • Public documentation: Information about which systems are used and why

Law Enforcement Restrictions

  • No continuous surveillance: Prohibited without a warrant or court order
  • No real-time identification: Live matching in public spaces requires judicial authorization
  • No persistent tracking: Long-term monitoring of individuals requires a warrant
  • Exceptions: Missing persons, deceased identification

Operational Requirements

  • Testing: Systems must be tested in operational conditions before deployment
  • Training: Periodic training for operators
  • Meaningful human review: Decisions based on facial recognition require human oversight
  • Records: Logging and audit trails for compliance verification

HB 24-1130: Biometric Data Protection

Effective July 1, 2025, this law amends the Colorado Privacy Act to strengthen biometric protections:[3]

Affirmative Consent

Collection of biometric identifiers (including facial recognition data) requires explicit consent. Not buried in terms of service.

No Selling Biometrics

The sale and purchase of biometric identifiers is prohibited. Your face isn't a commodity to be traded.

Retention Limits

Mandatory limits on how long biometric data can be retained, with required deletion protocols.

Employer Obligations

Employers must obtain consent before collecting employee biometric information and adopt specific biometric policies.

Note: This law does not create a private right of action: enforcement is through the Attorney General and district attorneys only.

Schools: From Ban to Conditional Use

Colorado's approach to schools evolved:[4]

  • SB 22-113 (original): Prohibited K-12 schools from new facial recognition contracts until July 2025
  • SB 25-143 (2025): Conditionally lifted the moratorium with strict requirements

Under the current framework, schools can use facial recognition only for:

  • Board-approved educational purposes
  • Narrowly defined safety scenarios (threat identification, locating missing children)

Requirements include:

  • Explicit informed consent from students/parents and staff
  • Clear policies on deployment, access, and usage
  • Deletion of biometric data within 18 months

Colorado AI Act: February 2026

The Colorado Artificial Intelligence Act (SB 24-205) takes effect February 1, 2026, adding another layer:[5]

  • High-risk AI systems: Facial recognition systems making "consequential decisions" are covered
  • Duty of care: Developers and deployers must prevent algorithmic discrimination
  • Impact assessments: Required algorithmic impact assessments before deployment
  • Risk management: Ongoing risk management plans
  • Consumer disclosure: Users must be informed when AI systems affect them
  • Individual rights: Opt-out, explanation of adverse decisions, human review appeal

This adds procedural requirements that facial recognition systems must satisfy.

How It Works in Practice

Under Colorado's framework, here's what happens when an agency wants to use facial recognition:

  1. Pre-deployment: File notice of intent, test system, train operators
  2. Transparency: Produce accountability reports, make information public
  3. For surveillance: Obtain warrant or court order (except narrow exceptions)
  4. For collection: Get affirmative consent for biometric data
  5. For decisions: Ensure meaningful human review before action
  6. Ongoing: Maintain records, conduct periodic training, file compliance reports

Violations can result in enforcement actions by the Attorney General.

Bans vs. Regulation

How does Colorado's approach compare to outright bans?

Bans (San Francisco, etc.)

Pros: Clear prohibition, no enforcement ambiguity
Cons: Can be repealed, may prevent legitimate uses, often limited to municipal government

Regulation (Colorado)

Pros: Allows controlled use, creates accountability, covers more entities
Cons: Compliance depends on enforcement, more complexity, loopholes possible

Neither approach fully solves the problem. Bans can be circumvented or reversed. Regulations depend on enforcement and can have gaps. Colorado's layered approach attempts to address multiple risks simultaneously.

What It Means for Colorado Residents

  • Government surveillance: Warrants now required for most facial recognition surveillance by law enforcement
  • Commercial collection: Companies must get your consent before collecting biometric data
  • Your children: Schools need explicit consent before using facial recognition on students
  • Your workplace: Employers need consent and policies before biometric collection
  • AI systems: Starting February 2026, consequential AI decisions require transparency and appeal rights

Limitations

Colorado's framework isn't perfect:

  • No private right of action: You can't sue directly: only the AG can enforce
  • Federal preemption: Federal agencies operating in Colorado aren't bound by state law
  • Enforcement resources: The AG's office has limited bandwidth for all privacy enforcement
  • Loopholes: Creative interpretations and technology evolution may find gaps
  • Voluntary compliance: Depends on entities actually following the rules

A Model for Other States?

Other states are watching Colorado's experiment. The approach offers:

  • A politically feasible alternative to outright bans
  • Layered protections that address multiple use cases
  • Framework that can evolve with technology (AI Act addressing new risks)
  • Consent-based approach that respects individual autonomy

Whether it actually protects residents depends on implementation and enforcement, which we'll see over the coming years.

References

  1. Colorado Legislature - SB 22-113 Facial Recognition Services
  2. Colorado Politics - State Facial Recognition Regulation
  3. Colorado Legislature - HB 24-1130 Biometric Data Protection
  4. Biometric Update - Colorado Schools Facial Recognition (2025)
  5. National Association of Attorneys General - Colorado AI Act