TL;DR: Colorado has built a comprehensive facial recognition regulatory framework through multiple laws: SB 22-113 requires government agencies to file notices, produce accountability reports, and obtain warrants for surveillance uses. HB 24-1130 (effective July 2025) requires consent for biometric collection, bans selling biometric data, and mandates deletion protocols. The Colorado AI Act (effective February 2026) adds algorithmic impact assessments for high-risk AI systems. Rather than outright bans, Colorado uses transparency, consent, and accountability: a model other states are watching.
The Colorado Approach
While some cities have banned facial recognition outright, Colorado took a different path: regulate, require transparency, and mandate accountability.[1]
The result is a multi-layered framework that has evolved since 2022:
- SB 22-113 (2022): Governs government and law enforcement use
- HB 24-1130 (2024, effective July 2025): Strengthens biometric data protection for all entities
- SB 25-143 (2025): Allows school use with strict conditions
- SB 24-205 - Colorado AI Act (2024, effective February 2026): Adds AI governance requirements
SB 22-113: Government Use Requirements
This law governs how state and local government agencies (including law enforcement) can use facial recognition:[2]
Required Transparency
- Notice of intent: Agencies must file public notice before using facial recognition
- Accountability reports: Regular reports detailing purpose, impact, and use statistics
- Public documentation: Information about which systems are used and why
Law Enforcement Restrictions
- No continuous surveillance: Prohibited without a warrant or court order
- No real-time identification: Live matching in public spaces requires judicial authorization
- No persistent tracking: Long-term monitoring of individuals requires a warrant
- Exceptions: Missing persons, deceased identification
Operational Requirements
- Testing: Systems must be tested in operational conditions before deployment
- Training: Periodic training for operators
- Meaningful human review: Decisions based on facial recognition require human oversight
- Records: Logging and audit trails for compliance verification
HB 24-1130: Biometric Data Protection
Effective July 1, 2025, this law amends the Colorado Privacy Act to strengthen biometric protections:[3]
Affirmative Consent
Collection of biometric identifiers (including facial recognition data) requires explicit consent. Not buried in terms of service.
No Selling Biometrics
The sale and purchase of biometric identifiers is prohibited. Your face isn't a commodity to be traded.
Retention Limits
Mandatory limits on how long biometric data can be retained, with required deletion protocols.
Employer Obligations
Employers must obtain consent before collecting employee biometric information and adopt specific biometric policies.
Note: This law does not create a private right of action: enforcement is through the Attorney General and district attorneys only.
Schools: From Ban to Conditional Use
Colorado's approach to schools evolved:[4]
- SB 22-113 (original): Prohibited K-12 schools from new facial recognition contracts until July 2025
- SB 25-143 (2025): Conditionally lifted the moratorium with strict requirements
Under the current framework, schools can use facial recognition only for:
- Board-approved educational purposes
- Narrowly defined safety scenarios (threat identification, locating missing children)
Requirements include:
- Explicit informed consent from students/parents and staff
- Clear policies on deployment, access, and usage
- Deletion of biometric data within 18 months
Colorado AI Act: February 2026
The Colorado Artificial Intelligence Act (SB 24-205) takes effect February 1, 2026, adding another layer:[5]
- High-risk AI systems: Facial recognition systems making "consequential decisions" are covered
- Duty of care: Developers and deployers must prevent algorithmic discrimination
- Impact assessments: Required algorithmic impact assessments before deployment
- Risk management: Ongoing risk management plans
- Consumer disclosure: Users must be informed when AI systems affect them
- Individual rights: Opt-out, explanation of adverse decisions, human review appeal
This adds procedural requirements that facial recognition systems must satisfy.
How It Works in Practice
Under Colorado's framework, here's what happens when an agency wants to use facial recognition:
- Pre-deployment: File notice of intent, test system, train operators
- Transparency: Produce accountability reports, make information public
- For surveillance: Obtain warrant or court order (except narrow exceptions)
- For collection: Get affirmative consent for biometric data
- For decisions: Ensure meaningful human review before action
- Ongoing: Maintain records, conduct periodic training, file compliance reports
Violations can result in enforcement actions by the Attorney General.
Bans vs. Regulation
How does Colorado's approach compare to outright bans?
Bans (San Francisco, etc.)
Pros: Clear prohibition, no enforcement ambiguity
Cons: Can be repealed, may prevent legitimate uses, often limited to municipal government
Regulation (Colorado)
Pros: Allows controlled use, creates accountability, covers more entities
Cons: Compliance depends on enforcement, more complexity, loopholes possible
Neither approach fully solves the problem. Bans can be circumvented or reversed. Regulations depend on enforcement and can have gaps. Colorado's layered approach attempts to address multiple risks simultaneously.
What It Means for Colorado Residents
- Government surveillance: Warrants now required for most facial recognition surveillance by law enforcement
- Commercial collection: Companies must get your consent before collecting biometric data
- Your children: Schools need explicit consent before using facial recognition on students
- Your workplace: Employers need consent and policies before biometric collection
- AI systems: Starting February 2026, consequential AI decisions require transparency and appeal rights
Limitations
Colorado's framework isn't perfect:
- No private right of action: You can't sue directly: only the AG can enforce
- Federal preemption: Federal agencies operating in Colorado aren't bound by state law
- Enforcement resources: The AG's office has limited bandwidth for all privacy enforcement
- Loopholes: Creative interpretations and technology evolution may find gaps
- Voluntary compliance: Depends on entities actually following the rules
A Model for Other States?
Other states are watching Colorado's experiment. The approach offers:
- A politically feasible alternative to outright bans
- Layered protections that address multiple use cases
- Framework that can evolve with technology (AI Act addressing new risks)
- Consent-based approach that respects individual autonomy
Whether it actually protects residents depends on implementation and enforcement, which we'll see over the coming years.