Ban Government Purchase of Personal Data from Third Party

The Bottom Line

Police and government agencies frequently buy commercially harvested data—like your phone's location or web history—to track individuals without getting a warrant. This bill would make it illegal for Colorado agencies to buy their way around the Fourth Amendment, closing a massive loophole in digital privacy.

What This Bill Actually Does

The Fourth Amendment protects us from unreasonable searches, historically requiring police to get a warrant before digging into our private lives. But the digital age created a massive loophole. Private data brokers continuously harvest our digital footprints from weather apps, online shopping, and social media. Because this data is commercially available, law enforcement and government agencies can simply buy it. This allows them to effectively skip the judge, the probable cause requirement, and the warrant process entirely.

To close this loophole, HB26-1037—officially titled the "Fourth Amendment is Not for Sale Act"—makes it explicitly illegal for state and local government entities to obtain your personal data from a third party in exchange for "anything of value." The definition of personal data in this bill is incredibly comprehensive. It covers everything from web browsing history and precise geolocation to biometric data, financial records, health information, device identifiers (like your IP or MAC address), and even inferred profiles that data brokers build about your lifestyle. The bill also prevents local agencies from acting as data laundering hubs, meaning they cannot purchase data and then pass it along to federal agencies or other local departments.

The legislation doesn't end police investigations; it just forces them back into traditional legal channels. Agencies can still legally acquire your data if they obtain a valid judicial warrant or subpoena, if there is a life-or-death emergency, or if the individual gives explicit consent. To make sure the law has teeth, the bill creates a private cause of action. If your data is bought in violation of this law, you can sue the government entity. Most importantly for the justice system, any illegally purchased data is strictly barred from being used as evidence in Colorado courtrooms.

What It Means for You

If you carry a smartphone, use map applications, or simply browse the internet, you are generating thousands of data points every day. For the average Coloradan, this bill represents one of the most significant upgrades to your digital civil rights in years. It ensures that the state cannot use your own tax dollars to buy a backdoor into your private life. For example, your precise geolocation—which reveals exactly which doctors you visit, where you sleep, and who you associate with—would be shielded from warrantless government monitoring.

The real power of this legislation is how it empowers you to fight back. By granting everyday citizens a private cause of action, the bill allows you to take state agencies or local police to court if they illegally acquire your data. Because you can seek an injunction and recover reasonable attorney fees, you don't have to be wealthy to hold the government accountable. This fundamentally shifts the power dynamic, creating a massive financial deterrent for agencies that might be tempted to cut corners on privacy.

It's also important to understand what this doesn't change about your safety. If a police officer is investigating a serious crime and needs your phone records, they can still go to a judge, explain their evidence, and secure a warrant—exactly as they do when searching a physical home. Furthermore, the bill includes common-sense carveouts, such as allowing data sharing with the National Center for Missing and Exploited Children. The goal isn't to tie the hands of law enforcement in a crisis; it's to ensure your constitutional rights aren't voided simply because you downloaded a weather app.

What It Means for Your Business

While Main Street retail and service businesses won't feel a direct impact from this legislation, companies operating in tech, software, data brokering, or government contracting are looking at a major market shift. If your business aggregates and sells consumer data, the Colorado government market is essentially closing its doors. Business models that rely on licensing app data, geolocation tracking, or targeted consumer profiles to law enforcement or state agencies will need to pivot immediately or face the loss of those contracts.

The bill's language is broad enough to catch standard software agreements, too. It defines an "exchange for anything of value" to include access fees, service fees, maintenance fees, or licensing fees. This means if you provide a Software-as-a-Service (SaaS) product to a city or state agency, and that platform pulls in external personal data for the agency's use, your contract could run afoul of these new restrictions. Tech vendors will need to carefully audit their platforms to ensure they aren't inadvertently acting as a pipeline for prohibited third-party data.

There is also a potential ripple effect for industries that rely on state data systems. For instance, the Department of Revenue routinely sells driver and vehicle records through its Bulk Electronic Data Vending Program to commercial vendors, which supports background checks, auto dealers, and insurance companies. While the bill specifically targets the government buying data, state agencies have raised concerns that strict new prohibitions on how data is handled could slow down or complicate existing public-private data partnerships. If you rely on state databases for your business operations, you'll want to watch how agencies adjust their compliance frameworks in response to this policy.

Follow the Money

The financial debate behind this bill is unusually contentious. The official legislative fiscal note estimates a relatively modest cost to the state: about $407,000 in the first year. This money would come from the General Fund to hire three policy advisors across the Department of Public Safety, the Department of Revenue, and the Judicial Department. Their job would be to review data governance policies and ensure current operations—which the state assumes mostly fall under the bill's exemptions—remain compliant.

However, the state agencies themselves paint a vastly different and far more expensive picture. The departments argue the bill's restrictions are so severe that they would have to completely abandon their use of third-party platforms and manually source every piece of data they need. They project a staggering $17.1 million price tag to hire over 170 new employees to handle the manual workload. Worse, the Judicial Department claims the bill would cripple their ability to use data to track down individuals who owe court fines, projecting a massive $61 million loss in state revenue annually. While nonpartisan analysts rejected these apocalyptic estimates as an overreaction, the massive gap between the two fiscal projections highlights just how deeply embedded commercial data has become in modern government operations.

Where This Bill Stands

HB26-1037 is currently Dead. The latest official action came on 04/22/2026: House Committee on Judiciary Postpone Indefinitely.

That means the bill is no longer advancing this session. In practice, measures that are postponed indefinitely or otherwise declared lost generally stay dead unless they are reintroduced in a future session.