As Colorado’s “right to repair” law takes effect, it’s an important moment to underscore what protecting consumers really means: expanding repair options while also ensuring we do not create new vulnerabilities for critical infrastructure, cybersecurity, or sensitive personal data.
When a business or customer needs to fix a digital device — whether it’s an office router or medical imaging equipment — they should feel confident that protections against hacking or misuse are fully integrated throughout the repair process and that trained service providers are using the right parts and tools.
Across the country, including in Colorado, lawmakers are considering “right to repair” policies to expand access to parts, tools, and repair information. While these proposals are often framed as expanding repair options, many are not drafted with adequate safeguards, and poorly designed laws can create serious unintended consequences for security, privacy, and reliability. That matters because granting unrestricted access to sensitive personal data, source code, security keys, and intellectual property of hardworking businesses and American innovators can create significant risks.
That could open the door to untrained technicians, allow unauthorized third parties to access and exploit trade secrets and private information, and create new risks for cybersecurity, privacy, and system reliability — at a time when threat actors and their tactics are constantly evolving.
For example, Colorado’s “right to repair” law does not currently account for the very different security, operational, and resilience considerations presented by digital equipment used in critical infrastructure. Although a lot of the focus of repair laws is on consumer products, loosely written policies could allow unauthorized third parties to access and exploit trade secrets and private information for systems protecting critical infrastructure, such as power grids, financial networks, and healthcare systems that Coloradans and all Americans rely on every day. When legislation takes a one-size-fits-all approach, it can miss the realities of how these systems actually function and how much people depend on them.
Critical infrastructure technologies operate in highly sensitive settings and support systems that millions of people in Colorado and across the country rely on every day, managing enormous volumes of data and requiring the highest cybersecurity protocols. They are not standalone devices in ordinary settings; they are often part of larger, interconnected systems where a single vulnerability can have much broader consequences. They require highly skilled engineering support because people and businesses depend on them around the clock.
This is why Colorado should revisit and refine its “right to repair” law by passing Senate Bill 90. The framework introduced in Senate Bill 90 would preserve repair access for consumers and independent repair providers, while exempting digital equipment used in critical infrastructure. The law would still require manufacturers to provide consumer device owners and independent repair shops with the same parts, tools, and documentation that authorized repair networks receive. But it would also ensure that repair access does not expose sensitive data, weaken cybersecurity protections, or compromise the integrity of the systems people rely on every day.
Colorado has an opportunity to demonstrate that repair access and security do not have to be in conflict. Lawmakers can support consumers, protect critical infrastructure, encourage competition, and expand legitimate repair options while also recognizing that not every type of equipment poses the same risks.
Colorado’s future depends on secure, resilient, and innovative technology ecosystems. Poorly designed “right to repair” laws could damage this foundation and put the state, nation, and the world at risk.
We can protect Colorado consumers while also avoiding unintended consequences that threaten safety, national security, intellectual property, and America’s competitiveness. Let’s work together to get repair policies right.