Colorado AI Law: What to Know

Michelle Ma
May 22, 2024

AI Talk

Last week, Colorado’s legislature passed their Colorado AI Law, called “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems”, and Governor Jared Polis signed the law that same week. This makes Colorado the first state legislature to pass general AI legislation. Here, I’ll outline this legislation’s objectives, who it regulates, and general compliance requirements. 

Objectives

The overarching goal is to protect consumers by requiring certain technologies to avoid “algorithmic discrimination” in the deployment of “high risk” AI systems. Notably, these laws do not require intent for liability.

When This Takes Effect

Developers and Deployers must comply by February 1, 2026, giving about 18 months for companies to create compliant policies and processes for AI design.

Who is Protected

Consumers who are CO residents. They have certain transparency rights, the right to correct data used to make certain decisions, and the right of appeal to a human reviewer in certain scenarios.

Who Must Comply & Affected Technology

Legal and natural persons (i.e. humans and companies) operating in Colorado who develop and/or use “High-Risk Artificial Intelligence Systems” must comply with these laws. These include Developers (those who develop or intentionally and substantially modify an AI System), and Deployers (a user of an HAIS).

Developer Compliance Obligations

Some key obligations imposed on Developers include: 

  • Make certain documentation available for Deployers, which include high-level summary of training data used, known and reasonably foreseeable limitations of the HAIS, including risks of Algorithmic Discrimination arising from the intended uses, data governance applicable to training data, and others. 
  • Make available sufficient documentation for a Deployer to conduct an Impact Assessment.
  • Publish on its own website info about the types of HAIS the Developer has developed and other disclosures. 
  • Notify the Attorney General and known Deployers within 90 days of discover of, or credible report about risks of Algorithmic Discrimination.

Deployer Compliance Obligations 

Some key obligations imposed on Deployers include:

  • Implement risk management policy and program for HAIS use.
  • Complete an impact assessment for deployed HAIS at least annually and within 90 days of any intentional and substantial modification to the HAIS.
  • Consumer transparency obligations: 
    • Notify affected Consumers pre-deployment about the HAIS, purpose, contact info. 
    • Direct notice sent to a Consumer who was the subject of an adverse Consequential Decision.
    • Website statement that is updated periodically about the currently deployed HAIS.
  • Notify the Attorney General within 90 days of discovery of Algorithmic Discrimination caused by the HAIS.

Exemptions

The legislation does not apply to an HAIS that is approved, developed or otherwise used or acquired by a US federal agency.

Enforcement

There is no private right of action; only the Colorado Attorney General has the authority to enforce the Colorado AI Law, with a violation being an unfair trade practice under Colorado’s consumer protection laws.

Some Clarifying Definitions

  • High-Risk Artificial Intelligence Systems: AI systems that when deployed make or is a “substantial factor” in making a “consequential decision.”
    • A consequential decision is a decision that affects a CO resident when it comes to education, employment, financial or lending services, essential government services, health care services, housing, insurance or a legal service.
    • What’s not an HAIS: an AI System that performs narrow procedural tasks or detects decision-making patterns, and 17 types of common tech, such as fraud detection that does not use facial recognition, anti-malware, anti-virus, video games, cybersecurity, and others.
  • Algorithmic Discrimination occurs when use of an AI system results in unlawful, undifferentiated treatment or impact disfavoring individuals or groups of individuals on the basis of actual or perceived, age, color, disability, ethnicity, genetic information, limited proficiency in English language, national origin, race, religion, reproductive health or other classifications protected under Colorado or federal law.

In my next post, I’ll compare the Colorado AI law with the Colorado Privacy Act and EU AI Act, as well as how this may affect or serve as a model for federal legislation.