Privacy & Information Security Law Blog

On May 17, 2024, Colorado became the first U.S. state to enact comprehensive artificial intelligence (“AI”) legislation. The new law imposes requirements on companies to protect Colorado residents against harms that may result from the use of AI, with a particular focus on discrimination in the context of certain decisionmaking. The law will go into effect on February 1, 2026.

The law requires developers and deployers of high-risk AI systems to use reasonable care to protect against any known or reasonably foreseeable risks of algorithmic discrimination. The following key definitions apply:

• “Consumer” means an individual who is a Colorado resident.
• “Developer” means a person doing business in Colorado that develops or intentionally and substantially modifies an AI system.
• “Deployer” means a person doing business in Colorado that deploys (uses) a high-risk AI system.
• “High-risk AI system” means a system that when deployed, makes, or is a substantial factor in making, a consequential decision.
• “Consequential decision” means a decision that has material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: educational enrollment or an education opportunity; employment or an employment opportunity; a financial or lending service; an essential government service; health-care services; housing; insurance; or a legal service.

The law imposes a number of specific obligations on developers and deployers to protect against algorithmic discrimination. For example, developers must provide instructions on how an AI system should be used and monitored, while deployers must conduct a detailed impact assessment on their use of the AI system. Certain obligations apply to both developers and deployers, with both subject to various transparency, disclosure, and reporting requirements. The law also provides an affirmative defense for developers and deployers that can show they have taken steps to address any discovered violations and that they are in compliance with a recognized risk management framework for AI, such as the National Institute of Standards and Technology (“NIST”) AI Risk Management Framework.

The law includes a number of exemptions. For example, the law specifically excludes certain technologies, ranging from calculators to some types of chatbots. It also exempts companies that employ fewer than 50 full-time employees from certain deployer responsibilities; however, this exemption is subject to various conditions. The law also includes a number of exemptions that are common in other consumer protection laws, such as an exemption for enabling compliance with law enforcement and exemptions for companies subject to similar requirements under sector-specific laws.

The law does not include a private right of action. The Colorado Attorney General has exclusive enforcement authority and may seek up to $20,000 per violation. The Colorado Attorney General is also authorized to promulgate rules under the law on certain topics.