Colorado Enacts Groundbreaking AI Legislation

Why This Alert Is Important

The Colorado AI Act represents a significant advancement in the regulation of artificial intelligence within the United States. Signed into law by Governor Jared Polis on May 17, with its major provisions set to take effect on February 1, 2026, this pioneering legislation specifically addresses the deployment of high-risk AI systems within the public sector, setting a new precedent in the regulatory landscape.

Overview of the Colorado AI Legislation 

The Colorado AI Act is notable for being the first state-level legislation in the U.S. targeting AI systems deployed in the public sector. The Act defines a covered high-risk AI system as one that "makes, or is a substantial factor in making a consequential decision." Such decisions are characterized by their material legal or significant impact on services such as education, employment, financial services, government services, healthcare, housing, insurance, or legal services.

Under this legislation, both developers and deployers of AI systems are assigned specific duties. Developers must ensure their AI systems are free from algorithmic discrimination, providing necessary disclosures and documentation about the system, including the type of data used for training, known limitations, and risk mitigation measures. Deployers, on the other hand, are required to implement a robust risk management policy and program, which must be planned, implemented, and continually reviewed and updated throughout the lifecycle of the AI system.

The law mandates transparency from both developers and deployers, requiring them to post statements online or in a public use case inventory that summarize how they manage the risks associated with algorithmic discrimination. Compliance with these requirements is crucial, as violations are treated as breaches of Colorado's general consumer protection statute and can result in civil penalties of up to USD 20,000 per violation.
 

What the Colorado AI Act Covers

The Colorado AI Act introduces several critical requirements:
- Definition of High-Risk AI Systems: The Act focuses on high-risk AI systems, defined as those making consequential decisions impacting essential services. Organizations deploying such systems should carefully evaluate their AI applications to determine if they fall under this category.
- Prevention of Algorithmic Discrimination: To prevent algorithmic discrimination, developers are obliged to use reasonable care during the creation of AI systems. They must provide deployers with comprehensive documentation detailing the AI system’s training data, known limitations, and risk mitigation strategies to ensure that AI systems do not unlawfully discriminate based on protected characteristics such as age, race, gender, disability, and more.
- Risk Management Policies: Deployers must establish and maintain a risk management policy and program. This program must be iterative, systematically reviewed, and updated regularly throughout the AI system's lifecycle.
- Transparency Requirements: Both developers and deployers must publicly disclose how they manage algorithmic discrimination risks. This transparency fosters trust and accountability, ensuring that stakeholders understand the measures in place to prevent discrimination.
- Penalties for Non-Compliance: Non-compliance with the Colorado AI Act is subject to stringent penalties, treated as violations of Colorado's consumer protection laws. Organizations found in breach of the Act could face civil penalties of up to USD 20,000 per violation, underscoring the importance of adherence to the new regulations.
 

The Colorado AI Act signifies a pivotal moment in AI governance within the United States, marking a trend toward stringent AI regulations. Businesses must now prioritize robust risk management and transparency to avoid hefty penalties. This law aligns with global movements, notably the EU AI Act approved on May 21, 2024, reflecting a growing emphasis on ethical AI deployment. Companies operating in multiple jurisdictions must navigate these complex frameworks to ensure compliance, highlighting the importance of proactive governance and continuous monitoring to mitigate risks and prevent algorithmic discrimination in high-stakes decision-making processes.

Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
