Colorado Passed the Artificial Intelligence Act (“CAIA”)

Colorado Passed the Artificial Intelligence Act (“CAIA”)

On May 8, 2024, the Colorado Legislature passed the Colorado Artificial Intelligence Act (“CAIA”), SB 205, which is awaiting Governor Jared Polis’s signature to become law. This groundbreaking legislation would make Colorado the first state to comprehensively regulate the use of artificial intelligence (“AI”), especially in high-risk applications. If the CAIA becomes law, it will take effect on February 1, 2026. The Attorney General may choose to create regulations, although it’s not mandatory. The bill lists specific topics that could be covered by these regulations.
The Act introduces Part 16 into Colorado’s Consumer Protection Act, focusing primarily on anti-discrimination in high-risk AI systems. It applies to developers and deployers of these systems within Colorado. “Developers” are those who create or significantly modify AI systems, while “deployers” are those who put high-risk AI systems into operation.
High-risk AI systems are defined as those that significantly influence consequential decisions, such as those impacting education, employment, financial services, healthcare, housing, insurance, or legal services. Notably, certain technologies like anti-fraud tools without facial recognition, anti-malware, databases, and AI-enhanced video games are exempt unless they directly influence such decisions.
The Act defines “consequential decisions” as those with significant legal or similar effects on consumers, such as access to education or employment opportunities, financial services, healthcare, housing, insurance, or legal services.
The CAIA outlines specific duties for developers of high-risk AI systems within Colorado. Developers are required to exercise reasonable care to protect consumers from potential algorithmic discrimination resulting from the intended and agreed-upon uses of their AI systems. Which include:
  • Algorithmic Discrimination Definition. The Act defines “algorithmic discrimination” as any unlawful differentiation or adverse impact on individuals or groups based on protected characteristics such as age, race, disability, or other legally protected statuses.
  • Duty of Care. Developers must adhere to a standard of care to mitigate algorithmic discrimination risks. They are presumed to have exercised reasonable care if they comply with the requirements laid out in this section.
  • Documentation Requirements. Developers must provide deployers (those who implement AI systems) with comprehensive documentation, including:
    • A statement detailing foreseeable and harmful uses of the AI system.
    • Information on data used for training, system limitations, and evaluation methods for performance and discrimination mitigation.
    • Additional necessary documentation for monitoring and impact assessment.
  • Public Transparency. Developers must maintain a public inventory or website section outlining the types of high-risk AI systems they develop and how they manage potential discrimination risks.
  • Disclosure Obligation. If a developer becomes aware that their AI system has caused or may cause algorithmic discrimination after deployment, they must promptly notify the Attorney General and all affected deployers within ninety days.
The CAIA outlines the responsibilities of deployers. Similar to developers, deployers are required to exercise reasonable care in safeguarding consumers against potential algorithmic discrimination. Compliance with the section’s requirements establishes a rebuttable presumption of reasonable care. This includes:
  • Risk Management Program. Deployers must establish and implement a risk management policy and program specific to their deployment of high-risk artificial intelligence systems. The Act specifies detailed requirements for this program.
  • Impact Assessment. Deployers must conduct an impact assessment for each high-risk AI system deployed, or contract with a third party to perform this assessment. The assessment guidelines are outlined in the legislation.
  • Consumer Notifications. When a high-risk AI system influences consequential decisions about consumers, deployers must notify affected consumers. This notification should include details about the system’s purpose, the nature of the decision, and information on opting out of profiling under the Colorado Privacy Act if applicable.
  • Appeal Process. If a high-risk AI system makes an adverse consequential decision about a consumer, the deployer must inform the consumer of this decision and provide an opportunity to appeal. The appeal process should ideally include a mechanism for human review, where technically feasible.
  • Website Disclosures. Deployers must maintain public disclosures on their websites. This includes summarizing the types of high-risk AI systems they currently deploy and how they manage foreseeable risks of algorithmic discrimination.
  • Exemptions. Certain small businesses are exempt from specific requirements like comprehensive risk management, impact assessments, and detailed website disclosures as outlined in the Act.
  • Reporting Obligation. Deployers must promptly inform the Attorney General if they discover that a deployed high-risk AI system has caused algorithmic discrimination, within a ninety-day period.
The CAIA mandates that deployers or developers making available an AI system designed to interact with consumers must disclose to consumers that they are interacting with such a system. This disclosure is required unless it is reasonably obvious to a typical person. Deployers or developers must inform consumers when they are interacting with an AI system. This disclosure ensures transparency in consumer interactions, except when the AI’s nature is apparent to the average person.
The CAIA details various exemptions, spanning over five pages in the legislation. Notably, the exemptions do not provide blanket immunity at the entity level. Instead, they hinge on whether the developer or deployer’s use of a high-risk AI system is already governed by other regulatory frameworks or comparable stringent laws and regulations.
The CAIA states that enforcement is exclusively overseen by the Colorado Attorney General, with no provision for private lawsuits.  The Attorney General is empowered to request specific documentation from developers and deployers during enforcement actions. During enforcement proceedings, the Attorney General can compel developers, deployers, or other relevant parties to provide documentation and information related to their compliance with the Act.
Entities accused of violations may assert an affirmative defense if they discover and promptly rectify the violation. Alternatively, compliance with recognized artificial intelligence risk management frameworks, such as NIST’s framework or other designated frameworks endorsed by the Attorney General, can also serve as a defense.
It will be interesting to see if other states follow Colorado in enacting AI legislation.
Explore our comprehensive CLIClaw Compliance Library for in-depth resources and insights.

(Image Credit: iStock Photo)

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.

Stay Ahead of What's Coming Next

CLIClaw helps you see regulations early, understand what it means, and act before it becomes a problem. Members get plain-English analysis, practical guidance, and early warnings on privacy and compliance issues that directly impact your business. If you work with consumer data, waiting is the riskiest option.
Become a CLIClaw Member
JOIN TODAY