From Code to Compliance: Essential Steps to Adapt to Colorado’s New AI Law
Oct 01, 2024
Summary
On May 17, 2024, Colorado’s Governor Jared Polis signed into law The Colorado AI Act (SB205). SB205 will take effect on February 1, 2026, and regulates the use of certain high-risk artificial intelligence (AI) systems. While the 2026 effective date could lull companies into thinking that preparing for the law can wait, its complex requirements will demand time and planning to address. Additionally, Colorado is not the only US state to step into the ring of AI regulation and enforcement, and many of the steps needed to prepare for SB205 will help build a compliance foundation for meeting other emerging laws.
To help companies begin this process, we have prepared an overview of the law and identified essential compliance steps businesses should take now.
Applicability and Key Definitions
SB205 applies to all Colorado businesses that develop or deploy AI systems. The law requires developers (with the exception of certain small businesses with fewer than 50 employees) and deployers of “high-risk” AI systems to use “reasonable care” to protect consumers from risks of “algorithmic discrimination.”
Developers are generally the organizations that develop/create AI products subject to the law, and the deployers are users of such technology. “Algorithmic discrimination” means any condition that results in unlawful differential treatment or impact based on actual or perceived age, color, disability, ethnicity, genetic information, language barriers, national origin, race, religion, reproductive health, sex, veteran status, or other classification. Finally, a “High-Risk AI System” means any AI system that makes, or is a substantial factor in making, a decision that materially affects the provision or denial, or the cost or terms of:
- Educational enrollment or an education opportunity
- Employment or an employment opportunity
- A financial or lending service
- An essential government service
- Healthcare services
- Housing
- Insurance
- A legal service
These definitions are key in terms of understanding not only what AI systems would be within the scope of the law, but also because SB205 imposes different obligations on developers and deployers, as summarized below.
| | Developers | Deployers |
| Duty of Care | Use reasonable care to protect consumers from known or foreseeable risks of algorithmic discrimination by complying with SB205 | |
| Risk Management Policy & Program | Implement a risk management program to manage algorithmic discrimination risks | |
| Public Disclosures | Provide documentation that discloses the purpose, intended use, data used, and potential risks of the AI system | |
| Disclosures to Consumers | Disclose to consumers who interact with the AI system that they are interacting with an AI system. | |
| Disclosures to Deployers | Make available statements on the AI system’s uses, limitations, and governance measures to ensure compliance with state and federal laws | |
| Impact Assessments | Make available to a deployer of a high-risk system the necessary documentation and information to complete impact assessments | Conduct impact assessments of the high-risk systems, both annually and following a substantial modification |
| Annual Review | Conduct annual reviews of the deployment of each high-risk system to ensure the system is not causing algorithmic discrimination | |
| Notification of Algorithmic Discrimination | Disclose to the Colorado Attorney General and all known deployers within 90 days of discovering that the high-risk system is likely to cause or has caused algorithmic discrimination | Disclose to the Colorado Attorney General within 90 days of discovering a high-risk system has caused algorithmic discrimination |
SB205 will be enforced exclusively by the Colorado Attorney General, with certain exceptions and safe harbors. There is no private right of action, but substantial penalties of up to $20,000 per violation of the law may be imposed.
How to Prepare
Although SB205 does not take effect until February 1, 2026, companies should not delay in preparing, particularly because competing laws will certainly come into play and also demand time and resources.
Key steps should include:
Develop Institutional AI Literacy
Roll out foundational training, AI 101, for your core business and operational functions. This step will ensure a shared understanding of the technology, its advantages, and potential risks. This foundational education will also empower every employee, within their respective roles, to engage with AI responsibly and effectively.
Building on this foundation, we also recommend that organizations provide specialized training tailored to specific roles. For example, training for HR professionals should focus on leveraging AI for talent acquisition, performance evaluation, and employee engagement while emphasizing ethical considerations and bias mitigation, as well as applicable legal requirements.
Develop an AI Inventory for Your Business
Meaningful compliance cannot begin until organizations understand what AI systems are developed, used, or deployed in their business. Creating a comprehensive AI inventory should begin with gathering stakeholders from various departments to gain a factual understanding of how AI plays a role in their business lines. Assemble stakeholders from Human Resources, Information Technology, and other relevant departments to assess their current AI usage, and utilize experience gained from the similar exercise of data mapping to help streamline the process.
This effort is particularly important in the HR space, where AI-fueled tools gained early traction. According to research from SHRM (Society for Human Resource Management), nearly half of the surveyed HR professionals say that using AI as a support tool has become a greater priority over the last 12 months. One in four employers use AI for HR-related activities, with talent acquisition being the primary area for its use. Additionally, 33% of HR professionals use AI to review or screen applicant resumes. Despite this relatively high rate of AI adoption for HR tasks, many in-house legal departments are often not informed or consulted about the use of these tools. Therefore, it is crucial to collaborate with HR stakeholders to identify which AI tools are currently deployed.
Risk-Rate Your AI Inventory
Evaluate the AI tools identified in your inventory to determine whether they are classified as "high-risk" and understand how they are utilized. Businesses must then ensure compliance with the new law depending on their classifications as developers and/or deployers. This assessment should include the potential impact of each AI system on privacy, fairness, and transparency. Implementing risk mitigation strategies, such as regular audits, will be essential. Additionally, consider establishing a framework/governance model for ongoing monitoring of AI tools to address emerging risks as technology evolves.
Be Prepared for Change
The steps outlined above are important starting points for addressing this complex law, but companies should adopt an approach that allows for flexibility. Governor Polis stated in his signing letter that he was signing the bill into law “with reservations” due to provisions of the law that in his assessment could hinder development and innovation. Thus, it will be important for organizations to be ready for updates to the law (and/or the passage of additional laws) and start with baseline steps that will support their compliance efforts.
We will continue to monitor and provide updates on this topic. If you have any questions about the Colorado AI Act and how it affects your business, please contact our experienced attorneys at BCLP. Our team is prepared to help your business navigate these new regulations.
Celeste Charlet contributed to this article.