Insights

From Code to Compliance: Essential Steps to Adapt to Colorado’s New AI Law

From Code to Compliance: Essential Steps to Adapt to Colorado’s New AI Law

Oct 01, 2024
Download PDFDownload PDF
Print
Share

Summary

On May 17, 2024, Colorado’s Governor Jared Polis signed into law The Colorado AI Act (SB205).  SB205 will take effect on February 1, 2026, and regulates the use of certain high-risk artificial intelligence (AI) systems. While the 2026 effective date could lull companies into thinking that preparing for the law can wait, its complex requirements will demand timing and planning to address. Additionally, Colorado is not the only US state to step into the ring of AI regulation and enforcement, and many of the steps needed to prepare for the SB205 will help build a compliance foundation for meeting other emerging laws.

To help companies begin this process, we have prepared an overview of the law and identified essential compliance steps businesses should take now.

Applicability and Key Definitions

SB205 applies to all Colorado businesses that develop or deploy AI systems. The law requires developers (with the exception of certain small businesses with fewer than 50 employees) and deployers of “high-risk” AI systems to use “reasonable care” to protect consumers from risks of “algorithmic discrimination.”

Developers are generally the organizations that develop/create AI products subject to the law, and the deployers are users of such technology.   “Algorithmic discrimination” means any condition that results in unlawful differential treatment or impact based on actual or perceived age, color, disability, ethnicity, genetic information, language barriers, national origin, race, religion, reproductive health, sex, veteran status, or other classification. Finally, a “High-Risk AI System” means any AI system that makes, or is a substantial factor in making, a decision that materially affects the provision or denial, or the cost or terms of:

  • Educational enrollment or an education opportunity
  • Employment or an employment opportunity
  • A financial or lending service
  • An essential government service
  • Healthcare services
  • Housing
  • Insurance
  • A legal service

These definitions are key in terms of understanding not only what AI systems would be within the scope of the law, but also because SB205 imposes different obligations on developers and deployers, as summarized below.

  Developers Deployers
Duty of Care Use reasonable care to protect consumers from known or foreseeable risks of algorithmic discrimination by complying with SB205  
Risk Management Policy & Program   Implement a risk management program to manage algorithmic discrimination risks
Public Disclosures Provide documentation that discloses the purpose, intended use, data used, and potential risks of the AI system  
Disclosures to Consumers Disclose to consumers who interact with the AI system that they are interacting with an AI system.
  • Disclose to consumers who interact with the AI system that they are interacting with an AI system and
  • Inform consumers when high-risk systems are involved with consequential decisions and explain the system’s purpose and process
Disclosures to Deployers Make available statements on the AI system’s uses, limitations, and governance measures to ensure compliance with state and federal laws  
Impact Assessments Make available to a deployer of a high-risk system the necessary documentation and information to complete impact assessments Conduct impact assessments of the high-risk systems, both annually and following a substantial modification
Annual Review   Conduct annual reviews of the deployment of each high-risk system to ensure the system is not causing algorithmic discrimination
Notification of Algorithmic Discrimination Disclose to the Colorado Attorney General and all known deployers within 90 days of discovering that the high-risk system is likely to cause or has caused algorithmic discrimination Disclose to the Colorado Attorney General within 90 days of discovering a high-risk system has caused algorithmic discrimination

SB205 will be enforced exclusively by the Colorado Attorney General, with certain exceptions and safe harbors. There is no private right of action, but substantial penalties of up to $20,000 per violation of the law may be imposed.

How to Prepare

Although SB205 does not take effect until February 1, 2026, companies should not delay in preparing particularly because competing laws will certainly come into play and also demand time and resources. 

Key steps should include:

Develop Institutional AI Literacy

Roll-out foundational training, AI 101, for your core business and operational functions.  This step will ensure a shared understanding of the technology, its advantages, and potential risks.  This foundational education will also empower every employee, within their respective roles, to engage with AI responsibly and effectively. 

Building on this foundation, we also recommend that organizations provide specialized training tailored to specific roles.  For example, training for HR professionals should focus on leveraging AI for talent acquisition, performance evaluation, and employee engagement while emphasizing ethical considerations and bias mitigation, as well as applicable legal requirements.

Develop an AI Inventory for Your Business

Meaningful compliance cannot begin until organizations understand what AI systems are developed, used, or deployed in their business.  Creating a comprehensive AI inventory should begin with gathering stakeholders from various departments to gain a factual understanding of how AI plays a role in their business lines. Assemble stakeholders from Human Resources, Information Technology, and other relevant departments to assess their current AI usage, and utilize experience gained from the similar exercise of data mapping to help streamline the process.

This effort is particularly important in the HR space, where AI fueled tools gained early traction.  According to research from SHRM (Society for Human Resource Management), nearly half of the surveyed HR professionals say that using AI as a support tool has become a greater priority over the last 12 months. One in four employers use AI for HR-related activities, with talent acquisition being the primary area for its use.  Additionally, 33% of HR professionals use AI to review or screen applicant resumes.  Despite this relatively high rate of AI adoption for HR tasks, many in-house legal departments are often not informed or consulted about the use of these tools. Therefore, it is crucial to collaborate with HR stakeholders to identify which AI tools are currently deployed.

Risk-Rate Your AI Inventory

Evaluate the AI tools identified in your inventory to determine whether they are classified as "high-risk" and understand how they are utilized. Businesses must then ensure compliance with the new law depending on their classifications as developers and/or deployers. This assessment should include the potential impact of each AI system on privacy, fairness, and transparency. Implementing risk mitigation strategies, such as regular audits, will be essential. Additionally, consider establishing a framework/governance model for ongoing monitoring of AI tools to address emerging risks as technology evolves.

Be Prepared for Change

The steps outlined above are important starting points for address this complex law, but companies should adopt an approach that allows for flexibility.   Governor Polis stated in his signing letter that he was signing the bill into law “with reservations” due to provisions of the law that in his assessment could hinder development and innovation.  Thus, it will be important for organizations to be ready for updates to the law (and/or the passage of additional laws) and start with baseline steps that will support their compliance efforts.  


We will continue to monitor and provide updates on this topic. If you have any questions about Colorado AI Act and how it affects your business, please contact our experienced attorneys at BCLP. Our team is prepared to help your business navigate these new regulations.


Celeste Charlet contributed to this article.

Related Practice Areas

  • Data Privacy & Security

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.