On May 17, 2024, Governor Jared Polis signed into law Colorado Senate Bill 24-205 (SB205), pioneering a comprehensive regulatory framework for artificial intelligence (AI) systems. This landmark legislation, among the first of its kind in the United States, imposes rigorous standards on businesses employing "high-risk" AI tools in critical sectors like employment, housing, finance, education, and healthcare. In his signing statement, Governor Polis expressed concerns about potential impacts on technological innovation, calling for further refinement of the bill's provisions and advocating for a cohesive federal approach to AI regulation. Understanding this new law is crucial for entities operating in Colorado looking to minimize their legal risk and promote compliance.
Key Provisions of SB205
Under this new law, entities using high-risk AI systems must establish and implement risk management policies, conduct thorough impact assessments, and provide specific notices to consumers by February 1, 2026. These new requirements are intended to promote transparency, accountability, and equity in the use of AI technology by companies doing business in the state of Colorado.
The law grants exclusive enforcement authority to the Colorado attorney general, categorizing violations as unfair and deceptive trade practices. The attorney general is also authorized to promulgate rules for implementation and enforcement of the law's provisions, including the design and content of required consumer notices.
This approach to AI governance reflects broader regulatory trends emerging nationally, and similar legislation has been proposed in other states this year, including California, Connecticut, and Virginia.
What Is a High-Risk AI System?
The new law broadly defines a "high-risk artificial intelligence system" as one that "makes, or is a substantial factor in making, a consequential decision," and a "consequential decision" is defined as one having a "material legal or similarly significant effect" on the availability or cost of a variety of different services available to consumers, including housing, financial, employment, or government services.
New Obligations for Developers and Deployers of AI
SB205 also imposes new obligations on persons or organizations that are developers or deployers of high-risk AI systems. AI developers must provide documentation and public disclosures about their AI systems, including reporting any detected or reasonably foreseeable algorithmic discrimination to the Colorado attorney general. Most critically, to be considered a developer under the new law, a person does not have to be the original creator of an AI system; that term includes a person doing business in the state of Colorado who either develops or "intentionally and substantially modifies" an AI system.
Deployers of a high-risk AI system have similar obligations. They must establish rigorous risk management protocols, conduct annual impact assessments, and inform consumers about the use and impact of high-risk AI tools, providing opt-out options and avenues for redress. The law permits deployers to leverage internationally recognized standards to meet many compliance requirements, including the AI Risk Management Framework established by the National Institute of Standards and Technology (NIST).
Navigating Exemptions and Compliance Challenges
SB205 includes exemptions and exclusions tailored for small businesses and specific AI tools. Small businesses using high-risk AI systems may qualify for exemption if they do not train AI with their own data. There are many technologies that may utilize AI but are nonetheless excluded from being classified as "high-risk" under certain conditions. These include technologies used in cybersecurity, identity management, and daily business operations. However, navigating these provisions will be intricate.
The enactment of SB205 marks a significant regulatory shift in AI technologies, and even Colorado's elected leadership is uncertain about its ultimate impact on the Colorado business community. In his signing statement, Governor Polis expressed concerns about potential impacts on technological innovation, calling for further refinement of the bill's provisions and advocating for a cohesive federal approach to AI regulation. Prompt action by businesses may be necessary to align operations with these new requirements.
Given the complexity and wide-ranging implications of this new law, businesses operating in Colorado or utilizing modern technology systems impacting Colorado residents should seek expert legal counsel. Our team of experienced attorneys and policy advisors can provide tailored guidance, aiding in understanding SB205's intricacies, devising compliance strategies, and mitigating potential risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.