UPDATE — JULY 2025: Colorado’s AI consumer protection law—Senate Bill 24-205 (Colorado Artificial Intelligence Act)—was passed in May 2024, but its implementation remains under review as of mid-2025.
The law is set to take effect February 1, 2026, but Governor Jared Polis and state leaders have voiced concerns and sought to delay implementation to January 2027. A follow-up bill (SB 25-318) to push back the effective date and ease some requirements was defeated in May 2025, leaving the original law intact for now.
The law creates first-in-the-nation AI compliance obligations for developers and deployers of high-risk systems and will be enforced by the Colorado Attorney General.
Industry groups continue to seek refinements via rulemaking and guidance ahead of the 2026 enforcement date.
Colorado’s law has become a national model for algorithmic fairness and AI accountability, although its future remains shaped by regulatory negotiations and public feedback.
ORIGINAL NEWS STORY:
Colorado Lawmakers Pass Bill on Consumer Protection from AI
State lawmakers in Colorado have passed a bill that would protect customers from artificial intelligence (AI). The bill, titled “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems”, establishes regulations and requirements for developers and deployers of high-risk AI systems in Colorado to protect consumers from algorithmic discrimination.
Algorithmic discrimination is defined as occurring when an AI system results in unlawful differential treatment or impact that disfavors individuals based on protected characteristics like race, gender, age, and other traits. A high-risk AI system is defined as any AI system that makes, or is a substantial factor in making, a consequential decision that has a material legal or significant effect on areas such as education, employment, financial services, healthcare, housing, and more. The bill outlines separate requirements for developers, who create or substantially modify AI systems, and deployers, who use or deploy high-risk AI systems.
Developers
For developers of high-risk AI systems, the bill mandates that they use reasonable care to avoid algorithmic discrimination arising from the intended uses of their systems. They must provide documentation to deployers detailing the AI system’s capabilities, limitations, purpose, intended uses, training data, evaluations for discrimination risks, and more. Developers must also publicly disclose the types of high-risk AI systems they have developed and how they manage risks of algorithmic discrimination. Additionally, developers must disclose any known risks of algorithmic discrimination to the Colorado Attorney General and deployers within 90 days of discovery.
Deployers
As for deployers of high-risk AI systems, the key requirements are that they use reasonable care to avoid algorithmic discrimination and implement a risk management program to identify and mitigate discrimination risks. Deployers must conduct impact assessments of their deployed high-risk AI systems at least annually. When using a high-risk AI system to make consequential decisions about consumers, deployers must notify those consumers. For any adverse decisions, impacted consumers must be provided the reasons for the AI decision and an opportunity to correct data or appeal the decision. Deployers must also publicly disclose the types of high-risk AI systems they deploy and how discrimination risks are managed, as well as notify the Attorney General of any discovered algorithmic discrimination within 90 days.
The bill outlines exemptions for compliance with other laws, research activities, national security applications, regulated financial institutions following equivalent AI governance frameworks, and more. Enforcement is designated as an unfair trade practice violation under the authority of the Colorado Attorney General, with a transitional notice period in the first year for violators to correct issues before enforcement action. Affirmative defenses are allowed if developers and deployers adhere to designated AI risk management frameworks and self-correct violations through feedback mechanisms, testing, or internal reviews. The Attorney General can require documentation from developers and deployers, as well as promulgate rules to implement the bill’s provisions related to documentation, notices, impact assessments, risk management programs, and establishing requirements for rebuttable presumptions and affirmative defenses.