UPDATE — AUGUST 2025: Colorado’s groundbreaking AI law — Senate Bill 24-205, the Colorado Artificial Intelligence Act — was signed by Governor Jared Polis on May 17, 2024. It remains set to take effect on February 1, 2026.
This first-in-the-nation law requires developers and deployers of high-risk AI systems to meet strict accountability standards. Obligations include transparency disclosures, annual impact assessments, consumer notifications, and safeguards against discrimination.
In 2025, lawmakers tried to delay and revise the Act through Senate Bill 25-318. That effort failed in May, leaving the original provisions intact. Rulemaking and stakeholder consultations continue as the state prepares for rollout.
ORIGINAL NEWS STORY:
Colorado Governor Signs Landmark AI Consumer Protection Bill into Law
In an update to a story we brought to you earlier this month, state lawmakers in Colorado have successfully passed and the Governor has signed into law a bill aimed at protecting customers from artificial intelligence (AI). The bill, titled “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems”, establishes regulations and requirements for developers and deployers of high-risk AI systems in Colorado to safeguard consumers from algorithmic discrimination.
Algorithmic discrimination is defined as instances where an AI system results in unlawful differential treatment or impacts that disfavor individuals based on protected characteristics like race, gender, age, and other traits. A high-risk AI system is identified as any AI system that plays a substantial role in making consequential decisions that have material legal or significant effects on areas such as education, employment, financial services, healthcare, housing, and more. The bill outlines distinct requirements for developers, who create or substantially modify AI systems, and deployers, who use or deploy high-risk AI systems.
Developer Duties
Developers must take reasonable care to prevent algorithmic discrimination. They must also provide deployers with detailed documentation. This includes the system’s purpose, intended uses, data sources, and results of discrimination testing. Public disclosure is required. Developers must identify the high-risk systems they build and explain how they manage risks. If they discover discrimination risks, they must notify the Colorado Attorney General and affected deployers within 90 days.
Deployer Duties
Deployers of high-risk AI also face strict requirements. They must create risk management programs, perform annual impact assessments, and use reasonable care to avoid algorithmic discrimination. When AI makes a consequential decision about a consumer, the deployer must notify the individual. If the decision is adverse, the consumer has a right to know why and to appeal or correct the data used. Deployers must also disclose the high-risk systems they use, explain risk management practices, and report discrimination to the Attorney General within 90 days.
Exemptions and Enforcement
The law provides exemptions for research, national security, and regulated financial institutions that already follow equivalent frameworks. Enforcement falls under the Colorado Attorney General. In the first year, violators will receive a notice period to fix issues before penalties apply. The law also allows affirmative defenses. Developers and deployers can avoid liability if they show compliance with approved risk frameworks and correct problems through testing, feedback, or internal review. The Attorney General has rulemaking power to shape requirements on documentation, notices, impact assessments, and risk management.
Need Help?
If you’re wondering how Colorado’s new law, or any other AI legislation around the world, could impact you, don’t hesitate to reach out to BABL AI. Their Audit Experts are ready to provide valuable assistance while answering your questions and concerns.
