Search for:
Cybersecurity, Data and Tech

North America: From Brussels to Boulder – Colorado enacts comprehensive AI law on the heels of European Union’s AI Act with significant obligations for businesses and employers

By , , , and 4 Mins Read

In brief

On 17 May 2024, Colorado Governor Polis signed the landmark Colorado AI Act (Senate Bill 24-205) (“SB 205“) into law. Colorado is now the first US state with comprehensive AI regulation, adopting a classification system like the EU’s recent AI Act. The law will take effect 1 February 2026. 

The law exempts small employers (less than 50 full-time employees) from some of its requirements, but it otherwise requires organizations to take extensive measures to protect Colorado residents against harms such as algorithmic discrimination.
 

In detail

SB 205 requires “developers” and “deployers” of “high-risk artificial intelligence systems” to use “reasonable care” to protect Colorado resident consumers from any known or reasonably foreseeable risks of “algorithmic discrimination.” As written, the law most likely applies to both creators of high-risk AI systems and employers adopting high-risk AI technologies within their organization.

Key definitions in SB 205

  • High-risk AI system: a system that, when deployed, makes, or is a substantial factor in making, a “consequential decision”
  • Consequential decision: a decision that has “material legal or similarly significant effect” on the provision or denial to any consumer of, or the cost or terms of, the following:
    • Educational enrolment or an education opportunity
    • Employment or an employment opportunity
    • A financial or lending service
    • An essential government service
    • Healthcare services
    • Housing
    • Insurance
    • A legal service
  • Deployer: a person doing business in Colorado that deploys a high-risk AI system (presumably including employers with more than 50 employees in the state)
  • Developer: a person doing business in Colorado that develops or intentionally and substantially modifies an AI system 
  • Consumer: an individual who is a Colorado resident

Classification system: SB 205 adopts similar classifications as those under the EU AI Act, classifying entities as either a developer or a deployer. The role of an entity impacts the attendant obligations. 

Risk management framework: Highlighting the importance of aligning AI governance to a standardized risk management framework, such as the NIST AI Risk Management Framework, the new law requires organizations to comply with a standard risk management framework in order to assert an affirmative defense in response to an enforcement action. 

Enforcement: SB 205 does not have a private right of action. The Colorado Attorney General has exclusive enforcement authority and may seek up to USD 20,000 per violation of the law. In the case of an enforcement action, the law creates an affirmative defense for businesses that can show they have taken steps to address any discovered violations and that they comply with a national or international risk management framework for AI.

Next steps

We recommend that organizations that develop or deploy AI systems in Colorado perform the following actions: 

  • Review existing AI governance to confirm it conforms to a standardized risk management framework
  • Draft and implement a risk management policy and program if deploying a high-risk AI system in the organization 
  • Identify AI systems that the company is developing or using that make “consequential decisions” pursuant to SB 205 (e.g., this may include deploying AI technologies in HR decision-making activities like recruiting, hiring and performance management)
  • Establish processes for detecting and mitigating algorithmic bias arising from their use of AI systems
  • Prepare documentation required by SB 205 based on the role of the entity as set forth above

The Colorado Attorney General is authorized to promulgate rules on the legislation, and we will continue to monitor and report updates. We note that it is likely the law may serve as a model for other state legislatures across the US or for states with pending regulation to move forward quickly. 

Our cross-functional team of experts is available to support your organization in developing or deploying AI systems in a responsible manner. Please contact your Baker McKenzie attorney with questions.

Categories:
Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in M&A and technology transactions. He is the lead of the Firm's North America Technology Transactions group and co-leads the group globally. Adam also served as a law clerk to the Honorable Leslie H. Southwick of the US Court of Appeals for the Fifth Circuit and the Honorable Theresa L. Springmann of the US District Court for the Northern District of Indiana.

Author

Cynthia Cole is an Intellectual Property Partner in Baker McKenzie's Palo Alto office, as well as a former CEO and General Counsel. Before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in digital transformation, data privacy, and cybersecurity strategy. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields. She acts as outside general counsel to a number of executive teams and boards of directors.

Author

Susan Eandi is the Chair of Baker McKenzie's North America Employment and Compensation Practice Group, head of the Global Employment and Labor Law Practice for North America, and a member of the North America Regional Management Council. She also serves on the Firm's Antiracism Legal Impact Board.
Susan speaks regularly for organizations including ACC, Tech GC, Silicon Valley AGC and World Business Council for Sustainable Development. Susan publishes extensively in various external legal publications in addition to handbooks/magazines published by the Firm.
Susan is a recognized leader in employment law by International Employment Lawyer, The Daily Journal, Legal 500 PLC and is a Chambers-ranked attorney.

Author

Brian Hengesbaugh is Chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.

Author

Cristina G. Messerschmidt is an associate in the Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.

Related Posts