Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In Brief

On May 17, 2024 Colorado Governor Polis signed the landmark Colorado AI Act (Senate Bill 24-205) into law. Colorado is now the first US state with comprehensive AI regulation, adopting a classification system like the European Union’s recent AI Act. The law will take effect February 1, 2026.

The law exempts small employers (fewer than fifty full-time employees) from some of its requirements but otherwise requires companies to take extensive measures to protect Colorado residents against harms such as algorithmic discrimination.

In Detail

SB 205 requires “developers” and “deployers” of “high-risk artificial intelligence systems” to use “reasonable care” to protect Colorado resident consumers from any known or reasonably foreseeable risks of “algorithmic discrimination.” As written, the law most likely applies to both creators of high-risk AI systems, as well as employers adopting high-risk AI technologies within their organization. 

Key definitions in SB 205

  • High-Risk AI System: A system that when deployed, makes, or is a substantial factor in making, a “consequential decision.”
  • Consequential Decision: A decision that has “material legal or similarly significant effect” on the provision or denial to any consumer of, or the cost or terms of:
    • Educational enrolment or an education opportunity;
    • Employment or an employment opportunity;
    • A financial or lending service;
    • An essential government service;
    • Health-care services;
    • Housing;
    • Insurance; or
    • A legal service.
  • Deployer: A person doing business in Colorado that deploys a high-risk AI system. This presumably includes employers (with more than 50 employees) in the state.
  • Developer: A person doing business in Colorado that develops or intentionally and substantially modifies an AI system.
  • Consumer: An individual who is a Colorado resident.
  • Classification system: SB 205 adopts similar classifications as exist under the EU AI Act, classifying entities as either a Developer or a Deployer. The role of an entity impacts the attendant obligations.
Obligations under SB 205DevelopersDeployers
Detailed documentation requirementsRequiredNot required
Risk management policy specifying and incorporating the principles, processes and personnel that the deployer uses to identify, document and mitigate known or reasonably foreseeable risks of algorithmic discriminationNot requiredRequired
Detailed impact assessment completed pursuant to the requirements of SB 205Not requiredRequired
Direct notice to the consumer in plain languageRequiredRequired
Disclosure of consequential decisionsNot requiredRequired
Reporting to the state Attorney GeneralRequiredRequired
Disclosure of AI systems that interact with consumersRequiredRequired
  • Risk Management Framework: Highlighting the importance of aligning AI governance to a standardized risk management framework, such as the NIST AI Risk Management Framework, the new law requires companies to comply with a standard risk management framework in order to assert an affirmative defense in response to an enforcement action.
  • Enforcement: SB 205 does not have a private right of action. The Colorado Attorney General has exclusive enforcement authority and may seek up to $20,000 per violation of the law. In the case of an enforcement action, the law creates an affirmative defense for businesses that can show they have taken steps to address any discovered violations, and that they are in compliance with a national or international risk management framework for AI.

Next Steps

We recommend that organizations that develop or deploy AI systems in Colorado:

  • Review existing AI governance to confirm it conforms to a standardized risk management framework.
  • Draft and implement a risk management policy and program if deploying a high-risk AI system in the organization.
  • Identify AI systems that the company is developing or using that make “consequential decisions” pursuant to SB 205 (e.g. this may include deploying AI technologies in HR decision-making activities like recruiting, hiring and performance management).
  • Establish processes for detecting and mitigating algorithmic bias arising from their use of such AI systems.
  • Prepare documentation required by SB 205 based on the role of the entity as set forth above.

The Colorado Attorney General is authorized to promulgate rules on the legislation and we will continue to monitor and report updates. We note that it is likely the law may serve as a model for other state legislatures across the US, or for states with pending regulation to move forward quickly.

Our cross-functional team of experts is available to support your organization in developing or deploying AI systems in a responsible manner. Please contact your Baker McKenzie attorney with questions.

Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Caroline Burnett is a Knowledge Lawyer in Baker McKenzie’s North America Employment & Compensation Group. Caroline is passionate about analyzing trends in US and global employment law and developing innovative solutions to help multinationals stay ahead of the curve.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Susan Eandi is the head of Baker McKenzie's Global Employment and Labor Law practice group for North America, and chair of the California Labor & Employment practice group. She speaks regularly for organizations including ACC, Bloomberg, and M&A Counsel. Susan has been published extensively in various external legal publications in addition to handbooks/magazines published by the Firm. Susan has been recognized as a leader in employment law by The Daily Journal, Legal 500, PLC and is a Chambers ranked attorney.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.