Proposed Amendments to the Colorado AI Act

As the regulatory landscape for AI continues to evolve, Colorado is considering significant changes to its recently enacted AI Act (our broader summary of the Act is available here).  Senate Bill 318 - which follows nearly a year-long effort by the state’s Artificial Intelligence Impact Task Force to address concerns that the AI Act was so far-reaching that it would stifle innovation – would overhaul the AI Act, narrowing its focus and materially reducing the compliance burden on in-scope businesses.

Key Proposed Changes:

• Revised Definitions: The bill amends several key definitions. For example, “algorithmic discrimination” has been redefined to mean “the use of an artificial intelligence system that results in a violation of any applicable local, state, or federal anti-discrimination law…”. The definition of "developer" is amended to exclude persons offering systems with open model weights or meeting specified conditions, e.g., if they do not engage in material conduct or statements promoting the use of the system in making consequential decisions and include specific disclaimers in contracts and documentation stating the system is not designed for consequential decisions, and that deployers are responsible for compliance if they use it for such purposes. Certain specified technologies are exempted from the definition of "high-risk artificial intelligence system" unless they make or are a substantial factor in making a consequential decision.
• New & Broadened Exemptions: Perhaps the most impactful of the amendments is the new exemption for deployers using high-risk AI systems solely for recruitment, sourcing, or hiring of external candidates, provided that certain conditions regarding employee count and disclosures are met. Given the prevalence of AI-powered recruitment tools, and the high-rate of adoption across human resource departments, many businesses stand to benefit from this exemption. Certain developer disclosure requirements do not apply to a developer that meets specific financial criteria (less than $10M from third-party investors, less than $5M annual revenue, operating less than 5 years) and that sells or distributes high-risk AI systems that deployers use to make a limited number of consequential decisions per year, with the limit decreasing annually from 10,000 in 2027 to 2,500 in 2029. Also, compliance with the Fair Credit Reporting Act or federal prudential regulators for banks/credit unions also provides exemptions or deems compliance with the AI Act.
• Modified Duties: A prior requirement for developers/deployers to notify the attorney general of known/foreseeable risks of algorithmic discrimination appears to have been eliminated.
• Enhanced Deployer Obligations (with limitations): While the amendments would water down a number of the requirements of the AI Act, particularly those applicable to developers, deployers would now face certain heightened obligations. In-scope AI deployers must implement a risk management policy and program and complete annual impact assessments. The required content of impact assessments now explicitly includes analyzing risks of limiting accessibility, unfair trade practices, labor law violations, or Colorado Privacy Act violations. Deployers using high-risk AI systems for consequential decisions must provide consumers with disclosures about the system's purpose, name, developer, deployer contact, and a plain language description of the system's role and data evaluation process. For adverse consequential decisions, deployers must provide a single notice disclosing the principal reasons, the system's contribution, categories/sources of adverse data, consumer rights regarding personal data correction, and an opportunity to appeal non-time-limited/non-competitive adverse decisions based on incorrect data or unlawful information/inferences. Importantly, many of the deployer obligations apply only to high-risk AI systems that make, or are the principal basis for making, consequential decisions. "Principal basis" means making a decision without meaningful human involvement. This is a materially narrower concept than the current “substantial factor” standard.
• New Notification Requirement for Withheld Information: In-scope businesses that withhold information that would otherwise be subject to disclosure under the AI Act, will be required to notify the individual that would otherwise have a right to receive the information stating the basis for the withholding, and provide non-exempt information.
• Delayed Enforcement: The attorney general has exclusive authority to enforce the Act, but this authority does not begin until January 1, 2027. Affirmative defenses are available for businesses that discover and cure a curable violation within seven days or that were otherwise compliant and meet specific criteria, including inadvertence, affecting fewer than 1,000 consumers, and no negligence.

This proposed bill represents a significant refinement of Colorado's approach to AI regulation, exempting more businesses from its scope, and adjusted compliance timelines and requirements for developers and deployers. With similar broad AI algorithmic bias laws pending in other states, these amendments offer a potential blueprint for how states may navigate the complexities of governing AI systems moving forward.