Colorado Artificial Intelligence Law: Enforcement and Exceptions
Melissa Krasnow | June 20, 2024
The Colorado artificial intelligence (AI) law ("Colorado AI law") will take effect on February 1, 2026. This article discusses enforcement of and exceptions to the Colorado AI law.
Enforcement of the New Colorado AI Law
Notwithstanding C.R.S. § 6-1-103, the Colorado attorney general has exclusive authority to enforce the Colorado AI law. C.R.S. § 6-1-1706(1).
In any action commenced by the Colorado attorney general to enforce the Colorado AI law, it is an affirmative defense that the developer, deployer, or other person (a) discovers and cures a violation of the Colorado AI law as a result of (i) feedback that the developer, deployer, or other person encourages deployers or users to provide to the developer, deployer, or other person, (ii) adversarial testing or red teaming, as those terms are defined or used by the National Institute of Standards and Technology, or (iii) an internal review process, and (b) is otherwise in compliance with (i) the latest version of the "Artificial Intelligence Risk Management Framework" published by the National Institute of Standards and Technology in the US Department of Commerce and Standard ISO/IEC 42001 of the International Organization for Standardization, (ii) another nationally or internationally recognized risk management framework for AI systems, if the standards are substantially equivalent to or more stringent than the requirements of the Colorado AI law, or (iii) any risk management framework for AI systems that the Colorado attorney general, in the Colorado attorney general's discretion, may designate and, if designated, shall publicly disseminate. C.R.S. § 6-1-1706(3). A developer, a deployer, or other person bears the burden of demonstrating to the Colorado attorney general that the requirements in § 6-1-1706(3) have been satisfied. C.R.S. § 6-1-1706(4).
Nothing in the Colorado AI law, including the enforcement authority granted to the Colorado attorney general under C.R.S. § 6-1-1706, preempts or otherwise affects any right, claim, remedy, presumption, or defense available at law or in equity. C.R.S. § 6-1-1706(5).
A rebuttable presumption or affirmative defense established under the Colorado AI law applies only to an enforcement action brought by the Colorado attorney general pursuant hereto and does not apply to any right, claim, remedy, presumption, or defense available at law or in equity. C.R.S. § 6-1-1706(5).
Except as provided in C.R.S. § § 6-1-1706(3), a violation of the requirements in the Colorado AI law constitutes an unfair trade practice pursuant to C.R.S. § 6-1-105(1)(hhhh), and, according to C.R.S. § 6-1-105(1)(hhhh), a person engages in a deceptive trade practice when, in the course of the person's business, vocation, or occupation, the person violates the Colorado AI law. C.R.S. § 6-1-1706(2). C.R.S. § 6-1-113(1) provides for a civil action for any claim against any person who has engaged in or caused another to engage in any deceptive trade practice listed in this article. C.R.S. § 6-1-113(1). But according to C.R.S. § 6-1-1706(6), the Colorado AI law does not provide the basis for, and is not subject to, a private right of action for violations of the Colorado AI law or any other law. C.R.S. § 6-1-1706(6).
The Colorado attorney general may promulgate rules as necessary for the purpose of implementing and enforcing the Colorado AI law. C.R.S. § 6-1-1706(6).
Exceptions to the New Colorado AI Law
Nothing in the Colorado AI law restricts a developer's, a deployer's, or other person's ability to (a) comply with federal, state, or municipal laws, ordinances, or regulations, (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, a state, a municipal, or other governmental authority, (c) cooperate with a law enforcement agency concerning conduct or activity that the developer, deployer, or other person reasonably and in good faith believes may violate federal, state, or municipal laws, ordinances, or regulations, (d) investigate, establish, exercise, prepare for, or defend legal claims, (e) take immediate steps to protect an interest that is essential for the life or physical safety of a consumer or another individual, (f) by any means other than the use of facial recognition technology, prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or illegal activity; investigate, report, or prosecute the persons responsible for any such action; or preserve the integrity or security of systems, (g) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is conducted in accordance with 45 C.F.R. 46, as amended, or relevant requirements established by the federal Food and Drug Administration (FDA), (h) conduct research, testing, and development activities regarding an AI system or model, other than testing conducted under real-world conditions, before the AI system or model is placed on the market, deployed, or put into service, as applicable, or (i) assist another developer, deployer, or other person with any of the obligations imposed under the Colorado AI law. C.R.S. § 6-1-1705(1).
The obligations imposed on developers, deployers, or other persons under the Colorado AI law do not restrict a developer's, a deployer's, or other person's ability to (a) effectuate a product recall, or (b) identify and repair technical errors that impair existing or intended functionality. C.R.S. § 6-1-1705(2).
The obligations imposed on developers, deployers, or other persons under the Colorado AI law do not apply where compliance with the Colorado AI law by the developer, deployer, or other person would violate an evidentiary privilege under the laws of Colorado. C.R.S. § 6-1-1705(3).
Nothing in the Colorado AI law imposes any obligation on a developer, a deployer, or other person that adversely affects the rights or freedoms of a person, including the rights of a person to freedom of speech or freedom of the press that are guaranteed in (a) the First Amendment to the US Constitution, or (b) Section 10 of Article II of the Colorado Constitution. C.R.S. § 6-1-1705(4).
Nothing in the Colorado AI law applies to a developer, a deployer, or other person (a) insofar as the developer, deployer, or other person develops, deploys, puts into service, or intentionally and substantially modifies, as applicable, a high-risk AI system (i) that has been approved, authorized, certified, cleared, developed, or granted by a federal agency, such as the federal Food and Drug Administration (FDA) or the Federal Aviation Administration (FAA), acting within the scope of the federal agency's authority, or by a regulated entity subject to the supervision and regulation of the Federal Housing Finance Agency (FHFA), or (ii) in compliance with standards established by a federal agency, including standards established by the federal Office of the National Coordinator for Health Information Technology, or by a regulated entity subject to the supervision and regulation of the FHFA, if the standards are substantially equivalent or more stringent than the requirements of the Colorado AI law, (b) conducting research to support an application for approval or certification from a federal agency, including the FAA, the Federal Communications Commission, or the federal FDA or research to support an application otherwise subject to review by the federal agency, (c) performing work under, or in connection with, a contract with the US Department of Commerce (DOC), the US Department of Defense (DOD), or the National Aeronautics and Space Administration (NASA), unless the developer, deployer, or other person is performing the work on a high-risk AI system that is used to make, or is a substantial factor in making, a decision concerning employment or housing, or (d) that is a covered entity within the meaning of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d to 1320d-9, and the regulations promulgated under the federal act, as both may be amended from time to time, and is providing healthcare recommendations that (i) are generated by an AI system, (ii) require a healthcare provider to take action to implement the recommendations, and (iii) are not considered to be high risk. C.R.S. § 6-1-1705(5).
Nothing in the Colorado AI law applies to any AI system that is acquired by or for the federal government or any federal agency or department, including the US DOC, the US DOD, or NASA, unless the AI system is a high-risk AI system that is used to make, or is a substantial factor in making, a decision concerning employment or housing. C.R.S. § 6-1-1705(6).
An insurer, as defined in C.R.S. § 10-1-102(13); a fraternal benefit society, as described in C.R.S. § 10-14-102; or a developer of an AI system used by an insurer is in full compliance with the Colorado AI law if the insurer, the fraternal benefit society, or the developer is subject to the requirements of C.R.S. § 10-3-1104.9 and any rules adopted by the commissioner of Insurance pursuant to C.R.S. § 10-3-1104.9. C.R.S. § 6-1-1705(7).
A bank, out-of-state bank, credit union chartered by Colorado, federal credit union, out-of-state credit union, or any affiliate or subsidiary thereof is in full compliance with the Colorado AI law if the bank, out-of-state bank, credit union chartered by Colorado, federal credit union, out-of-state credit union, or affiliate or subsidiary is subject to examination by a state or federal prudential regulator under any published guidance or regulations that apply to the use of high-risk AI systems and the guidance or regulations (i) impose requirements that are substantially equivalent to or more stringent than the requirements imposed in the Colorado AI law, and (ii) at a minimum, require the bank, out-of-state bank, credit union chartered by Colorado, federal credit union, out-of-state credit union, or affiliate or subsidiary to (a) regularly audit the bank's, out-of-state bank's, credit union chartered by Colorado's, federal credit union's, out-of-state credit union's, or affiliate's or subsidiary's use of high-risk AI systems for compliance with state and federal antidiscrimination laws and regulations applicable to the bank, out-of-state bank, credit union chartered by Colorado, federal credit union, out-of-state credit union, or affiliate or subsidiary, and (b) mitigate any algorithmic discrimination caused by the use of a high-risk AI intelligence system or any risk of algorithmic discrimination that is reasonably foreseeable as a result of the use of a high-risk AI system. C.R.S. § 6-1-1705(8)(a). As used herein, (i) "affiliate" has the meaning set forth in C.R.S. § 11-101-401(3.5), (ii) "bank" has the meaning set forth in C.R.S. § 11-101-401 (5), (iii) "credit union" has the meaning set forth in C.R.S. § 11-30-101 (1)(a), and (iv) "out-of-state bank" has the meaning set forth in C.R.S. § 11-101-401 (50). C.R.S. § 6-1-1705(8)(b).
If a developer, a deployer, or other person engages in an action pursuant to any such exemption, the developer, deployer, or other person bears the burden of demonstrating that the action qualifies for the exemption. C.R.S. § 6-1-1705(9).
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
