Signed by Governor Jared Polis

Vote Smart's Synopsis:

Vote to concur with house amendments and pass a bill that authorizes broad artificial intelligence (AI) regulations over employment decisions in Colorado.

Highlights:

• Authorizes broad artificial intelligence (AI) regulations over employment decisions and establishes requirements for both developers and deployers of “high-risk” AI systems in Colorado (Sec. 1-3).

• Defines “high-risk” as AI systems that make or significantly influence “consequential decisions” in areas such as employment, housing, credit, education, and healthcare (Sec. 1-3).

• Requires that disclosure requirements apply broadly to Colorado consumers affected by AI-driven consequential decisions, encompassing both Colorado consumers in the traditional sense and Colorado residents applying for jobs (Sec. 1-3).

• Establishes provisions related to AI explainability and transparency (Sec. 1-3).

• Requires AI deployers to provide Colorado consumers, including job applicants, with a statement disclosing the principal reasons for any adverse consequential decision made by a high-risk AI system, including the degree and manner in which the AI contributed to the decision, the type and source of data processed in making the decision, and an opportunity to correct any personal data used (Sec. 1-3).

• Specifies that AI deployers are also required to post a public statement on their website, summarizing the types of high-risk AI systems they currently deploy, how they manage risks of algorithmic discrimination, and the nature, source, and extent of information collected and used (Sec. 1-3).

• Authorizes exceptions to these disclosure requirements for certain deployers, such as those with fewer than 50 employees who meet specific criteria, and allows for the withholding of trade secrets or information protected from disclosure by law (Sec. 1-3).

• Requires that when an AI system is intended to interact with Colorado consumers, the deployer or developer must disclose to each consumer that they are interacting with an AI system unless it would be obvious to a reasonable person that they are interacting with AI (Sec. 1-3).

• Specifies that the  required notices, statements, contact information, and descriptions must be provided directly to consumers in plain language, in the same languages used by the deployer in the ordinary course of business, and in a format accessible to consumers with disabilities (Sec. 1-3).

• Authorizes Colorado consumers with the right to correct erroneous personal data used in making consequential decisions, as well as the right to appeal adverse decisions (Sec. ).

• Requires AI deployers to conduct impact assessments for high-risk AI systems, impact assessments will be required under the recently passed EU AI Act, and will be conducted as part of the federal government’s own internal AI risk management processes, recently finalized by the Office of Management and Budget it requires the impact assessment to include (Sec. 1-3):

• A description of the categories of data the system processes as inputs and the outputs it produces;

• An overview of the categories of data used to customize the system, if applicable;

• The metrics used to evaluate the system’s performance and known limitations; and

• A description of transparency measures taken, including measures to disclose the use of the system to consumers.

• Requires AI developers to provide AI deployers with key information about their high-risk AI systems. This includes a general statement describing the AI system’s reasonably foreseeable uses and known harmful or inappropriate uses, as well as documentation disclosing “high-level summaries of the type of data” used to train the system, the AI system’s known limitations and risks of algorithmic discrimination, and its purpose and intended benefits (Sec. 1-3).

• Requires AI developers must also provide deployers with documentation on how the system was evaluated for performance and bias mitigation before deployment, the data governance measures used, and the steps taken to mitigate known or foreseeable risks of algorithmic discrimination (Sec. 1-3).

• Requires AI developers and AI deployers to exercise “reasonable care” to protect Colorado consumers from “reasonably foreseeable risks of algorithmic discrimination.” and incentivizes various AI risk management practices that have long been the subject of discussion at the federal level (Sec. 1-3).

• Establishes and creates a rebuttable presumption that AI deployers and AI developers have exercised reasonable care if they have implemented certain risk management practices that are closely aligned with the NIST AI Risk Management Framework or other risk management frameworks that the Colorado Attorney General’s office might identify in its rulemaking efforts (Sec. 1-3).

• Authorizes an affirmative defense for employers who discover and cure a violation as a result of proactive measures such as user feedback, adversarial testing or red-teaming, or internal reviews, and who demonstrate compliance with these recognized AI risk management frameworks (Sec. 1-3).

• Specifies this combination of a rebuttable presumption and an affirmative defense creates strong incentives for employers to prioritize AI risk management and to proactively identify and address potential issues (Sec. 1-3).

Full Bill Text

Vote Smart's Synopsis:

Vote to amend and pass a bill that authorizes broad artificial intelligence (AI) regulations over employment decisions in Colorado.

Highlights:

• Authorizes broad artificial intelligence (AI) regulations over employment decisions and establishes requirements for both developers and deployers of “high-risk” AI systems in Colorado (Sec. 1-3).

• Defines “high-risk” as AI systems that make or significantly influence “consequential decisions” in areas such as employment, housing, credit, education, and healthcare (Sec. 1-3).

• Requires that disclosure requirements apply broadly to Colorado consumers affected by AI-driven consequential decisions, encompassing both Colorado consumers in the traditional sense and Colorado residents applying for jobs (Sec. 1-3).

• Establishes provisions related to AI explainability and transparency (Sec. 1-3).

• Requires AI deployers to provide Colorado consumers, including job applicants, with a statement disclosing the principal reasons for any adverse consequential decision made by a high-risk AI system, including the degree and manner in which the AI contributed to the decision, the type and source of data processed in making the decision, and an opportunity to correct any personal data used (Sec. 1-3).

• Specifies that AI deployers are also required to post a public statement on their website, summarizing the types of high-risk AI systems they currently deploy, how they manage risks of algorithmic discrimination, and the nature, source, and extent of information collected and used (Sec. 1-3).

• Authorizes exceptions to these disclosure requirements for certain deployers, such as those with fewer than 50 employees who meet specific criteria, and allows for the withholding of trade secrets or information protected from disclosure by law (Sec. 1-3).

• Requires that when an AI system is intended to interact with Colorado consumers, the deployer or developer must disclose to each consumer that they are interacting with an AI system unless it would be obvious to a reasonable person that they are interacting with AI (Sec. 1-3).

• Specifies that the  required notices, statements, contact information, and descriptions must be provided directly to consumers in plain language, in the same languages used by the deployer in the ordinary course of business, and in a format accessible to consumers with disabilities (Sec. 1-3).

• Authorizes Colorado consumers with the right to correct erroneous personal data used in making consequential decisions, as well as the right to appeal adverse decisions (Sec. ).

• Requires AI deployers to conduct impact assessments for high-risk AI systems, impact assessments will be required under the recently passed EU AI Act, and will be conducted as part of the federal government’s own internal AI risk management processes, recently finalized by the Office of Management and Budget it requires the impact assessment to include (Sec. 1-3):

• A description of the categories of data the system processes as inputs and the outputs it produces;

• An overview of the categories of data used to customize the system, if applicable;

• The metrics used to evaluate the system’s performance and known limitations; and

• A description of transparency measures taken, including measures to disclose the use of the system to consumers.

• Requires AI developers to provide AI deployers with key information about their high-risk AI systems. This includes a general statement describing the AI system’s reasonably foreseeable uses and known harmful or inappropriate uses, as well as documentation disclosing “high-level summaries of the type of data” used to train the system, the AI system’s known limitations and risks of algorithmic discrimination, and its purpose and intended benefits (Sec. 1-3).

• Requires AI developers must also provide deployers with documentation on how the system was evaluated for performance and bias mitigation before deployment, the data governance measures used, and the steps taken to mitigate known or foreseeable risks of algorithmic discrimination (Sec. 1-3).

• Requires AI developers and AI deployers to exercise “reasonable care” to protect Colorado consumers from “reasonably foreseeable risks of algorithmic discrimination.” and incentivizes various AI risk management practices that have long been the subject of discussion at the federal level (Sec. 1-3).

• Establishes and creates a rebuttable presumption that AI deployers and AI developers have exercised reasonable care if they have implemented certain risk management practices that are closely aligned with the NIST AI Risk Management Framework or other risk management frameworks that the Colorado Attorney General’s office might identify in its rulemaking efforts (Sec. 1-3).

• Authorizes an affirmative defense for employers who discover and cure a violation as a result of proactive measures such as user feedback, adversarial testing or red-teaming, or internal reviews, and who demonstrate compliance with these recognized AI risk management frameworks (Sec. 1-3).

• Specifies this combination of a rebuttable presumption and an affirmative defense creates strong incentives for employers to prioritize AI risk management and to proactively identify and address potential issues (Sec. 1-3).

Full Bill Text