Big Week for AI Regulation as Colorado Governor Passes First AI Regulation in the US

AI Regulation

This week was quite eventful for AI regulation. It kicked off and wrapped up with major updates from Colorado. On May 20, 2024, the Colorado state legislature passed a bill titled “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205), now known as the Colorado AI Law. Then, on Friday, Governor Jared Polis signed the bill into law, albeit with some reservations, as he mentioned in his letter to the legislature. While Colorado is the first in the U.S. to pass such broad AI legislation, Governor Polis has urged Congress to step in with a national regulatory framework before the state law takes effect on February 1, 2026.

The week also saw other significant moves. On May 21, 2024, Senate Intelligence Committee Chairman Mark Warner reached out to companies involved in the AI Elections Accord, seeking details about their efforts to prevent AI from being used for election interference. Wednesday, May 22, brought the release of a comprehensive report from the Bi-Partisan Senate AI Working Group, outlining their vision for federal AI policy. The U.S. Department of Labor also issued guidelines on “Artificial Intelligence and Worker Well-being.”

There’s still uncertainty about whether Congress can establish a federal AI regulatory regime that overrides emerging state and local laws. Meanwhile, Colorado’s proactive stance sets a benchmark that others might follow if Congress doesn’t take charge.

Meanwhile, over a dozen of the world’s leading artificial intelligence firms made fresh safety commitments at a global summit in Seoul, conducted by the UK and South Korea this week. The agreement – “Frontier AI Safety Commitments” – was signed by 16 tech firms – which include ChatGPT-maker OpenAI, Google DeepMind and Anthropic. It builds on the consensus reached at the inaugural global AI safety summit at Bletchley Park in Britain last year.

Colorado AI Law Overview

Despite bipartisan support in Congress for AI legislation, it’s state and local lawmakers who are leading the charge, much like they did with consumer privacy laws. Just in the first six weeks of 2024, over 400 AI-specific bills were introduced across U.S. state legislatures. While many of these were put on hold, Colorado’s AI Law stands out. It places Colorado alongside New York City as a pioneer in AI regulation.

Who’s Affected by the Colorado AI Law?

The law applies to any entity operating in Colorado that develops or uses “High-Risk Artificial Intelligence Systems” (HAIS). This includes both “Deployers” and “Developers” of AI systems, with specific duties for each. Notably, nonprofits and government bodies are also covered under this law.

Compliance Timeline

Organizations have until February 1, 2026, to comply with the new regulations.

What AI Technologies Are Covered?

The law targets AI systems that significantly influence decisions with major legal or other significant impacts, like those affecting education, employment, and financial services. However, it excludes certain routine AI applications and systems that don’t replace human decision-making without proper review.

Consumer Protections

The law aims to protect Colorado residents, granting them transparency rights, the ability to correct data used in significant decisions, and the right to appeal such decisions to a human reviewer.

Developer and Deployer Obligations

Developers must document and disclose information about their AI systems, including training data, intended uses, and potential risks. They must also notify the Attorney General about any known risks of algorithmic discrimination.

Deployers must implement risk management programs and conduct impact assessments. They also have transparency obligations, such as notifying consumers about the use of AI in consequential decisions and providing a clear statement on their website about their AI practices.

Exemptions and Enforcement

Certain AI systems regulated by federal agencies or used by the federal government are exempt. Healthcare recommendations generated by AI and used by covered entities under HIPAA also have specific exemptions.

The Colorado Attorney General has the sole authority to enforce the law, with potential penalties for violations including significant civil fines.

Broader Context and Comparisons

The Colorado AI Law is part of a broader trend toward regulating AI, echoing efforts seen in the European Union’s AI Act. While the EU’s regulations are more comprehensive and prescriptive, Colorado’s law represents a significant step in the U.S.

Meanwhile, the federal government is also moving forward, with the bipartisan Senate AI Working Group releasing a roadmap for AI policy. This group, led by key Senate leaders, aims to push forward AI legislation, particularly concerning election interference.

Key Takeaways

Colorado’s AI Law emphasizes responsible AI development and proactive risk management. It builds on the state’s existing privacy laws but extends beyond personal data to include broader AI risks. While it sets a new standard, the law also leaves much up to the Attorney General’s rulemaking, adding some uncertainty for developers.

This law could serve as a national model unless Congress steps in with overarching federal regulations. For now, Colorado’s approach, alongside the NIST AI Risk Management Framework, provides a benchmark for responsible AI practices.

If you need help or have any questions, please get in touch with Allan RooneyTim DavisSteve WilanskySumangali Rudrakumaror Lauri O’Callaghan, or call us at +1 212 545 8022.

 

Read more insights from the Rooney Law team here.

© 2024 Rooney Law. All rights reserved. Rooney Law PC is an international corporate law firm. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. Nothing herein shall create an attorney-client relationship between the reader and Rooney Law PC.

 

 

Related Articles

Scroll to Top
gdpr