The Colorado AI Act ushers in European-style AI legislation across the pond

Just as Europe pushed comprehensive privacy laws to America through the General Data Protection Regulation, European principles in the EU AI Act, enacted in March, are now in the United States. Colorado has become the first U.S. state with comprehensive artificial intelligence (AI) legislation, SB 24-205, effective Feb. 1, 2026. The Act is a harbinger of comprehensive AI legislation that will soon dominate the U.S. landscape. Over a quarter of U.S. states have proposed AI legislation, including California, which is currently drafting regulations on automated decision-making.

The Colorado AI Act applies to all "developers" and "deployers" of "high-risk AI systems" that do business in Colorado, even non-profits, and protects all Colorado residents (consumers), including employees. Similar to the EU AI Act, Colorado takes a risk-based approach and follows other principles of the EU AI Act, including transparency, preventing algorithmic discrimination, and imposing differing obligations for developers and deployers.
The Act defines "artificial intelligence systems" as any machine-based system that infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations that can influence physical or virtual environments.
"High-risk artificial intelligence systems" are defined as any AI system that makes or is a substantial factor in making a consequential decision. High-risk AI systems exclude those that are intended to (i) perform narrow procedural tasks or (ii) detect decision-making patterns or deviations from prior decision-making patterns and are not intended to replace or influence human assessment or review. The statute also excludes certain technologies, such as anti-fraud, anti-malware, anti-virus, firewalls, cybersecurity software, and spam filtering.
"Consequential decisions" are decisions that have a material legal or similarly significant effect on the provision or denial to any Colorado consumer of, or the cost or terms of, (a) education enrollment or opportunity, (b) employment or employment opportunity, (c) financial or lending services, (d) essential government services, (e) healthcare services, (f) housing, (g) insurance, or (h) legal services.

DEVELOPERS VERSUS DEPLOYERS

"Developers" are those doing business in Colorado that develop or intentionally and substantially modify an AI system, while "deployers" are those doing business in Colorado that deploy a high-risk AI system. Both developers and deployers of high-risk AI systems must use reasonable care to protect consumers from any algorithmic discrimination and report such discrimination to the Colorado Attorney General (AG) within 90 days of discovery. "Algorithmic discrimination" means use of an AI system that results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of any actual or perceived classification protected under Colorado or federal laws.
Companies using high-risk AI systems are also subject to a number of transparency, disclosure, reporting, and other obligations depending on their role as a developer or deployer.
Developers must:
• Make available a general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk AI system and documentation that includes certain disclosures.
• Provide information to assist deployers in completing impact assessments.
• Provide a notice on its website including certain disclosures of high-risk AI systems developed or intentionally and substantially modified by the developer.
Deployers must, with limited exceptions:
• Implement and maintain a risk management policy and program regarding algorithmic discrimination.
• Complete an impact assessment annually and within 90 days after any intentional and substantial modification to the high-risk AI system is made available.
• Annually review the deployment of each high-risk AI system so that there is no algorithmic discrimination.
• Provide notices to consumers containing specific disclosures.
• Provide consumers with certain rights where the high-risk AI system makes or is a substantial factor in making a consequential decision that is adverse to the consumer.

ENFORCEMENT

Violations of the Colorado AI Act constitute an unfair trade practice under State law. However, the Act provides several affirmative defenses for violations, including complying with the latest AI Risk Management Framework published by the National Institute of Standards and Technology or another substantially equivalent nationally recognized risk management framework for AI systems or any risk management framework for AI systems that the Colorado AG may designate.
The Act does not provide for a private right of action; instead providing the Colorado AG with exclusive enforcement authority, including the right to audit entities and the authority to issue rules as necessary for the purpose of implementing and enforcing the Act.

KEY TAKEAWAYS

• The Colorado AI Act may spur other states to push through AI laws. In preparation for this growing trend, companies should proactively:
• Identify whether any high-risk AI systems are being or will be developed or used by the company;
• Develop or update existing AI governance policies and procedures to comply with a nationally or internationally recognized AI risk management framework;
• Draft and implement a risk management policy and program if deploying a high-risk AI system;
• Prepare public-facing notices on the development or use of a high-risk AI system;
• Establish processes for detecting and mitigating algorithmic bias arising from use of high-risk AI systems;
• Establish processes for impact assessments, if deploying a high-risk AI system; and
• Establish processes to notify authorities of algorithmic discrimination caused or reasonably likely caused by a high-risk AI system.
The push to use AI and the corresponding influx of regulations affects all companies. Currently, required assessments and other documentation fall heavily on the shoulders of AI developers, but all companies using high-risk AI systems may soon be subject to increased regulatory scrutiny and should analyze their exposure in anticipation of expanding AI legislation.

Sharon R. Klein, Alex C. Nisenbaum, and Karen H. Shin are California-based members of Blank Rome's Privacy, Security & Data Protection team. They can be reached at sharon.klein@blankrome.com, alex.nisenbaum@blankrome.com, and karen.shin@blankrome.com.