Colorado’s Artificial Intelligence Act (CAIA) Updates: A Summary of Consumer Protections
The Colorado General Assembly passed Senate Bill 24-205, known as the Colorado Artificial Intelligence Act (CAIA), during the 2024 legislative session. This law, effective February 1, 2026, mandates that developers and deployers of high-risk AI systems must safeguard Colorado residents, referred to as “consumers,” from the risks of algorithmic discrimination.
Importantly, the Act requires that consumers be informed when they are interacting with an AI system. Concerns raised by Colorado Governor Jared Polis in 2024 suggest that legislators may refine key definitions and update compliance structures before the Act’s enforcement.
Background
A high-risk AI system is defined as any machine-based system that derives outputs from data inputs and significantly impacts the provision, denial, cost, or terms of a product or service. The statute outlines various sectors where consequential decisions are made, such as healthcare, employment, financial or credit, housing, insurance, and legal services.
CAIA includes exemptions for technologies performing specific functions, such as cybersecurity, data storage, and chatbots. Developers of AI systems are obligated to prevent algorithmic discrimination and protect consumers from foreseeable risks associated with these systems. Developers are required to provide documentation outlining both intended uses and potential harmful uses of high-risk AI systems.
Similarly, deployers—entities doing business in Colorado that utilize high-risk AI systems—face stricter regulations. They must inform consumers when AI is involved in significant decisions, implement risk management policies, and report any identified discrimination to the Attorney General’s Office within 90 days. Consumers must also have the ability to appeal AI-based decisions or request human review when feasible.
Data Privacy and Consumer Rights
Under CAIA, consumers possess the right to opt out of data processing related to AI-based decisions, impacting subsequent automated decision-making and the processing of personal data profiling. Deployers must disclose to consumers when a high-risk AI system influences a decision leading to an adverse outcome.
Exemptions
The CAIA outlines several exemptions, particularly for entities operating under existing regulatory frameworks, such as insurers, banks, and HIPAA-covered entities. However, HIPAA-covered entities are exempt only when providing healthcare recommendations generated by AI systems that do not qualify as high risk. Small businesses employing fewer than 50 full-time employees are also exempt, provided they do not train the system using their own data.
Updates
In its February 1, 2025, report, the Colorado AI Impact Task Force highlighted the need for additional changes to CAIA before its enforcement. Current concerns revolve around ambiguities, compliance burdens, and stakeholder feedback. The Governor has expressed worries that existing guardrails may stifle innovation and AI advancement within the state.
The report advocates for refining documentation and notification requirements but reveals less consensus on adjusting the definition of consequential decisions. Both industry representatives and the public seek revisions to the exemptions for covered systems.
Potential changes to CAIA may depend on how interconnected sections are revised concerning related provisions. For instance, redefining algorithmic discrimination could influence the obligations of developers and deployers to prevent such discrimination. The intervals for impact assessments might also be significantly affected by modifications to the definition of intentional and substantial modification to high-risk AI systems.
Furthermore, disagreements persist regarding several definitions, including “substantial factor” and “duty of care,” which are critical in determining the scope of AI technologies subject to CAIA. Other contentious topics include the small business exemption, opportunities for rectifying compliance incidents, trade secret exemptions, consumer appeal rights, and the scope of attorney general rulemaking.
Guidance
Given the consensus among stakeholders that changes are essential, any business affected by CAIA should closely monitor legislative developments that could significantly alter the scope and requirements of the Act.
Takeaways
Businesses should evaluate whether they or their vendors utilize AI systems that might be classified as high-risk under CAIA. Recommendations include:
- Assessing AI usage to ascertain compliance with CAIA definitions, including available exemptions.
- Conducting an AI risk assessment aligned with the Colorado AI Act.
- Developing an AI compliance plan consistent with CAIA consumer protections regarding notification and appeal processes.
- Continuing to monitor updates to CAIA.
- Reviewing contracts with AI vendors to ensure necessary documentation is provided by developers or deployers.
Colorado is at the forefront as one of the first states in the U.S. to implement comprehensive AI legislation. Other states are likely to observe Colorado’s progress and may enact similar laws or improvements as needed. Thus, monitoring CAIA and its implementation is crucial in the rapidly evolving landscape of consumer-focused AI systems affecting significant decisions in areas such as healthcare, finance, education, housing, and employment.
