Proposed Amendments to the Colorado AI Act
As the regulatory landscape for artificial intelligence (AI) continues to evolve, Colorado is considering significant changes to its recently enacted AI Act. Following nearly a year-long effort by the state’s Artificial Intelligence Impact Task Force, the proposed Senate Bill 318 aims to address concerns that the AI Act was too broad and could stifle innovation. The bill seeks to overhaul the AI Act by narrowing its focus and materially reducing the compliance burden on in-scope businesses.
Key Proposed Changes
- Revised Definitions: The bill amends several key definitions, including the redefinition of “algorithmic discrimination” to mean “the use of an artificial intelligence system that results in a violation of any applicable local, state, or federal anti-discrimination law.” Additionally, the definition of developer is amended to exclude individuals offering systems with open model weights or those meeting specific conditions, such as not promoting consequential decisions and including disclaimers in documentation.
- New & Broadened Exemptions: One of the most impactful amendments is the new exemption for deployers using high-risk AI systems solely for recruitment, sourcing, or hiring of external candidates, provided certain conditions regarding employee count and disclosures are met. Given the prevalence of AI-powered recruitment tools across human resource departments, many businesses could benefit significantly from this exemption. Furthermore, certain developer disclosure requirements do not apply to developers meeting specific financial criteria—such as generating less than $10 million from third-party investors and less than $5 million in annual revenue—who sell high-risk AI systems that deployers use for a limited number of consequential decisions per year, with the limit decreasing from 10,000 in 2027 to 2,500 in 2029.
- Modified Duties: The prior requirement for developers and deployers to notify the attorney general of known or foreseeable risks of algorithmic discrimination appears to have been eliminated, simplifying compliance obligations.
- Enhanced Deployer Obligations (with limitations): In-scope deployers are now required to implement a risk management policy and program, completing annual impact assessments. The content of these assessments must explicitly analyze risks related to accessibility, unfair trade practices, labor law violations, or violations of the Colorado Privacy Act. Deployers using high-risk AI systems for consequential decisions must provide consumers with disclosures detailing the system’s purpose, developer information, and a plain language description of the system’s role and data evaluation process. For adverse consequential decisions, a single notice must disclose the principal reasons for the decision, the system’s contribution, categories of adverse data, and consumer rights regarding personal data correction.
- New Notification Requirement for Withheld Information: Businesses that withhold information otherwise subject to disclosure under the AI Act are required to notify the affected individuals, stating the basis for withholding and providing any non-exempt information.
- Delayed Enforcement: The attorney general will have exclusive authority to enforce the Act; however, this authority will not commence until January 1, 2027. Affirmative defenses are available for businesses that discover and rectify a curable violation within seven days, provided they meet specific criteria such as inadvertence affecting fewer than 1,000 consumers.
This proposed bill represents a significant refinement of Colorado’s approach to AI regulation, exempting more businesses from its scope and adjusting compliance timelines and requirements for developers and deployers. As similar broad AI algorithmic bias laws are pending in other states, these amendments may offer a potential blueprint for navigating the complexities of governing AI systems in the future.
