On May 17, 2024, Colorado Governor Jared Polis signed into law SB 24-205, entitled Consumer Protections for Artificial Intelligence, which will become effective on February 1, 2026. The law applies to developers and deployers of high-risk AI systems doing business in Colorado.

Under the statute, “developer” means a person doing business in Colorado that develops or intentionally and substantially modifies an AI system; and “deployer” means a person doing business in Colorado that uses a high-risk AI system.  Employers can qualify as deployers. The law defines “high-risk AI systems” as those that make or are a substantial factor in making consequential decisions. It further defines a “substantial factor” as a factor that assists in making a consequential decision, is capable of altering the outcome of a consequential decision, and is generated by an AI system. High-risk AI systems do not include an AI system if the AI system is intended to perform a narrow procedural task, or detect decision-making patterns or deviations from prior-decision making patterns and is not intended to replace or influence a previously completed human assessment without sufficient human review. This is the most comprehensive law to date governing US employers’ use of automated decision-making tools.  

The law prioritizes preventing algorithmic discrimination, giving rise to specific developer and deployer duties and responsibilities. Specifically, the law presents a rebuttable presumption that reasonable care was used if developers and deployers meet certain requirements and publicly disclose certain information about high-risk AI systems.

Developer Duties: Developers will be required to make available to users of their AI systems or other developers:

  • General statements on high-risk AI systems’ uses.
  • Summaries of training data, purpose, benefits, and limitations.
  • Documentation on evaluation, data governance, intended outputs, risk mitigation, and usage guidelines.

Deployer Duties:  All deployers, regardless of company size, will be required to: 

  • Review the deployment of each high-risk AI system at least annually for evidence of algorithmic discrimination.
  • Provide consumers information about consequential decisions concerning that consumer made by high-risk AI systems.
  • Provide consumers an opportunity to correct any incorrect personal data that may have been used in making such consequential decision, as well as an opportunity to appeal any adverse consequential decisions concerning the consumer from the high-risk AI system.

The statute defines “consequential decisions” to include decisions that have a “material legal or similarly significant effect on the provision or denial to any consumer of…employment or an employment opportunity.” This language suggests a broad application to employment practices beyond hiring, promotion, or termination.

Deployer Duties for Certain Organizations:  The following duties apply only tocompanies that (1) employ fewer than 50-full time employees; (2) do not use the deployers’ own data to train the high-risk AI system, and (3) use the high-risk AI system only for the intended uses disclosed by the deployer: 

  • Implement a risk management policy and program that specifies and incorporates the principles, processes and personnel that the deployer uses to identify documents and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The policy and program must be systematically reviewed and updated.
  • Complete an impact assessment for the high-risk AI system at least annually and within 90 days after any intentional and substantial modification to the high-risk AI system is made available.
  • Make available on the deployer’s website a statement summarizing the type of high-risk AI systems that are currently being used, how the deployer manages risks of algorithmic discrimination, and the extent of information collected and used by the deployer.

The law also requires both developers and deployers to comply with federal, state or municipal laws, ordinance, or regulations. The law leaves exclusive enforcement to the Colorado State Attorney General, including discretion under the statute to implement further rulemaking. Although the new law does not go into effect until February 1, 2026, developers and deployers may wish to consider preparing documentation to meet the obligations of the law before its effective date.

Ballard Spahr’s Labor and Employment group regularly works with companies to make sure their policies are in compliance with state laws. Please contact us if you have any questions or would like our assistance to review your policies.