Understanding the CAIA: Colorado's Groundbreaking Approach to AI Regulation
Thursday, June 20, 2024

The Colorado AI Act (CAIA) will take effect on Feb. 1, 2026, becoming the first comprehensive, risk-based approach to artificial intelligence (AI) regulation to be signed into law in the United States. This new legislation is intended to govern the use of AI systems in certain applications by private sector developers and deployers, with a stated goal of ensuring transparency, consumer rights, and accountability.

Scope

The CAIA primarily regulates the development and deployment of AI systems in particular applications; namely, what the CAIA defines as “high-risk AI systems”. According to a press release from the Colorado General Assembly: “The bill requires a developer of a high-risk artificial intelligence system (high-risk system) to use reasonable care to avoid algorithmic discrimination in the high-risk system. There is a rebuttable presumption that a developer used reasonable care if the developer complied with specified provisions in the bill.”
 

Key Concepts

Algorithmic Discrimination: The use of an AI system that results in unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of a protected status under Colorado or federal law. However, algorithmic discrimination does not include “expanding an applicant, customer, or participant pool to increase diversity or redress historical discrimination”.

High-Risk AI System (HRAIS): Any AI system that, when deployed, makes or is a substantial factor in making a consequential decision.

Consequential Decision: A decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of, educational opportunities, employment opportunities, financial or lending service, essential government service, healthcare services, housing, insurance, or legal services.

Developer: Any person or entity doing business in Colorado that develops or substantially modifies an AI system.

Deployer: Any person or entity doing business in Colorado that deploys a high-risk AI system.

Substantial Factor: A factor that assists in making a consequential decision or is capable of altering a consequential decision and is generated by an AI system.

Key Provisions of the Law

Algorithmic Discrimination: The CAIA prohibits the use of high-risk AI systems in a manner that results in unlawful differential treatment based on protected classes.

Risk Management: The CAIA requires deployers to implement and regularly update risk management policies to mitigate risks of algorithmic discrimination.

Transparency and Accountability: The CAIA is intended to ensure that both developers and deployers maintain transparency about the use and impact of high-risk AI systems.

Obligations for Developers and Deployers

Generally, the CAIA imposes the following obligations on developers and deployers:

Duty of Care: Both developers and deployers are required to exercise reasonable care to protect consumers from known or foreseeable risks of algorithmic discrimination.

Documentation and Disclosure: Developers must provide detailed documentation to deployers, including intended uses, known risks, data summaries, and mitigation measures. This documentation must also be made available to the attorney general upon request.

Public Statements: Deployers must maintain, on the deployer’s website, clear summaries of high-risk AI systems, including risk management strategies for algorithmic discrimination, and, “in detail,” the nature, source, and extent of the information collected and used by the deployer. The deployer has an affirmative obligation to periodically update this information.

Impact Assessments: Deployers must conduct annual impact assessments, detailing the AI system's purpose, risk of algorithmic discrimination, data usage, performance metrics, and post-deployment monitoring. These assessments must be retained for at least three years.

Consumer Rights

The CAIA provides consumers with the following rights:

Notice Prior to Deployment: Consumers must be informed if a high-risk AI system will be used to make consequential decisions about them. Interestingly, a deployer must provide notice “no later than the time the deployer deploys a HRAIS,” but the notice must inform the consumer “that the deployer has deployed a HRAIS”. 

Right to Explanation: If an adverse decision is made by a high-risk AI system, consumers have the right to receive an explanation detailing the system's role in the decision, the data used, and its sources.

Right to Correct and Appeal: Consumers can correct any inaccurate personal data used by the AI system and appeal decisions for human review if feasible.

Form of Notice: Notice must be provided directly to the consumer, in plain language, in all languages in which the deployer conducts its ordinary business, and in a format that is accessible to consumers with disabilities.

Enforcement and Compliance

Attorney General Authority: The attorney general has exclusive authority to enforce the CAIA, including rulemaking and ensuring compliance.

Incident Reporting: Developers and deployers must report any discovered algorithmic discrimination to the Attorney General without unreasonable delay.

Defenses and Safe Harbors: Developers and deployers may use compliance with nationally recognized risk management frameworks as a defense against enforcement actions.

Exemptions and Special Provisions

Federal Pre-Emption: AI systems approved by federal agencies, such as the U.S. Food and Drug Administration or Federal Aviation Administration, are exempt from certain CAIA requirements.

Trade Secret: The CAIA contains an exception stating that the notice and disclosure requirements do not require a deployer to disclose a trade secret or information protected from disclosure by state or federal law. However, if a deployer withholds information under this exception, the deployer must “notify the consumer and provide a basis for the withholding”.

Small Businesses: Small businesses (employing 50 or fewer full-time employees) are exempt from maintaining a risk management program or conducting impact assessments but must still adhere to duty of care and consumer notification requirements.

Given the range and scope of the CAIA, it’s likely to generate substantial compliance costs and will likely spawn a number of similar acts in other U.S. states, unless or until a federal statute that expressly pre-empts such statutes is enacted. Given the current state of progress on federal legislation, that is unlikely to happen soon.

Johnathan H. Taylor, Joseph "Joe" Damon, Leslie Green, Jackson Parese, Richard B. Levin, Kevin Tran, and Bobby Wenner contributed to this article.
