In detail

SB 205 requires "developers" and "deployers" of "high-risk artificial intelligence systems" to use "reasonable care" to protect Colorado resident consumers from any known or reasonably foreseeable risks of "algorithmic discrimination." As written, the law most likely applies to both creators of high-risk AI systems and employers adopting high-risk AI technologies within their organization.

Key definitions in SB 205

• High-risk AI system: a system that, when deployed, makes, or is a substantial factor in making, a "consequential decision"
• Consequential decision: a decision that has "material legal or similarly significant effect" on the provision or denial to any consumer of, or the cost or terms of, the following:
  • Educational enrolment or an education opportunity
  • Employment or an employment opportunity
  • A financial or lending service
  • An essential government service
  • Healthcare services
  • Housing
  • Insurance
  • A legal service
• Deployer: a person doing business in Colorado that deploys a high-risk AI system (presumably including employers with more than 50 employees in the state)
• Developer: a person doing business in Colorado that develops or intentionally and substantially modifies an AI system 
• Consumer: an individual who is a Colorado resident

Classification system: SB 205 adopts similar classifications as those under the EU AI Act, classifying entities as either a developer or a deployer. The role of an entity impacts the attendant obligations. 

Risk management framework: Highlighting the importance of aligning AI governance to a standardized risk management framework, such as the NIST AI Risk Management Framework, the new law requires organizations to comply with a standard risk management framework in order to assert an affirmative defense in response to an enforcement action. 

Enforcement: SB 205 does not have a private right of action. The Colorado Attorney General has exclusive enforcement authority and may seek up to USD 20,000 per violation of the law. In the case of an enforcement action, the law creates an affirmative defense for businesses that can show they have taken steps to address any discovered violations and that they comply with a national or international risk management framework for AI.

Next steps

We recommend that organizations that develop or deploy AI systems in Colorado perform the following actions: 

• Review existing AI governance to confirm it conforms to a standardized risk management framework
• Draft and implement a risk management policy and program if deploying a high-risk AI system in the organization 
• Identify AI systems that the company is developing or using that make "consequential decisions" pursuant to SB 205 (e.g., this may include deploying AI technologies in HR decision-making activities like recruiting, hiring and performance management)
• Establish processes for detecting and mitigating algorithmic bias arising from their use of AI systems
• Prepare documentation required by SB 205 based on the role of the entity as set forth above

The Colorado Attorney General is authorized to promulgate rules on the legislation, and we will continue to monitor and report updates. We note that it is likely the law may serve as a model for other state legislatures across the US or for states with pending regulation to move forward quickly. 

Our cross-functional team of experts is available to support your organization in developing or deploying AI systems in a responsible manner. Please contact your Baker McKenzie attorney with questions.