Colorado AI Act (SB24-205)
Effective-date update (2025 amendments): originally set to take effect on 2026-02-01, the Act was postponed to 2026-06-30 following the 2025 legislative session. Certain provisions were also adjusted in response to industry concerns.
Summary
Section titled “Summary”The Colorado AI Act (SB24-205) was signed by Colorado Governor Jared Polis on 2024-05-17; following 2025 amendments, it enters into force on 2026-06-30. It is the first US comprehensive state AI anti-discrimination law. Its structure most closely resembles the EU AI Act’s high-risk-system framework:
- A definition of High-Risk AI System: one that plays a substantial role in a “consequential decision”.
- Dual-actor obligations: Developer (developer / supplier) + Deployer (deployer / user-side).
- Safeguards against algorithmic discrimination: a duty of reasonable care, impact assessments, transparency notices.
- Consumer rights: to be notified, to appeal, to correct, and to opt out of automated decisions.
Core concepts
Section titled “Core concepts”Consequential Decision
Section titled “Consequential Decision”A decision playing a substantial role in the provision, cost, or terms of any of the following for a consumer:
- Education enrolment / opportunity
- Employment / employment opportunity
- Financial or lending services
- Essential government services
- Healthcare services
- Housing
- Insurance
- Legal services
Developer obligations (§ 6-1-1702)
Section titled “Developer obligations (§ 6-1-1702)”Provide to Deployers:
- Intended use of the system, known limitations.
- A summary of the types of training / evaluation data.
- Identified risks and mitigations.
- The impact assessment that has been conducted (of expected effects on algorithmic discrimination).
- Compliance records.
Deployer obligations (§ 6-1-1703)
Section titled “Deployer obligations (§ 6-1-1703)”- Establish a risk-management policy and procedure (with explicit reference to the NIST AI RMF / equivalent international standards).
- Conduct annual impact assessments.
- Consumer notices: that AI is used for a consequential decision, the categories of personal data on which the decision is based, and a summary of the impact-assessment results.
- Appeal channels: consumers may correct data / appeal a decision and have a right to human review (where technically feasible).
- Algorithmic-discrimination breach → report to the State Attorney General.
Safe-harbour presumption of compliance (§ 6-1-1706)
Section titled “Safe-harbour presumption of compliance (§ 6-1-1706)”Adherence to:
- The NIST AI RMF and Generative AI Profile;
- ISO/IEC 42001;
- Other “nationally or internationally recognized” frameworks;
creates a presumption of reasonable care.
Enforcement
Section titled “Enforcement”- The Colorado Attorney General has sole enforcement authority.
- Violations are deemed violations of the Colorado Consumer Protection Act.
- No private right of action.
- 40 / 60 / 90-day cure periods (depending on the provision).
Similarities and differences with the EU AI Act
Section titled “Similarities and differences with the EU AI Act”| Dimension | Colorado AI Act | EU AI Act |
|---|---|---|
| Risk tiers | A single “high-risk” tier | 4 tiers + GPAI |
| High-risk definition | Enumerated “consequential decisions” | Annex III enumeration + Annex I embedded |
| Developer / deployer obligations | Binary | Multiple roles (provider/deployer/importer/distributor/authorized representative) |
| Conformity assessment | No mandatory third-party certification | Required for some high-risk systems |
| GPAI | Not covered | Dedicated chapter, Articles 51-56 |
| Penalties | Maximum per CPA | 7% / 3% of global annual turnover |
| Enforcement | State AG | Member State MSAs + AI Office |
Practical industry impact
Section titled “Practical industry impact”- Large-model providers: as Developers, must provide “AI-Act-like” documentation to Colorado Deployers.
- US companies: if operating in CO + serving CO residents, must perform obligations under the Act.
- Spillover across states: subsequent legislation in Connecticut, Texas, Illinois, and Virginia largely follows the CO framework.
- Possible federal preemption: whether post-EO-14179 federal legislation overrides state law is an open question; there is presently no federal preemption.
Primary text and archives
Section titled “Primary text and archives”| Source | Link |
|---|---|
| Colorado General Assembly | leg.colorado.gov/bills/sb24-205 |
| Codified (C.R.S. §§ 6-1-1701 through 6-1-1707) | Colorado Revised Statutes |
| Scholarly commentary | IAPP, White & Case, Brookings continue to track |
Revision history
Section titled “Revision history”| Date | Event |
|---|---|
| 2024-05-08 | Passed by the General Assembly |
| 2024-05-17 | Signed by the Colorado Governor |
| 2025 session | Several rounds of amendments attempted |
| 2026-02-01 | Original effective date (subject to 2025/2026 amendments) |