Colorado Regulates AI-Consumer Interactions: How Will This Impact Employers?

Colorado's governor signed Colorado SB 24-205, "Concerning Consumer Protections in Interactions With Artificial Intelligence Systems," on May 17, 2024, "with reservations." https://leg.colorado.gov/sites/default/files/2024a_205_signed.pdf

The bill is the first in the country to attempt large-scale regulation of the artificial intelligence industry in the state. Connecticut, California, New York, Illinois, Rhode Island, and Washington are considering AI bills of their own.

The governor's signing statement reflects his concern about the impact this law may have on an industry that is making critical technological advancements.

He observed that state-level regulations will create a patchwork of laws across the country which could have the effect of tampering with innovation and deterring competition in an open market. However, the governor encouraged the bill's sponsors to "fine-tune" the provisions and ensure that the final product does not hamper the development and expansion of new technologies and specifically calls on the federal government to enact preemptive legislation "with a needed cohesive federal approach."

The Colorado law establishes requirements for both developers and deployers of "high-risk" AI systems, defined as systems that make or significantly influence "consequential decisions" in areas such as employment, housing, credit, education, and healthcare.

Among its many requirements the bill requires that when an AI system is intended to interact with Colorado consumers, the deployer or developer must disclose to each consumer that they are interacting with an AI system unless it would be obvious to a reasonable person that they are interacting with AI. The required notices, statements, contact information, and descriptions must be provided directly to consumers in plain language, in the same languages used by the deployer in the ordinary course of business, and in a format accessible to consumers with disabilities. Seyfarth Shaw LLP "Colorado Governor Signs Broad AI Bill Regulating Employment Decisions" lexology.com (May 18, 2024).

Commentary

If your organization chooses to use AI to interact with employees, customers, or the general public, the Colorado bill's risk management provisions should be looked at as one metric against which to refine your current risk management AI strategy.

Colorado SB 205 grants the Colorado Attorney General sole enforcement authority for violations of the law. It creates a rebuttable presumption that AI deployers and AI developers have exercised reasonable care if they have implemented certain risk management practices that are closely aligned with the U.S.'s NIST AI Risk Management Framework, which is intended for voluntary use to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf

In turn, those practices closely align with the Department of Labor's "promising practices" regarding AI, and other guidance recently issued by the EEOC and OFCCP regarding employers' use of AI. https://www.eeoc.gov/laws/guidance/select-issues-assessing-adverse-impact-software-algorithms-and-artificial; https://www.dol.gov/agencies/ofccp/ai/ai-eeo-guide?utm_medium=email&utm_source=govdelivery

Employers using or considering using AI in their employment processes should evaluate their current AI risk management practices against the requirements of Colorado SB 205, and the referenced federal guidelines. An evaluation should consider whether enhancements are necessary to align their current practices with these emerging expectations.

Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Training Required For Password Best Practices

Not all employees follow cybersecurity best practices, which can put organizations at risk of a cyberattack. We examine passwords and the need for training.

Recent Data Breach Increases Risk Of A Convincing Social Engineering Scam

Cybercriminals claim to have stolen the personal financial data of more than half a billion Ticketmaster customers. Learn about the risk.

Colorado Regulates AI-Consumer Interactions: How Will This Impact Employers?

As artificial intelligence plays a larger role in everyday life, states are stepping in to regulate.