The ambit of the CAA extends to all developers and deployers—corporate entities—utilizing “high-risk artificial intelligence systems” within the state of Colorado. The term “high-risk AI systems” under the purview of the CAA encompasses those AI systems pivotal in influencing consequential decisions or substantially contributing to altering outcomes in various domains. Such systems are deemed high-risk if they impact the cost, provision, or denial of critical services such as education, employment, financial services, healthcare, housing, insurance, legal services, among others. Moreover, the legislation encompasses AI deployment involved in crafting content, decisions, predictions, or recommendations pertaining to consumers, subsequently influencing consequential determinations concerning them.

 

However, the CAA carves out exceptions, sparing AI systems tailored for narrow procedural tasks or those designed solely for detecting decision-making patterns or anomalies without supplanting human evaluation sans oversight. Furthermore, anti-fraud mechanisms devoid of facial recognition functionalities, databases, data storage, cybersecurity tools, firewalls, and generative AI tools like chatbots aimed at furnishing users with information are not classified as high-risk AI systems. This exemption is contingent upon the proviso that such generative AI tools explicitly forbid the generation of discriminatory or harmful content.

Algorithmic discrimination, as delineated by the legislation, pertains to instances where AI employment culminates in unlawful differential treatment or impacts on individuals belonging to classes protected from discrimination. These classes typically encompass race, color, ethnicity, national origin, religion, sex, age, disability, veteran status, and similar attributes. Notably, AI systems employed to enhance diversity or rectify historical discrimination are exempted from this classification. Moreover, discriminatory acts or omissions stemming from AI utilization within private clubs or non-public establishments do not fall under the purview of algorithmic discrimination as stipulated by the CAA.

 

The CAA imposes a duty of care on developers of high-risk AI systems, mandating measures to shield consumers from potential algorithmic discrimination risks inherent in their AI systems. To substantiate reasonable care, developers must adhere to specified protocols, including furnishing deployers with comprehensive information regarding the purpose, intended utility, benefits, associated risks, foreseeable algorithmic discrimination, and risk management strategies related to the AI system. Additionally, developers are obligated to supply deployers with requisite documentation facilitating impact assessments of the system, disclose any known or foreseeable risks of algorithmic discrimination within a stipulated timeframe, and furnish public summaries detailing the types of high-risk AI systems they develop or modify.

 

Concomitantly, deployers are entrusted with the responsibility of exercising reasonable care to mitigate algorithmic discrimination risks associated with high-risk AI systems. This entails periodic reviews of AI systems for evidence of discriminatory outcomes, transparent communication with consumers regarding decisions influenced by the AI system, and provision of avenues for rectifying erroneous information impacting consequential determinations. Larger companies exceeding the employee threshold stipulated by the legislation are subject to augmented obligations to fulfill their duty of care effectively.

 

Furthermore, developers and deployers employing AI systems for consumer interaction are obligated to disclose the AI-driven nature of interactions, clarifying that consumers are engaging with AI systems rather than live personnel. Enforcement of the CAA is entrusted solely to the Colorado Attorney General, empowered to promulgate additional regulations for effective enforcement. Violations of the Colorado AI Act are deemed unfair trade practices; however, the legislation precludes the provision of a private right of action.