The United States has moved more slowly than Europe and other jurisdictions when it comes to regulating the internet and tech, but one state has emerged as a must-follow on all things data privacy and protection, and it isn’t California.
California is the high-profile name that tends to jumpstart conversations, but Colorado has perhaps been the most interesting state to track, due to its speed, its forward-thinking mindset, its ability to get laws passed, and its suitability as a model for other states to copy.
Colorado, the third state to pass comprehensive data privacy legislation after California and Virginia, has become the first US state to pass a comprehensive law on artificial intelligence. (Utah claimed this honour, but in fact the Utah law was not comprehensive but very narrow. Connecticut also came close, but that bill died after the Governor refused to sign it.)
The Colorado AI Act is a toned-down version of the EU AI Act. Whilst Colorado’s AI Act is 26 pages long against the EU AI Act’s more than 150 pages, it carries enough weight to set a meaningful precedent, and it takes a similar risk-based approach with the focus fully on high-risk systems, being “any artificial intelligence system that, when deployed, makes, or is a substantial factor in making a consequential decision.” A consequential decision is one where AI is used in relation to services to an individual concerning education enrollment or an education opportunity, employment, financial, insurance, healthcare or legal services, housing, or essential government services. This potentially has huge ramifications, as algorithms have been in place for years across many sectors doing exactly this work.
The Act imposes a duty to protect consumers from algorithmic discrimination or bias, being any unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of this state or federal law. Like the EU Act, it requires transparency: developers must provide extensive documentation on how the system should work and its possible risks (including risks to deployers of the AI), and there are mandatory reporting requirements. Under the Act, developers and deployers must also adhere to mandatory AI governance programs that align with NIST’s new AI standards or ISO 42001 (the two specific standards called out in the law, or any future equivalent), and complete yearly data protection impact assessments (with additional DPIA requirements within 90 days of any “substantial” alteration to a high-risk AI system). There appears, however, to be a huge hole in the legislation in the form of a “rebuttable presumption” that companies can rely on if they exercised reasonable care and claim to have been in compliance with the AI Act. The Act will go into effect on February 1, 2026, but may be amended prior to enforcement.
Colorado also amended its data privacy law, the Colorado Privacy Act (CPA), this year to bolster children’s privacy and biometric data protections, in line with other states where biometric data has been subject to extensive reining-in. Colorado’s amendment to the CPA adds protections for biometric identifiers and data similar in scope to Illinois’s influential BIPA legislation, which is very restrictive. In contrast to California, which regulates all employee data, Colorado will only regulate biometric employee data.