Colorado has become the first US state to pass a comprehensive artificial intelligence (AI) regulation to protect consumers. The Colorado AI Act (CAIA) was signed into law on 17 May 2024 by Governor Jared Polis and aims to mitigate the risk of algorithmic discrimination by requiring developers and users of high-risk AI models to employ strict compliance measures.
The new legislation defines high-risk AI models as any artificial intelligence system that makes, or is a significant factor in making, ‘consequential decisions’. Under the CAIA, developers and deployers must take reasonable care to prevent discrimination, implement adequate risk management policies, conduct impact assessments of their AI models, and provide full transparency to regulators and the public.
The CAIA comes into effect on 1 February 2026, giving organisations time to understand and implement the necessary operational changes.
David Smith, Data Protection Officer (DPO) and AI Sector Lead at The DPO Centre, said:
‘It will be interesting to monitor the effectiveness and transparency of the algorithmic discrimination disclosures process within the 90-day window, as this will be a key measure of the Bill’s impact on accountability and ethical AI development.
‘The Bill’s specific mention of aligning with the latest standards set by the National Institute of Standards and Technology (NIST) provides organisations with an area for immediate focus.’
In the same week, Vermont passed one of the most comprehensive data privacy laws in the US, which allows consumers a private right of action if an organisation violates their online privacy rights.
The Vermont Data Privacy Act also puts constraints on what personal data can be collected, prohibits companies from selling consumers’ sensitive data such as social security and driving license numbers, and establishes stricter civil rights safeguards to prevent discrimination.
The law is expected to come into force from July 2025, although the ability for consumers to sue would not take effect until 2026 and will need to be reauthorised in 2028.
Rob Masson, CEO of The DPO Centre, said:
‘The recently passed Vermont Data Privacy Act is a significant piece of legislation that will enhance consumer privacy within the state. It will also add further complexity for organisations managing privacy compliance across the US.
‘The growing patchwork of individual state legislation means businesses need to understand the scope, enforcement mechanisms, and data sharing rules of the various state laws, including the previously enacted California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).’