Colorado AI Act Readiness

---

Penalty per violation | Up to $20,000 per consumer, per transaction. 

100 affected consumers | Up to $2,000,000 in potential exposure. 

1,000 affected consumers | Up to $20,000,000 in potential exposure.

That's before reputation damage, legal fees, and the cost of emergency remediation.

Mitigating factors: Organizations that comply with NIST AI RMF, ISO 42001, or an AG-designated framework and proactively discover and cure violations can assert an affirmative defense. 

Deployers: Any person or entity doing business in Colorado that uses a high-risk AI system to make or substantially influence consequential decisions about consumers. This includes private businesses, state and local governments, vendors, nonprofits, and institutions.

You don't need to build AI to be regulated.  Using it is enough. 

• That resume screening tool your HR team loves?  A high-risk AI system.
• That chatbot on your website? Regulated if it influences consequential decisions.
• That credit scoring algorithm? High-risk AI system.

Under the Colorado AI Act, consumers have the right to:

• Know when AI is involved in decisions about them
• Understand the principal reasons for adverse decisions
• Correct inaccurate personal data used by AI systems
• Appeal adverse decisions with human review 
• Opt out of certain AI-driven profiling under the Colorado Privacy Act

The law is your opportunity to get ahead of the curve with governance.  The compliance framework is legal protection.