Here is some info from privacy law firms about two states’ AI laws.
Colorado
Odia Kagan of FoxRothschild writes:
Colorado recently enacted its Artificial Intelligence law, launching a new era of state AI laws.
What do you need to know?
- The bill is effective February 1, 2026 and enforceable by the Attorney General.
- This is a comprehensive AI bill that applies directly to the private sector.
- Like EU AI Act, the gating item is “high risk AI” defined as: an AI system that has been specifically developed and marketed or intentionally and substantially modified to make or to be a substantial factor in making a consequential decision.
- Like U.S. state privacy laws, a consequential decision is a decision that has a material legal or similarly significant effects on a consumer’s access to or availability, cost or terms of things like education, employment, essential goods or services, financial or lending service, healthcare, housing, insurance or legal services.
- Like EU AI Act, it allocates responsibility to “developers” and “deployers.” This means service providers are directly implicated.
- The focus (key violation): reasonable care to avoid algorithmic discrimination, with extensive to-do’s, for a presumption of non-discrimination.
Read more at Privacy Compliance & Data Security.
Utah
Hunton Andrews Kurth writes:
On May 1, 2024, Utah’s Artificial Intelligence Policy Act (“AI Policy Act”) entered into effect. Along with Colorado, Utah is the second state to pass legislation specifically regulating AI in the U.S. this year. The AI Policy Act introduces obligations for companies subject to Utah’s consumer protection laws with respect to use of generative AI applications. Key requirements of the law include:
- Transparency obligations: Individuals who provide services of a “regulated occupation” must prominently disclose when a person is interacting with generative AI in the provision of regulated services. This disclosure must be provided either verbally at the beginning of a conversation or through electronic messaging before a written exchange. The law also requires individuals outside of regulated occupations to disclose that a person is interacting with generative AI and not a human if asked or prompted by the person. Regulated occupations are those that require a license or state certification and are regulated by the Department of Commerce.
- Accountability obligations: Under the AI Policy Act, any company that violates a statute administered and enforced by Utah’s Division of Consumer Protection through use of generative AI will be responsible for the violation even if the generative AI application made the violative statement, undertook the violative act or was used in furtherance of the violation. In other words, the company remains responsible for violations caused by its generative AI applications.
Read more at Privacy & Information Security Law Blog.