PogoWasRight.org

Menu
  • About
  • Privacy
Menu

Colorado and Utah Artificial Intelligence laws: what you need to know

Posted on June 7, 2024 by Dissent

Here is some info from privacy law firms about two states’ AI laws.

Colorado

Odia Kagan of FoxRothschild writes:

Colorado recently enacted its Artificial Intelligence law, launching a new era of state AI laws.

What do you need to know?

  • The bill is effective February 1, 2026 and enforceable by the Attorney General.
  • This is a comprehensive AI bill that applies directly to the private sector.
  • Like EU AI Act, the gating item is “high risk AI” defined as: an AI system that has been specifically developed and marketed or intentionally and substantially modified to make or to be a substantial factor in making a consequential decision.
  • Like U.S. state privacy laws, a consequential decision is a decision that has a material legal or similarly significant effects on a consumer’s access to or availability, cost or terms of things like education, employment, essential goods or services, financial or lending service, healthcare, housing, insurance or legal services.
  • Like EU AI Act, it allocates responsibility to “developers” and “deployers.” This means service providers are directly implicated.
  • The focus (key violation): reasonable care to avoid algorithmic discrimination, with extensive to-do’s, for a presumption of non-discrimination.

Read more at Privacy Compliance & Data Security.

Utah

Hunton Andrews Kurth writes:

On May 1, 2024, Utah’s Artificial Intelligence Policy Act (“AI Policy Act”) entered into effect. Along with Colorado, Utah is the second state to pass legislation specifically regulating AI in the U.S. this year. The AI Policy Act introduces obligations for companies subject to Utah’s consumer protection laws with respect to use of generative AI applications.  Key requirements of the law include:

  • Transparency obligations: Individuals who provide services of a “regulated occupation” must prominently disclose when a person is interacting with generative AI in the provision of regulated services. This disclosure must be provided either verbally at the beginning of a conversation or through electronic messaging before a written exchange. The law also requires individuals outside of regulated occupations to disclose that a person is interacting with generative AI and not a human if asked or prompted by the person. Regulated occupations are those that require a license or state certification and are regulated by the Department of Commerce.
  • Accountability obligations: Under the AI Policy Act, any company that violates a statute administered and enforced by Utah’s Division of Consumer Protection through use of generative AI will be responsible for the violation even if the generative AI application made the violative statement, undertook the violative act or was used in furtherance of the violation. In other words, the company remains responsible for violations caused by its generative AI applications.

Read more at Privacy & Information Security Law Blog.

Category: Artificial IntelligenceFeatured NewsLaws

Post navigation

← The Privacy Patchwork: Beyond US State “Comprehensive” Laws
New York State Legislature Passes Bill Addressing Children’s Use of Social Media Platforms, Pending Governor’s Signature →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • South Korea fines Temu for data protection violations
  • The BR Privacy & Security Download: May 2025
  • License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows
  • FTC dismisses privacy concerns in Google breakup
  • ARC sells airline ticket records to ICE and others
  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car

RSS Recent Posts on DataBreaches.net

  • Chinese Hackers Hit Drone Sector in Supply Chain Attacks
  • Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom
  • $28 million in Texas’ cybersecurity funding for schools left unspent
  • Cybersecurity incident at Central Point School District 6
  • Official Indiana .gov email addresses are phishing residents
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy