Colorado AI Act: Enforcement and Penalties
Enforcement and Penalties [C.R.S. § 6-1-1706]
Citation: § 6-1-1706 (enforcement), Section 6-1-1706
Q: What are the penalties for violating the Colorado AI Act? A: Violations are unfair trade practices with penalties up to $20,000 per violation. Only the Colorado AG can enforce — there is no private right of action [§ 6-1-1706].
Key rule (§ 6-1-1706): Violations constitute unfair trade practices under the Colorado Consumer Protection Act. Penalties up to $20,000 per violation. AG enforcement only.
Rule: Compliance with NIST AI RMF or ISO 42001 provides an affirmative defense.
Enforcement Authority [§ 6-1-1706]
| Aspect | Detail |
|---|---|
| Enforcer | Colorado Attorney General only |
| Private lawsuits | Not allowed |
| Violation type | Unfair trade practice under § 6-1-105(1)(hhhh) |
The attorney general has exclusive authority to enforce this part 17.
Penalties
| Penalty Type | Amount |
|---|---|
| Civil penalty per violation | Up to $20,000 |
| Injunctive relief | Court can order compliance |
| Assurance of discontinuance | Pre-suit settlement |
| Damages | Actual damages |
Affirmative Defense [§ 6-1-1706(3)]
Developers, deployers, or other persons have an affirmative defense if they:
Requirements for Defense
| Requirement | Description |
|---|---|
| Discovery and cure | Found and fixed the violation through: |
| — Feedback encouraged from deployers/users | |
| — Adversarial testing or red teaming (per NIST) | |
| — Internal review process | |
| Framework compliance | Otherwise in compliance with: |
| — NIST AI Risk Management Framework (latest) | |
| — ISO/IEC 42001 | |
| — Other nationally/internationally recognized framework |
What This Means
If you:
- Discover discrimination through testing, feedback, or review
- Cure the violation
- Comply with NIST AI RMF or ISO 42001
Then you have a defense against AG enforcement.
Limitations
This affirmative defense applies only to AG enforcement actions. It does not affect any other rights, claims, remedies, presumptions, or defenses available at law or in equity.
AG Rulemaking [§ 6-1-1707]
The Attorney General may promulgate rules for:
| Area | Description |
|---|---|
| Developer documentation | What developers must provide |
| Notices and disclosures | How to notify consumers |
| Risk management policies | What policies must contain |
| Impact assessments | Assessment requirements |
| Rebuttable presumptions | Compliance presumption details |
| Affirmative defense | Defense requirements |
Exemptions [§ 6-1-1705]
Certain entities are exempt or deemed compliant:
| Entity | Status |
|---|---|
| Federal agency-approved AI | Exempt |
| AI complying with federal standards | Exempt |
| AI for federal certification research | Exempt |
| US government AI | Exempt |
| Insurers complying with insurance AI rules | Deemed compliant |
| Banks/credit unions complying with banking AI rules | Deemed compliant |
Timeline
| Date | Event |
|---|---|
| May 17, 2024 | Law signed |
| August 28, 2025 | Effective date delayed to June 30, 2026 |
| June 30, 2026 | Law takes effect |
Compliance Checklist
To establish affirmative defense:
- Implement NIST AI RMF or ISO 42001
- Establish feedback mechanisms for users/deployers
- Conduct regular adversarial testing/red teaming
- Maintain internal review processes
- Document discovery and cure of any issues
- Retain compliance records