---
title: "Colorado AI Act: Enforcement and Penalties"
jurisdiction: ["US", "Colorado"]
binding: true
topics: []
keyProvisions: []
license: "unknown"
parent: "us/colorado-ai-act"
section: "enforcement"
citation: "C.R.S. § 6-1-1706"
sourceUrl: "https://leg.colorado.gov/bills/sb24-205"
lastUpdated: 2026-03-07
sourceUrls: []
---

> **Jurisdiction:** US, Colorado
> **Official source:** https://leg.colorado.gov/bills/sb24-205


## Enforcement and Penalties [C.R.S. § 6-1-1706]

**Citation:** C.R.S. § 6-1-1706 (enforcement)

**Q: What are the penalties for violating the Colorado AI Act?**
**A:** Violations are unfair trade practices with penalties up to **$20,000 per violation**. Only the Colorado AG can enforce — there is **no private right of action** [§ 6-1-1706].

**Key rule (§ 6-1-1706):** Violations constitute unfair trade practices under the Colorado Consumer Protection Act. Penalties up to $20,000 per violation. AG enforcement only.

**Rule:** Discovering and curing a violation while complying with NIST AI RMF or ISO 42001 provides an affirmative defense [§ 6-1-1706(3)].

---

## Enforcement Authority [§ 6-1-1706]

| Aspect | Detail |
|--------|--------|
| **Enforcer** | Colorado Attorney General only |
| **Private lawsuits** | Not allowed |
| **Violation type** | Unfair trade practice under § 6-1-105(1)(hhhh) |

> The attorney general has **exclusive authority** to enforce this part 17.

---

## Penalties

| Penalty Type | Amount |
|--------------|--------|
| Civil penalty per violation | Up to **$20,000** |
| Injunctive relief | Court can order compliance |
| Assurance of discontinuance | Pre-suit settlement |
| Damages | Actual damages |

---

## Affirmative Defense [§ 6-1-1706(3)]

Developers, deployers, or other persons have an affirmative defense if they meet the requirements below.

### Requirements for Defense

| Requirement | Description |
|-------------|-------------|
| **Discovery and cure** | Found and fixed the violation through: |
| | — Feedback encouraged from deployers/users |
| | — Adversarial testing or red teaming (per NIST) |
| | — Internal review process |
| **Framework compliance** | Otherwise in compliance with: |
| | — NIST AI Risk Management Framework (latest) |
| | — ISO/IEC 42001 |
| | — Other nationally/internationally recognized framework |

### What This Means

If you:
1. **Discover** discrimination through testing, feedback, or review
2. **Cure** the violation
3. **Comply** with NIST AI RMF or ISO 42001

Then you have a defense against AG enforcement.

### Limitations

> This affirmative defense applies **only** to AG enforcement actions. It does not affect any other rights, claims, remedies, presumptions, or defenses available at law or in equity.

---

## AG Rulemaking [§ 6-1-1707]

The Attorney General may promulgate rules for:

| Area | Description |
|------|-------------|
| Developer documentation | What developers must provide |
| Notices and disclosures | How to notify consumers |
| Risk management policies | What policies must contain |
| Impact assessments | Assessment requirements |
| Rebuttable presumptions | Compliance presumption details |
| Affirmative defense | Defense requirements |

---

## Exemptions [§ 6-1-1705]

Certain entities are exempt or deemed compliant:

| Entity | Status |
|--------|--------|
| Federal agency-approved AI | Exempt |
| AI complying with federal standards | Exempt |
| AI for federal certification research | Exempt |
| US government AI | Exempt |
| Insurers complying with insurance AI rules | Deemed compliant |
| Banks/credit unions complying with banking AI rules | Deemed compliant |

---

## Timeline

| Date | Event |
|------|-------|
| May 17, 2024 | Law signed |
| August 28, 2025 | Effective date delayed to June 30, 2026 |
| **June 30, 2026** | Law takes effect |

---

## Compliance Checklist

To establish affirmative defense:

- [ ] Implement NIST AI RMF or ISO 42001
- [ ] Establish feedback mechanisms for users/deployers
- [ ] Conduct regular adversarial testing/red teaming
- [ ] Maintain internal review processes
- [ ] Document discovery and cure of any issues
- [ ] Retain compliance records

---

## Related

- [Back to Colorado AI Act overview](/regulations/us/colorado-ai-act.md)
- [Developer Duties](/regulations/us/colorado-ai-act/developer-duties.md)
- [Deployer Duties](/regulations/us/colorado-ai-act/deployer-duties.md)
