Colorado SB 24-205
June 30, 2026
Status: Active law. Repeal-and-replace draft released March 17, 2026 - not yet introduced in legislature. Prepare for the existing law.
Who's Affected
Developers and deployers of high-risk AI systems used in consequential decisions (employment, housing, lending, healthcare, education, legal services, essential government services, insurance) affecting Colorado consumers.
Required Artifacts
- Risk management policy and program (NIST AI RMF or ISO 42001 aligned)
- Impact assessment per high-risk system (within 90 days of effective date, then annually)
- Consumer pre-decision notice (AI involvement disclosed before consequential decision)
- Consumer adverse-action notice (with explanation and appeal option)
- Public website statement (types of high-risk systems deployed and discrimination risk management)
- AG discrimination discovery notice (within 90 days of discovering algorithmic discrimination)
- Annual impact assessment review and update
Penalties
$20,000 per violation (counted per consumer/transaction). AG has exclusive enforcement with 60-day cure period.
Affirmative Defense
Compliance with NIST AI RMF or ISO 42001 creates rebuttable presumption.
EU AI Act - Annex III High-Risk Systems
August 2, 2026
Status: Active regulation (entered into force August 1, 2024). Digital Omnibus proposal could delay to December 2027 - not yet adopted. Treat August 2 as binding.
Who's Affected
Providers and deployers of AI systems in Annex III domains (biometrics, critical infrastructure, education, employment, essential services/credit scoring, law enforcement, migration, justice/democracy) serving EU users - regardless of where your company is headquartered.
Required Artifacts
- Annex IV technical documentation (9 sections: system description, design specs, data requirements, human oversight, predetermined changes, validation/testing, risk management, standards mapping, post-market monitoring)
- Risk management system (Article 9)
- Data governance procedures (Article 10)
- Conformity assessment (self-assessment or third-party per Annex VI/VII)
- EU database registration (Annex VIII fields)
- Post-market monitoring plan (Article 72)
- Serious incident reporting protocol (Article 73)
- CE marking and EU declaration of conformity
- Transparency disclosures (Article 50 - applies to all AI, not just high-risk)
Penalties
Up to €35M or 7% of global turnover for prohibited practices. Up to €15M or 3% for high-risk non-compliance.
CPRA ADMT (California)
January 1, 2027
Status: Regulations effective January 1, 2026. Risk assessment submissions due April 1, 2028.
Who's Affected
Any CCPA "business" (for-profit, doing business in CA, meeting revenue/data volume thresholds) using automated decision-making technology for "significant decisions" (financial/lending, housing, education, employment, healthcare) affecting California consumers.
Required Artifacts
- Pre-use consumer notice (purpose, how ADMT works, outputs, alternative process)
- Opt-out mechanism (or documented exception: human appeal, admission/hiring, work allocation)
- Consumer access rights response procedures
- Risk assessment report (purpose, impacts, safeguards, governance signoff)
- Risk assessment 3-year review cycle with 45-day material change updates
- Annual metrics compilation and disclosure (if processing PI of 10M+ consumers)
- Anti-dark pattern UI testing documentation
- Executive management attestation for risk assessment submissions
Penalties
Standard CCPA enforcement - up to $7,500 per intentional violation.
Key Nuance
ADMT = computation + personal information + replaces or substantially replaces human decision-making. Advertising is explicitly excluded. Human involvement (3-part AND test) can take you out of scope.
NYC Local Law 144
Already Enforced
Status: Active DCWP enforcement. Effective July 5, 2023.
Who's Affected
Employers and employment agencies using automated employment decision tools (AEDTs) for hiring or promotion decisions in New York City.
Required Artifacts
- Annual independent bias audit (selection rate and impact ratio by race/ethnicity and sex)
- Published bias audit summary on employer's website
- Candidate notice (at least 10 business days before AEDT use)
- Data type disclosure (what data the AEDT collects and analyzes)
- Alternative process disclosure (how candidates can request alternative selection)
- Records retention for bias audits (minimum 4 years under DCWP rules)
Penalties
$375–$1,500 per violation (first offense: $500). Each day of non-compliance with notice = separate violation. Each person not notified = separate violation.
Illinois AI Employment Laws (AIVIA + HB 3773)
Already Enforced
Status: Both laws active. AIVIA: January 1, 2020. HB 3773: January 1, 2026.
Who's Affected
AIVIA - any employer using AI to analyze video interviews in Illinois. HB 3773 - any employer using AI for employment decisions (screening, evaluation, discipline, termination) in Illinois.
Required Artifacts (AIVIA)
- Pre-interview notice (AI analysis disclosed before interview)
- Applicant consent (affirmative consent required before AI analysis)
- Video deletion process (within 30 days of applicant request)
- AI provider certification records
Required Artifacts (HB 3773)
- Pre-decision worker notice (before AI is used in employment decisions)
- Protected characteristics disclosure (which characteristics AI could factor into decisions)
- Human review process documentation
- Adverse action notice and appeal process
Required Artifacts (Both)
- Demographic data collection and reporting to IDCEO
- Bias monitoring measures
Penalties
Enforced through Illinois Human Rights Act and Illinois Department of Labor. Civil penalties vary.