WeVote

Bill

Bill

SB 25B-004

Increase Transparency for Algorithmic Systems

2025 First Extraordinary Session Introduced by Judy Amabile and 22 co-sponsors

SB 25B-004 requires developers and deployers of algorithmic and generative AI to disclose risks, maintain impact assessments, and inform individuals affected by decisions.

Governor Signed
0
WeVote Research Nonpartisan
Bill Summary · SB 25B-004

SB 25B-004 — Increase Transparency for Algorithmic Systems

Status: Governor signed (Aug 28, 2025). Effective date: Nov 25, 2025 (assuming no referendum). Implements developer/deployer obligations no later than June 30, 2026.

Purpose / Intent

SB 25B-004 revises and reenacts the consumer-protection standards first enacted in SB 24-205 to increase transparency and risk-management for algorithmic and generative AI systems used to make or inform material decisions affecting people. The bill delays the compliance start date from Feb 1, 2026 to June 30, 2026.

Key provisions

  • Definitions

    • "Algorithmic decision system": broad definition covering machine-based systems using statistical modeling, data analytics, machine learning or AI to generate outputs (scores, classifications, recommendations) that assist, inform, or replace human decision‑making.
    • "Generative AI system": systems trained on data that interact via text/audio/visuals and produce human‑like output.
    • "Personal characteristics": personal and sensitive data, biometric identifiers, genetics, health, economic status, location, inferences, etc.
    • Lists numerous exclusions (e.g., spreadsheets, firewalls, anti‑virus, many admin/ministerial tools). A probation supervision/assessment tool in use at the time of commencement is specifically excluded.
  • Developer obligations (on/after June 30, 2026)

    • Provide deployers with disclosures and documentation (e.g., model cards, dataset cards, impact assessments) including:
    • Analysis of known or reasonably foreseeable risks of violating consumer‑protection or anti‑discrimination laws.
    • Steps taken to mitigate those risks.
    • Stated intended uses and reasonably foreseeable misuses.
    • Any information necessary for deployers to comply with the law.
    • Make public summaries (plain language) and notify the Attorney General of known risks.
  • Deployer obligations (on/after June 30, 2026)

    • Implement an iterative risk‑management policy and program.
    • Complete and (annually and after material changes) update impact assessments.
    • Provide disclosures (before and after decisions) to individuals affected by decisions that have material legal or similar effects (employment, housing, healthcare, essential government services).
    • Disclosures must include developer information and a list of up to 20 personal characteristics that influenced the decision.
    • Provide affected individuals access to personal data used and a procedure to challenge/correct inaccurate data.
  • Liability and enforcement

    • Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act (enforced by the Attorney General and district attorneys).
    • No private right of action created by this bill.
    • Developers and deployers can be jointly and severally liable; developers are exempt from liability for misuse if they took reasonable preventative steps and could not have foreseen or otherwise limited the misuse in disclosures.
    • Attorney General may adopt implementing rules; certain disclosures to AG are exempt from public records (trade secrets/proprietary protections preserved).

Fiscal and administrative impact

  • Final Legislative Council Staff fiscal note (Sept 10, 2025) projects minimal ongoing state revenue and workload impacts and reports no appropriation required.
  • Earlier analyses and Joint Budget Committee materials reflected potential larger costs and proposed appropriations (JBC staff packet J.001 proposed ~$4.78 million GF in FY 2025‑26 and ~$7.14 million GF in FY 2026‑27), but those needs were ultimately not required in the enacted version.

Who is affected

  • Developers and deployers doing business in Colorado who design, sell, deploy or operate covered algorithmic decision systems and generative AI.
  • Individuals subject to influential decisions (employment, housing, healthcare, government benefits).
  • State and local agencies that deploy such systems (may need to comply, prepare impact assessments, or request budget resources through the normal process).

Procedural timeline

  • Introduced: Aug 21, 2025
  • Passed both chambers with amendments Aug 24–26, 2025
  • Sent to Governor and signed: Aug 28, 2025
  • Bill effective: Nov 25, 2025 (assuming no referendum)
  • Developer/deployer compliance start date: June 30, 2026.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.