Artificial_Intelligence_1200x600_GettyImages-2170346048

We have now had a bit of time to work with clients on the new Colorado Automated Decision-Making Technology in Consequential Decisions Bill (SB 26-189) (ADMT law” — replacing the CO AI Act). The sausage making and behind-the-scenes political machinations were interesting to watch unfold. Ultimately, the ADMT law succeeds in narrowing or eliminating many of the more onerous requirements of the CO AI Act, including disparate impact risk assessment requirements, notification obligations to the Attorney General upon discovery of algorithmic discrimination (within 90 days), and the AI framework-compliance affirmative defense.

However, as compelling (or problematic depending on your POV) is how the ADMT law significantly expanded the scope and liability risk of AI/ADMT offerings for “developers” (companies that develop and distribute ADMT products in services) in ways that aren’t obvious on the surface. This includes expanding: (1) the types of products/services regulated by the law well beyond “AI” and into common rule-based automated decisioning; and (2) the risk of liability in private rights of action for developers of ADMT that allegedly discriminates in making consequential decisions. On top of this, the CO ADMT law does not include many of the exemptions present in U.S. state privacy laws that allow thousands of companies to avoid ADMT and profiling requirements under those laws.

The verdict: Your organization, even without an “AI” product, may fall under and be regulated by this law. And if you’re a deployer, the risk of being pulled into and exposed to a private right of action has increased compared to the CO AI Act. What does this look like? More below the fold.

AI plus ADMT — rule-based systems within scope.

  • Under the CO AI Act, AI was defined as any machine-based system that “infers from the inputs the system receives how to generate outputs.” In contrast, ADMT is defined as “a technology that processes personal data and uses computation to generate output.” While ADMT is limited to the use of personal data and tied to decisions affecting individuals, the definition describes any computer, system or software. A spreadsheet using formulas and scoring tied to personal information could be considered ADMT (in fact, the drafters recognized this issue and explicitly excluded certain spreadsheets “that require human analysis” from the definition of ADMT).
  • So, unlike under the CO AI Act, certain rule-based/deterministic systems may now be regulated, including ATS applicant filters, benefits eligibility determination systems, tenant screening systems, collections and loan servicing triggers, segmented pricing engines, stack ranking spreadsheets, interview scoring scorecards, RIF/layoff selection spreadsheets, tenant scoring spreadsheets, and employee benefits eligibility calculators.
  • What to do? Companies that conducted an inventory of their services looking for “AI” may need to go back and revisit their analysis to account for the broadened ADMT definition. Products and services that were not inferential could be regulated and will have to be addressed.

Consequential decision-making involvement — a lower threshold for ADMT?

  • Under the CO AI Act, AI was regulated only if it was used as a “substantial factor” in the decision-making. “Substantial” meant a factor that (i) assists in making a consequential decision; (ii) is capable of altering the outcome of a consequential decision; and (iii) is generated by an AI system. This is a fairly expansive definition with no reference to “human involvement” unlike some ADMT privacy laws.
  • Under the ADMT Law, ADMT is regulated if it “materially influences” a consequential decision. ADMT materially influences if it represents a “non-de minimis factor” in making the consequential decision and affects the outcome of the decision. Similarly, the law does not specifically reference human involvement as nullifying “automated” decisioning.
  • Again, the ADMT materiality arguably expands the products and services that may be in scope under the ADMT Law. De minimis is not defined under the law, but Webster’s defines it as follows “lacking significance or importance: so minor as to be disregarded.” In contrast, the CO AI Act requires the system to actually “assist in making” a consequential decision.
  • However, the ADMT definition is also narrower because to be considered material, the ADMT output must actually affect the outcome of the decision. AI under the CO AI Act only needed to be “capable of altering” the outcome of a consequential decision.

“Anti-indemnification” and liability shifting between developers and deployers — developers can now be pulled into private rights of action for discrimination.

  • Developers had strong contractual protections in place to shield them from a private right of action, but those protections are eliminated if a deployer’s ADMT was responsible for the alleged discrimination. Now they can be sued more readily by deployers.
  • There was no private right of action under the CO AI Act — it could only be enforced by the Colorado AG. That still holds under the CO ADMT Law. However, under both regimes it was (and is) certainly possible to be subjected to a private right of action for a discriminatory model under the Colorado Anti-Discrimination Law (CADL).
  • Developers had strong contractual protections in place to shield them from a private right of action, but those protections are eliminated if a deployer’s ADMT was responsible for the alleged discrimination. Now they can be sued more readily by deployers.
  • The CADL prohibits discrimination in employment, housing, and public accommodations on the basis of protected characteristics including race, color, religion, sex, sexual orientation, gender identity, national origin, ancestry, disability, marital status, and familial status. It provides for a private right of action (with some procedural requirements), including the potential for class action litigation.
  • In this context, the entity using ADMT (the deployer) would be in privity with any individuals allegedly discriminated against (e.g., the entity who denies employment) and would be the target of a CADL private right of action. In contrast, the developer who produced the ADMT (often a SaaS) is not typically the direct target of litigation (although that is potentially changing).
  • One reason for this is that developers/SaaS companies enter into contracts with their deployer customers that limit developer liability, including through indemnification provisions, consequential damage disclaimers and monetary limitations of liability. So, when a deployer is sued by an individual for discrimination, these contracts can significantly limit the developer’s liability and help insulate developers from cross-claims by deployers.
  • The CO ADMT Law’s “anti-indemnification” provisions strip deployers’ contractual protections. While colloquially referred to “anti-indemnification,” when a deployer is at fault for discriminatory ADMT, the CO ADMT Law actually declares that any contract provision that purports to or “has the effect of indemnifying, defending or holding harmless” a deployer or developer for discrimination is void and contrary to public policy:

Notwithstanding any other provision of law, if a provision of a contract for the use of automated decision-making technology in making a consequential decision or any other contract between a developer and deployer purports to indemnify, defend, or hold harmless or has the effect of indemnifying, defending, or holding harmless the indemnitee from or against any liability for damages pursuant to this section resulting from the developer’s or deployer’s own acts or omissions related to the use of automated decision-making technology in making consequential decisions in violation of [CADA] …

  • The CO ADMT Law also specifies that each of the developer and deployer’s fault for ADMT-related discrimination is proportional based on relative fault for a CADA violation.
  • Furthermore, a developer is only liable for discrimination to the extent the discrimination was caused by a deployer’s failure to use the ADMT product or service “[i]n a manner that was intended, documented, marketed, advertised, configured, or contracted for by the developer.” In addition, developers’ contractual protections remain intact where a CADA violation arises from the misuse of the ADMT service by the deployer.
  • The irony of the CO ADMT Law is that developers were looking for relief from regulator reporting and scrutiny. They may have traded that relief for a much more direct route to a private right of action for discriminatory ADMT where a deployer asserts a cross-claim and the developers can no longer rely on their various contractual limits of liability.

Missing Exemptions (as compared to other U.S. privacy laws regulating ADMT or profiling).

  • ADMT and profiling are regulated under most comprehensive U.S. state privacy laws, including requirements for data protection impact assessments and certain data subject rights, among other obligations.
  • The data- and entity-level exemptions in these state privacy laws enable organizations to avoid the ADMT and profiling requirements of these laws.
  • However, the exemptions in the CO ADMT Law are more limited and organizations exempted under state privacy laws may not be under the CO ADMT Law. For example, most U.S. privacy laws do not apply to employees or job applicants, but the CO ADMT Law applies to employees, job applicants, and any individual evaluated in a consequential decision.
  • Other notable typical U.S. privacy law exemptions that either don’t apply or are limited under the CO ADMT Law: (1) GLBA entity exemption is not applicable; (2) small business thresholds not applicable; (3) FCRA data level exemption is not applicable (exemptions exist for certain adverse action notices); and (4) FERPA data level exemption is not applicable.
  • Revisit your use of and rationale for exemptions. Those exemptions may no longer apply to the CO ADMT Law or may apply in a more limited fashion.

Conclusion

While Colorado’s switch from the CO AI Act to the more business-friendly CO ADMT Law certainly eliminates or limits many of the obligations considered onerous by commercial interests, it comes with a price. Companies who were not using AI for consequential decisions may find that the products or services they’ve created or are using are now regulated. Moreover, developers of AI have fewer obligations tied to risk assessments and disparate impact but may have lost key contractual liability provisions that have helped shield them from discrimination litigation. Either way, as is typically the case in the fast-moving privacy, security, and AI legal environment, the playing field has changed again, and organizations need to take stock and develop a plan for compliance and risk mitigation around their use of ADMT.