The Consumer Technology Association is dismissing the Colorado AI Sunshine Act -- a proposal to replace the state’s first-in-the-nation AI law -- as unworkable while an “extraordinary session” gets underway to amend the policy amid broader budget issues.
“We appreciate your ongoing efforts to fix issues with the Colorado AI Act, but the Colorado AI Sunshine Act as currently drafted is not a workable solution,” CTA’s leadership wrote in an Aug. 20 letter to Colorado Senate Majority Leader Robert Rodriguez (D). “We strongly urge you to pass legislation in the upcoming special session that will delay the implementation of the Colorado AI Act until at least 2027.”
Rodriguez’s sunshine bill, to “increase transparency for algorithmic systems,” was listed by the General Assembly among those expected to be considered “during the first extraordinary session of the 75th General Assembly convening on Aug 21, 2025.”
Colorado Gov. Jared Polis (D) called the special session following pressure from tech industry groups and asked for reconsideration of the Colorado AI Act -- which he signed into law despite reservations -- while citing a need to rejigger the state’s budget following enactment of federal tax-and-spending legislation.
Rodriguez is also the primary author of the Colorado AI Act which is currently set to take effect on Feb. 26 and would require developers and deployers of artificial intelligence systems making certain “consequential” decisions to respectively disclose information about how their models are trained and assess them for discrimination risks. AI deployers would also be responsible for disclosing information to users about how their data is being used in the decision making and provide an opportunity for them to correct errors.
The legislation, which includes exemptions for decisions where there is “sufficient human review” and provisions allowing for an “affirmative defense” from liability based on testing against frameworks such as the National Institute of Standards and Technology’s AI risk management framework, received high-profile support from Workday.
The human resources company, which is being sued for discrimination in conjunction with its AI-enabled recruitment software, has been active in promoting similar bills in legislatures across the country.
But while acknowledging concerns about potential loopholes and liability shields, consumer advocates have pushed for the Colorado law to be implemented without delay, particularly in the context of efforts to pass a federal moratorium against states enforcing AI-related regulations.
Those consumer advocates said the legislation would bring much needed transparency to the use of AI in crucial decisions including whether an individual is selected for a job interview, qualifies for insurance or is approved for a loan. Currently, AI deployers are not even required to disclose their use of AI in those situations, they said.
Another, bipartisan proposal would only require companies to disclose if their users are interacting with AI systems and their developers’ identities, according to Denver-based Austin Chambers, a partner at the law firm Dorsey and Whitney.
Rodriguez’s new proposal would “limit the risk assessments” of his initial legislation and “focus instead on disclosure/transparency obligations relating to those systems,” Chambers said.
CTA notes its problems with the legislation are not fully detailed in the letter but takes particular issue with provisions requiring related companies to, “as soon as practicable, and no later than thirty days” after deploying a decision-making AI system, provide their users with a host of information on how its outcomes are reached.
Among much else, they would have to “provide an affected individual, in plain language and consistent with any form and manner prescribed by the attorney general, with … a list of the twenty personal characteristics of the individual that most substantially influenced the output of the algorithmic decision system or, if the algorithmic decision system's output was influenced by fewer than twenty personal characteristics, a list of all personal characteristics that influenced the output.”
“Many of the requirements contained in the ‘individual right to access and correct data used by an algorithmic decision system’ would very likely be infeasible to comply with,” reads the letter signed by CTA president Kinsey Fabrizio and CEO Gary Shapiro. “Other aspects of the bill, including the requirement to disclose ‘the 20 twenty personal characteristics’ that most influenced a decision, are also likely not technologically feasible.”
The Colorado AI Sunshine Act would maintain the Feb. 26 effective date and make developers and deployers jointly liable for violations -- unless the violation is a result of the deployer’s “misuse” -- under the Colorado Consumer Protection Act’s provisions against unfair or deceptive acts or practices. Although the legislation clarifies it does not provide a private right of action and can only be enforced by the state’s attorney general who is authorized to write the related rules.
Rodriguez’s new proposal would also narrow the scope of the original bill “to focus primarily on a new class of ‘algorithmic decision systems,’” Chambers said, clarifying that it would not apply to systems like those related to junk mail filters or cybersecurity, and addressing an industry complaint facing the current law.
The CTA letter threatened to lower Colorado’s rating under the organization’s scorecard ranking states based on how “friendly to innovation” they are.
“CTA appreciates that the Colorado Sunshine Act would remove problematic impact assessment requirements from the Colorado AI Act. We also appreciate that there is no new private right of action and enforcement authority is delegated to the Attorney General in the draft text. But other aspects of the bill present serious compliance issues,” it reads. “Now is the time to ensure Colorado companies, and companies considering bringing business to Colorado, have a predictable and reasonable regulatory environment.”
Colorado’s constitution doesn’t specify any length for the special session and there is no required end date, Chambers told Inside AI Policy, but they are reportedly quite short and last a minimum of three days.