Colorado and Virginia Legislators Discuss Approaches to AI

On Wednesday, the Future of Privacy Forum hosted its “DC Privacy Forum: AI Forward,” convening thought leaders, industry experts, and policymakers to explore the importance of data privacy in the age of artificial intelligence. In a panel discussion titled “AI Legislation: States to the Rescue,” FPF deputy director of US legislation Tatiana Rice spoke with Colorado Senate Majority Leader Robert Rodriguez (D-32) and Virginia Delegate Michelle Maldonado (D-20) about regulating AI at the state level.

The Colorado AI Act was signed into law by Governor Jared Polis on May 17, 2024, and is the first comprehensive state legislation for governing risky AI systems and applications. Speaking about the success of passing the Colorado AI Act, Sen. Rodriguez emphasized the importance of fostering trust and bringing diverse stakeholders together through inclusive task forces and working groups, “listening to stakeholders and trying to comply with as much as possible." He also noted that the main goal of the Colorado law is to create a foundational policy based on “disclosure, accountability, reporting, and assessments,” which can be built upon iteratively through citizen and industry feedback.

Sen. Rodriguez also spoke to the importance of public consultation in shaping specific provisions of the Colorado AI Act. For instance, during the development of the law, he spoke with smaller "mom-and-pop" AI companies to understand their perspectives. These companies raised concerns that while not consumer-facing themselves, their AI tools could still get caught up in the regulations if used by other businesses to develop products that cause harm. Sen. Rodriguez mentioned that the task force is considering such feedback on what is considered “high risk” from industry and civil society to “filter out and narrow down the definitions to clean it up.” He also mentioned that the Colorado Attorney General will be undertaking “risk assessments and the reporting requirements, which will probably happen next year because he has to go through the budget process to get funding.”

Virginia Del. Maldonado’s opening remarks focused on the importance of data privacy in the context of state-level AI legislation. Del. Maldonado emphasized that data privacy sits at the core of comprehensive AI regulation. In Virginia, this has meant pursuing legislation like HB 747, a algorithmic discrimination bill, which delineates responsibilities for developers versus deployers of AI systems and mandates impact assessments before launch and after major upgrades. Since Virginia’s state legislature is now adjourned, HB 747 will move to the next legislative session and is currently under committee.

However, Del. Maldonado noted the challenging pace of technological change, saying, "Technology moves at the speed of light," while "legislation moves at the speed of molasses."

Regarding the process of getting the bill in Virginia passed, Del. Maldonado credited state lawmakers with keeping political differences aside and working across party lines. “This is not political," she noted. "This is something that everybody really should care about.” Moreover, by gathering perspectives from academics and industry experts along with policymakers, it became clear that AI will impact multiple industries in interconnected ways. An overly narrow industry-specific approach won't suffice, she said. The goal was to find "common threads" that can apply consistently regardless of sector while also pushing back against vested interests seeking broad exemptions for their particular industry.

Both panelists were also asked about the role of global AI regulation, like the EU AI Act and GDPR, in shaping US state-level policies. Sen. Rodriguez noted that Colorado's AI Act employs a “risk-based approach” that was largely modeled on the EU’s AI Act. In Virginia, Del. Maldonado discussed the importance of seeking input from Portugal’s “dedicated asset to the EU handling the EU AI Act” to learn more about the “risk categories framework” in order to balance innovation and competitiveness with transparency, trustworthiness, and consumer protection. Regarding how the US should approach AI legislation, Del. Maldonado thinks it is worthwhile to look at “the pieces that work best for our nation and our people and our companies. And then folks who go outside our domestic borders can then kind of latch on and add the other pieces of compliance.”

Sen. Rodriguez and Del. Maldonado both highlighted the importance of bringing together diverse stakeholders – industry, civil society, academics, and policymakers across party lines – through inclusive collaboration and public input. Taking an iterative approach to policy development allows AI governance to keep up with the breakneck pace of technological change, they say. While AI moves at "the speed of light," focusing on core principles like data privacy protection and evaluating algorithmic impacts should help address harms across different AI applications and industries. And, looking to global models like the EU AI Act further aligns these efforts with emerging international norms.