Emerging AI Regulations: Preparing for the CO Act and VA Bill

According to an article by Wyrick Robbins Yates & Ponton, artificial intelligence regulation in the US is beginning to mirror the country’s fragmented privacy laws. With Colorado’s Consumer Protections in Interactions with Artificial Intelligence Systems Act (“CO Act”) and Virginia’s pending High-Risk Artificial Intelligence Developer and Deployer Act (“VA Bill”), businesses must prepare for a patchwork of AI regulations. These laws impose obligations on AI developers and deployers, particularly when AI systems influence significant consumer decisions.

Both laws establish requirements based on whether a business develops or deploys AI, with stricter provisions for “high-risk” systems that contribute to “consequential decisions” such as employment, financial services, healthcare, and housing. The CO Act applies broadly to AI development and high-risk AI deployment in Colorado, while the VA Bill focuses solely on high-risk AI systems in Virginia. Notably, Virginia’s law excludes government entities, though it expands the definition of consequential decisions to include parole and marital status determinations.

Businesses affected by these laws must comply with documentation requirements, public disclosures, and risk management mandates. Developers must document AI system data, disclose high-risk AI applications, and, in Colorado, report algorithmic discrimination incidents to the attorney general. Deployers must notify consumers when interacting with AI, explain adverse decisions, and establish risk management programs and impact assessments. While neither law allows private lawsuits, violations could result in substantial civil penalties.

With the CO Act effective in February 2026 and the VA Bill potentially following in July 2026, the article suggests businesses should proactively assess AI use cases, determine regulatory applicability, and implement compliance measures. Aligning with established frameworks and AI regulations like NIST AI RMF or ISO/IEC 42001 can facilitate readiness and mitigate enforcement risks.