(1) Nothing
in this part 17 restricts a developer's, a deployer's, or other person's ability to:
(a) Comply with federal, state, or municipal laws, ordinances, or regulations;
(b) Comply with a civil, criminal, or regulatory inquiry, investigation,
subpoena, or summons by a federal, a state, a municipal, or other governmental
authority;
(c) Cooperate with a law enforcement agency concerning conduct or activity
that the developer, deployer, or other person reasonably and in good faith believes
may violate federal, state, or municipal laws, ordinances, or regulations;
(d) Investigate, establish, exercise, prepare for, or defend legal claims;
(e) Take immediate steps to protect an interest that is essential for the life or
physical safety of a consumer or another individual;
(f) By any means other than the use of facial recognition technology,
prevent, detect, protect against, or respond to security incidents, identity theft,
fraud, harassment, malicious or deceptive activities, or illegal activity; investigate,
report, or prosecute the persons responsible for any such action; or preserve the
integrity or security of systems;
(g) Engage in public or peer-reviewed scientific or statistical research in the
public interest that adheres to all other applicable ethics and privacy laws and is
conducted in accordance with 45 CFR 46, as amended, or relevant requirements
established by the federal food and drug administration;
(h) Conduct research, testing, and development activities regarding an
artificial intelligence system or model, other than testing conducted under real-world conditions, before the artificial intelligence system or model is placed on the
market, deployed, or put into service, as applicable; or
(i) Assist another developer, deployer, or other person with any of the
obligations imposed under this part 17.
(2) The obligations imposed on developers, deployers, or other persons under
this part 17 do not restrict a developer's, a deployer's, or other person's ability to:
(a) Effectuate a product recall; or
(b) Identify and repair technical errors that impair existing or intended
functionality.
(3) The obligations imposed on developers, deployers, or other persons
under this part 17 do not apply where compliance with this part 17 by the developer,
deployer, or other person would violate an evidentiary privilege under the laws of
this state.
(4) Nothing in this part 17 imposes any obligation on a developer, a deployer,
or other person that adversely affects the rights or freedoms of a person, including
the rights of a person to freedom of speech or freedom of the press that are
guaranteed in:
(a) The first amendment to the United States constitution; or
(b) Section 10 of article II of the state constitution.
(5) Nothing in this part 17 applies to a developer, a deployer, or other person:
(a) Insofar as the developer, deployer, or other person develops, deploys,
puts into service, or intentionally and substantially modifies, as applicable, a high-risk artificial intelligence system:
(I) That has been approved, authorized, certified, cleared, developed, or
granted by a federal agency, such as the federal food and drug administration or
the federal aviation administration, acting within the scope of the federal agency's
authority, or by a regulated entity subject to the supervision and regulation of the
federal housing finance agency; or
(II) In compliance with standards established by a federal agency, including
standards established by the federal office of the national coordinator for health
information technology, or by a regulated entity subject to the supervision and
regulation of the federal housing finance agency, if the standards are substantially
equivalent or more stringent than the requirements of this part 17;
(b) Conducting research to support an application for approval or
certification from a federal agency, including the federal aviation administration,
the federal communications commission, or the federal food and drug
administration or research to support an application otherwise subject to review by
the federal agency;
(c) Performing work under, or in connection with, a contract with the United
States department of commerce, the United States department of defense, or the
national aeronautics and space administration, unless the developer, deployer, or
other person is performing the work on a high-risk artificial intelligence system that
is used to make, or is a substantial factor in making, a decision concerning
employment or housing; or
(d) That is a covered entity within the meaning of the federal Health
Insurance Portability and Accountability Act of 1996, 42 U.S.C. secs. 1320d to
1320d-9, and the regulations promulgated under the federal act, as both may be
amended from time to time, and is providing health-care recommendations that:
(I) Are generated by an artificial intelligence system;
(II) Require a health-care provider to take action to implement the
recommendations; and
(III) Are not considered to be high risk.
(6) Nothing in this part 17 applies to any artificial intelligence system that is
acquired by or for the federal government or any federal agency or department,
including the United States department of commerce, the United States
department of defense, or the national aeronautics and space administration,
unless the artificial intelligence system is a high-risk artificial intelligence system
that is used to make, or is a substantial factor in making, a decision concerning
employment or housing.
(7) An insurer, as defined in section 10-1-102 (13), a fraternal benefit society,
as described in section 10-14-102, or a developer of an artificial intelligence system
used by an insurer is in full compliance with this part 17 if the insurer, the fraternal
benefit society, or the developer is subject to the requirements of section 10-3-1104.9 and any rules adopted by the commissioner of insurance pursuant to section
10-3-1104.9.
(8) (a) A bank, out-of-state bank, credit union chartered by the state of
Colorado, federal credit union, out-of-state credit union, or any affiliate or
subsidiary thereof, is in full compliance with this part 17 if the bank, out-of-state
bank, credit union chartered by the state of Colorado, federal credit union, out-of-state credit union, or affiliate or subsidiary is subject to examination by a state or
federal prudential regulator under any published guidance or regulations that apply
to the use of high-risk artificial intelligence systems and the guidance or
regulations:
(I) Impose requirements that are substantially equivalent to or more
stringent than the requirements imposed in this part 17; and
(II) At a minimum, require the bank, out-of-state bank, credit union chartered
by the state of Colorado, federal credit union, out-of-state credit union, or affiliate
or subsidiary to:
(A) Regularly audit the bank's, out-of-state bank's, credit union chartered by
the state of Colorado's, federal credit union's, out-of-state credit union's, or
affiliate's or subsidiary's use of high-risk artificial intelligence systems for
compliance with state and federal anti-discrimination laws and regulations
applicable to the bank, out-of-state bank, credit union chartered by the state of
Colorado, federal credit union, out-of-state credit union, or affiliate or subsidiary;
and
(B) Mitigate any algorithmic discrimination caused by the use of a high-risk
artificial intelligence system or any risk of algorithmic discrimination that is
reasonably foreseeable as a result of the use of a high-risk artificial intelligence
system.
(b) As used in this subsection (8):
(I) Affiliate has the meaning set forth in section 11-101-401 (3.5).
(II) Bank has the meaning set forth in section 11-101-401 (5).
(III) Credit union has the meaning set forth in section 11-30-101 (1)(a).
(IV) Out-of-state bank has the meaning set forth in section 11-101-401 (50).
(9) If a developer, a deployer, or other person engages in an action pursuant
to an exemption set forth in this section, the developer, deployer, or other person
bears the burden of demonstrating that the action qualifies for the exemption.