u/inameandy

Colorado AI Act enforcement is 10 weeks away. What does the rebuttable presumption defense actually require?

SB 24-205 enforcement starts June 30, 2026. Most of the conversation focuses on the $20k per consumer penalty but the more interesting part of the statute is the rebuttable presumption defense under Sec. 6-1-1706.

If you can demonstrate reasonable care, the burden shifts to the AG to prove you weren't compliant. That's a meaningful legal shield. But "reasonable care" isn't vague. The statute requires specific things to be in place before an incident:

Risk assessments documenting how your AI system could produce discriminatory outcomes across the protected classes listed in the statute (which includes reproductive health and limited proficiency in English, not just the usual federal list).

Consumer notices disclosing that AI is being used in consequential decisions.

AI system inventory with documented ownership.

Ongoing monitoring, not point-in-time documentation.

The key word is "before." Retroactive documentation doesn't satisfy the rebuttable presumption. If the AG comes asking and your evidence was assembled after the fact, the defense fails.

Curious what others are seeing. Are companies actively building toward the rebuttable presumption requirements or still treating June 30 as theoretical?

Free exposure audit at aguardic.com/colorado-ai-act-audit if anyone wants to scope where they stand. 10 questions, PDF with statute citations.

u/inameandy — 3 days ago
▲ 3 r/gdpr

EU AI Act obligations land August 2026. How are GDPR teams handling the overlap?

For anyone managing both GDPR and EU AI Act compliance, the classification question keeps coming up: which AI Act obligations actually apply to your system, and how do they interact with your existing GDPR program?

The biggest confusion I'm seeing is around the provider vs deployer distinction. Most companies using third-party AI models assume they're deployers with lighter obligations. In practice, embedding an LLM into your product often makes you a provider under the Act with much heavier requirements (Articles 9-17 vs Article 26).

We built a free tool that runs through the full classification logic: prohibited practices under Article 5, Annex III high-risk check, Article 6(3) exemption analysis, and GPAI provider detection. Outputs a PDF with the specific articles applying to your system and penalty exposure.

aguardic.com/compliance/eu-ai-act/roadmap

No signup, no email gate. Built it because the classification step is where most teams get stuck before they can even start mapping obligations to their existing GDPR controls.

Would value input from anyone navigating both frameworks simultaneously.

u/inameandy — 7 days ago

Built a free EU AI Act compliance roadmap tool (article-by-article requirements mapped to controls)

EU AI Act compliance deadlines are landing fast. Article 5 prohibitions have been in effect since February 2025. GPAI provider obligations since August 2025. High-risk systems under Annex III and Article 50 transparency obligations both kick in August 2, 2026.

Built a free classification tool that walks through the full decision tree: Article 5 prohibited practices → Annex III high-risk domains → Article 6(3) exemption check → GPAI provider detection. Outputs a PDF roadmap with the specific articles that apply (Articles 9-17 for high-risk providers, Article 26 for deployers, Article 50 transparency triggers, Articles 53-55 for GPAI providers), penalty exposure under Article 99 or 101 depending on classification, and the August 2026 deadline anchored to your specific risk tier.

aguardic.com/compliance/eu-ai-act/roadmap

Built it because every EU AI Act resource is either a 4,000-word "what is the EU AI Act" explainer or a generic checklist that doesn't tell you which obligations actually apply to your system. The classification logic is the hard part, and most resources skip it.

No signup for the classification, no email gate for the PDF download. Built as part of aguardic.com.

Would value feedback from anyone working through EU AI Act compliance — especially on the Article 6(3) exemption logic and the GPAI provider vs deployer distinction. Got both wrong twice before they worked.

u/inameandy — 8 days ago