Colorado Enacts Comprehensive AI Law: Key Insights for Businesses

New Colorado Law Sets Precedent for AI Consumer Protections

On May 17, 2024, Colorado Gov. Jared Polis signed Senate Bill 24-205, “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems,” into law. The law, which becomes effective in February 2026, regulates creators of AI systems that do business in Colorado (Developers) and users of most AI technologies that impact Colorado consumers (Deployers). The law broadly defines the “high risk” AI systems that are subject to its regulation: apart from several narrow exceptions (such as systems that perform a narrow procedural task or certain enumerated technologies like cybersecurity applications or AI-enabled video games), the law will regulate “any artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a consequential decision.” 

“Consequential decisions” are those that have “a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of “health care services, financial or lending services, educational opportunities, employment matters, essential government services, housing, insurance or legal services. 

If your business operates within one of these contexts in which “consequential decisions” are made regarding consumers—e.g., health care, financial services, education, or insurance, among others—and you plan on using AI potentially impacting Colorado residents, Colorado’s Senate Bill 24-205 deserves your close attention. Even if you are sure that your use of AI in one or more of the contexts above is not going to make decisions affecting Colorado residents, Colorado’s law still deserves your attention because it will drive the conversation and perhaps serve as the blueprint for similar laws on the horizon. 

In fact, on the same day he signed the bill, Gov. Polis noted to Colorado’s General Assembly that he did so “with reservations” and that by signing the bill he “hope[s] that it furthers the conversation, especially at the national level.”

Under the newly signed bill, Deployers—those who use AI in a way that affects Colorado consumers in the manner and context discussed above—will have significant obligations that are good to keep in mind even this far in advance of the law’s effective date. The governing principle underpinning the law is preventing algorithmic discrimination. To this end, Deployers will be required to “exercise reasonable care to protect individuals from known or foreseeable risks” of such discrimination. This requires affirmative measures such as reviewing AI usage and conducting annual impact assessments; creating and abiding by an AI risk management policy; identifying and documenting risks of such discrimination; notifying consumers that an AI system has been deployed with detail regarding the system’s purposes, risks, and types of information processed; permitting consumers to opt out of the AI system; and notifying the Attorney General of any such discrimination within 90 days of discovering it. 

Developers have similarly broad obligations with regard to exercising reasonable care to protect individuals from known or foreseeable risks of algorithmic discrimination in the course of a product’s intended use. These obligations include disclosures regarding the types of AI systems that they have developed and any known or reasonably foreseeable risks of discrimination associated with such products. The law will also require Developers to extensively document assessments of the system’s data, purpose, intended benefits, governance and mitigation, limitations, and other such information that will facilitate Deployers’ assessments of their use of the system. 

Although it is unknown whether Senate Bill 24-205 will take effect in its current form, the law will certainly drive the national conversation regarding future AI governance. Businesses implementing, or planning on implementing, AI to drive “consequential decisions” such as those impacting consumers in the health care, financial, educational, or employment context, would do well to take a closer look at Senate Bill 24-205 with the goal of establishing a foundation to operationalize its requirements in the near future.

For more information on how state, federal and international AI and privacy laws may impact your business, contact your Varnum attorney.

Foreign Investment in REITs Subject to New IRS Regulations

IRS Finalizes Regulations Impacting Foreign Investment in D-REITs

The IRS recently finalized regulations (TD 9992) that stand to significantly affect foreign investment in real estate investment trusts (REITs) structured to qualify as “domestically-controlled” REITs (D-REITs). D-REITs have long been a popular investment vehicle for foreign persons due to various tax benefits. Namely, certain foreign persons can avoid filing a U.S. tax return or paying capital gains taxes under FIRPTA rules when selling stock in a D-REIT.

To qualify as a D-REIT, a majority of a REIT’s stock must be held (directly or indirectly) by U.S. persons (including business entities). Prior to the new IRS regulations, foreign investors did not affect the calculation of the D-REIT qualification threshold if such foreign investment was made through a U.S. C-corporation that owned stock in the D-REIT. IRS guidance from 2009 held that C-corporations will be treated as domestic holders of REIT stock for purposes of D-REIT qualification (PLR 200923001).

With exceptions, the new regulations generally allow the IRS to “look through” U.S. C-corporations and determine whether the corporations’ shareholders are foreign persons. If more than 50% of a U.S. C-corporation’s shareholders are foreign persons, the C-corporation will not qualify as a U.S. person for purposes of D-REIT qualification.  Accordingly, many REITS that have relied on the previous guidance may stand to lose D-REIT status under the new IRS regulations.

Luckily for foreign D-REIT investors, the new regulations provide a 10-year transition period for existing D-REITs to come into compliance. Provided such existing D-REITs do not trigger an early expiration of the transition period through certain new acquisitions, new foreign investment, or other pitfalls provided in the new regulations, U.S. C-corporations will continue to be treated as U.S. persons, despite a majority interest being held by foreign shareholders, until 2034.

Varnum’s Tax and Real Estate teams are available to assist and answer any questions about the new IRS regulations.

Get Ready But Wait: Lawsuit Filed to Block New U.S. DOL Salary Regulation

Lawsuit Filed to Block DOL's New Minimum Salary Rule

Update July 1, 2024: The Department of Labor’s new salary threshold for most white-collar exemptions is now in effect, please contact your Varnum attorney for guidance.

Employers should take note of a recent lawsuit filed to block the implementation of the U.S. Department of Labor’s (DOL) new final rule to increase minimum salary levels required to satisfy exempt status for many employees. This action is similar to an effort launched against the DOL in 2016, which resulted in a nationwide injunction preventing a proposed increase to minimum salary levels.

The lawsuit, Plano Chamber of Commerce v. U.S. Department of Labor, was filed in the Eastern District of Texas on May 23, 2024. It seeks an injunction against the DOL rule and raises similar arguments to those that were successfully asserted in the 2016 lawsuit.

The current final rule was announced in April 2024 and is scheduled to go into effect July 1, 2024, as we covered in a previous alert. It remains to be seen how the court will rule in this present legal challenge. For now, employers should continue to prepare to implement any changes that may be necessary to comply with the rule in case it goes into effect as scheduled. However, employers may wish to monitor developments for a few more weeks before the July 1, 2024, effective date prior to implementing such changes in case an injunction is issued. If you have further questions about the above legal developments, please contact a member of the Labor and Employment Team.  

NCAA Settlement Agreement Allows Schools to Pay Students-Athletes Directly

NCAA Settlement Would Allow Direct Payments to Student-Athletes

The NCAA and the Power Five conferences entered into a settlement agreement (the Settlement) last week in an effort to resolve pending antitrust litigation. The Settlement requires the NCAA and the Power Five conferences to pay almost $2.8 billion over the next 10 years to current and former student-athletes who were prohibited from receiving any revenue from endorsement and sponsorship deals.

Although the exact terms of the Settlement have not been disclosed, the Settlement also establishes a framework for the Power Five conferences to share revenue directly with their student-athletes. Under the proposed framework, the NCAA would allow schools to commit up to $21 million each year to pay student-athletes; however, the cap could rise as revenues continue to increase. Student-athletes across all sports would be eligible for these payments, and schools may decide how to divide the money between teams and athletes. Instead of having scholarship limits on each sport, there would now be roster restrictions. The Settlement must first be approved by a federal judge before it may go into effect, but if approved, schools would be permitted to pay student-athletes directly, a practice the NCAA has strictly prohibited since its inception.

The Settlement aims to resolve a class action lawsuit that was set to go to trial this January. The class-action was brought by former and current student-athletes who allege the NCAA and the Power Five conferences improperly barred student-athletes from earning compensation. The Settlement is also expected to cover two other antitrust cases currently facing the NCAA in the Northern District of California.

Importantly, the Settlement does not resolve all outstanding disputes with the NCAA. Many aspects of the relationship between the NCAA and student-athletes remain unsettled. There are other antitrust lawsuits pending against the NCAA which the Settlement is not expected cover, including the lawsuit filed by the Tennessee and Virginia attorneys general. Furthermore, the Settlement does not resolve the lawsuit which alleges that an athlete is considered an employee of the school. If student-athletes are classified as employees, they could be entitled to a minimum wage, unionization, and other employment-related rights.

The proposed Settlement also leaves many questions unanswered. It is unknown how Title IX will impact the new compensation scheme outlined in the Settlement. It is also unclear where the booster-run NIL collectives will fit within the new compensation scheme, or if the universities will seek to bring all NIL activities in-house. While uniform federal legislation governing college sports and NIL would help to clarify these issues, there are currently no efforts in Congress to enact such legislation.

The landscape of college athletics continues to evolve rapidly. Interested parties should contact Varnum’s NIL Practice Team to ensure they are in compliance with applicable (and often changing) NCAA, state, and institutional regulations.

2024 summer associate Maria Gedris contributed to this advisory. Maria is currently a student at Wayne State University Law School.

Regulated Facilities Required to Report PFAS Chemicals Under New EPA Rules

EPA Adds Seven New PFAS Chemicals to Toxics Release Inventory

The U.S. Environmental Protection Agency (EPA) has finalized regulations adding seven per- and polyfluoroalkyl substances (PFAS) to the Toxics Release Inventory (TRI) program under the Emergency under Section 313 of the Emergency Planning and Community Right-to-Know Act (EPCRA).

The seven PFAS chemicals include:

  • Perfluorohexanoic acid (PFHxA)
  • Perfluoropropanoic acid (PFPrA)
  • Sodium perfluorohexanoate
  • Ammonium perfluorohexanoate, 1,1,1-Trifluoro-N-[(trifluoromethyl)sulfonyl] methanesulfonamide (TFSI)
  • Lithium bis[(trifluoromethyl)sulfonyl] azanide, and
  • Betaines, dimethyl(.gamma.-.omega.-perfluoro-.gamma.-hydro-C8-18-alkyl).

Facilities that manufacture, process or otherwise use any of these PFAS chemicals above the 100-pound annual threshold must report releases for the 2024 reporting year (along with other chemicals subject to TRI reporting requirements). While TRI reports for the 2024 reporting year are not due until July 1, 2025, regulated facilities should be keeping track of PFAS chemicals now for future reporting.

It should also be noted that pursuant to EPA regulations entitled “Changes to Reporting Requirements for Per- and Polyfluoroalkyl Substances” the PFAS chemicals added to the TRI inventory are designated as “chemicals of special concern.” Chemical of special concern are specifically excluded from utilizing the de minimis exemption, which allows facilities to forego reporting for negligible amounts of chemicals present in mixtures when present at concentrations below 1% (or 0.1% for carcinogens). As a result, regulated facilities utilizing PFAS will be required to track and report very small quantities of PFAS that might be present in products or materials that they manufacture, process or otherwise use.

Varnum has experience assisting clients in complying with TRI reporting requirements. For more information, please contact Varnum lead environmental attorney Matt Eugster or another member of the Environmental Team.

Stark Compliance: Lease Sharing Arrangements for Providers of Designated Health Services

Ensure Stark Law Compliance in Physician Co-Working Arrangements

As co-working spaces and lease sharing arrangements have become increasingly popular, physicians may require assistance on how to implement such arrangements. Physicians contemplating a proposed arrangement must ensure that it does not run afoul of applicable health care laws. Notably federal Stark Law (Stark) generally prohibits a physician from referring Medicare or Medicaid patients for designated health services (DHS) to an entity that either the physician, or an immediate family member of such physician, has a “financial relationship” with. DHS includes services such as clinical laboratory services, physical therapy services, and inpatient/outpatient hospital services.

Stark not only prohibits such referrals for DHS, but it also prohibits an entity from billing for DHS if DHS was furnished pursuant to a prohibited referral under Stark. However, there are several regulatory exceptions. In the context of a physician involved in a lease sharing arrangement, there are three relevant exceptions that may permit such an arrangement. Please note that these exceptions contain additional nuances that should be discussed with a Varnum health care attorney.

    1. Rental of Office Space Exception

    This exception provides that certain arrangements satisfying statutory requirements are permitted as they do not qualify as a “financial relationship.” By way of example, some of the requirements include that the lease arrangement be set out in writing, signed by the parties, and specify the premises it covers. Additionally, the duration of the lease arrangement must be at least one year. The rental charges over the term of the lease arrangement must also not be determined: (I) in any manner that takes into account the volume or value or referrals or other business generated between the parties, or (II) using a formula based on certain statutorily prohibited factors. See 42 U.S.C. § 1395nn and 42 C.F.R. § 411.357 for a comprehensive list of the requirements for this first exception.

    In analyzing whether this exception may apply, the requirement that there be a lease arrangement with a term of one-year or greater may pose potential difficulties. In many co-working arrangements, there may be a desire to limit the lease to less than one year, or on an “as-needed” basis. Accordingly, it must be analyzed whether a proposed co-working/lease sharing arrangement may fall under the protection of the “Rental of Office Space Exception.”

    2. Timeshare Arrangements Exception

    This exception provides another potential avenue for certain arrangements satisfying the statutory requirements to fall outside of the general rule outlined above. For instance, an arrangement may fall under this exception if the arrangement is between a physician (or the physician organization in whose shoes the physician stands) and (I) a hospital or (II) physician organization of which the physician is not an owner, employee, or contractor. Additionally, the premises, equipment, personnel, items, supplies, and services covered by the arrangement must be used (I) predominantly for the provision of evaluation and management services to patients and (II) on the same schedule. See 42 C.F.R. § 411.357 for a comprehensive list of the requirements for this second exception.

    Although these are a mere sampling of the requirements that must be met to fall under the Timeshare Arrangements Exception, they represent potential roadblocks for health care providers seeking to rely on this exception. First, the exception only applies to hospitals and physician groups. Additionally, the exception requires that the space be used predominantly for evaluation and management services on the same schedule, rather than DHS. Again, it is recommended you contact a Varnum health care attorney to determine if this second exception may apply.

    3. FMV Compensation Exception

    The third exception was announced in November 2020, when the Centers for Medicare and Medicaid Services (CMS) issued a new final rule, in part, removing the FMV exception’s exclusion of office rental space. An arrangement may qualify under this exception, for instance, if it is in writing, signed by the parties, and covers only identifiable items, services, office space, or equipment. The writing must specify: (I) the items, services, office space, or equipment covered under the arrangement; (II) the compensation that will be provided under the arrangement; and (III) the timeframe for the arrangement.

    Additionally, this third exception permits an arrangement to be for any period of time and contain a termination clause; however, an arrangement may be renewed any number of times so long as the terms of the arrangement and the compensation for the same items, services, office space, or equipment do not change. The third exception may offer greater flexibility, as there is no “exclusive use” requirement, or a one-year term requirement. However, while an arrangement may be for any period of time, parties are generally prohibited from entering into more than one arrangement for the same items, services, office space, or equipment during the course of a year (unless it falls within a statutory exception).

    See 42 C.F.R. § 411.357 for a comprehensive list of the requirements for this third exception. The specific facts of a proposed arrangement must be analyzed to determine whether this third exception may apply.

    To ensure compliance with Stark and other applicable healthcare laws, and to determine whether an exception applies, physicians providing DHS who enter a lease sharing/co-working arrangement are encouraged to contact a member of Varnum’s health care practice team.

    Be Aware and Be Prepared: Data Privacy and Employee Benefits

    Essential Privacy Considerations for Employee Benefits

    Data privacy concerns continue to grow. For many businesses, employee benefits are a major source of sensitive data subject to growing risks. Here are some key privacy considerations from an employee benefits perspective.

    Do you know where data is coming from and going to?

    Knowing what benefits data your business has is a critical first step. Benefits information often includes names, personal contact information, beneficiary designations, Social Security Numbers, banking information, and information about spouses and dependents. This is why benefits information creates so many risks for businesses and opportunities for bad actors. Once you know what data you have, knowing who sends, receives, and accesses that data is critical to compliance and risk reduction.

    Is there a plan in place to determine if a breach has occurred and how to respond?

    Breaches happen increasingly often. Planning and having a process to follow is an essential part of a proper response. This includes processes to determine if a potential breach has occurred, and processes for responding to breach notifications from service providers.

    Do you obtain appropriate information to access your risks?

    The type and amount of data used by service providers will determine how carefully and frequently you should review their policies, procedures, and any past problems. This information can help you determine your risk and risk mitigation.

    Are necessary agreements in place with service providers?

    Privacy provisions should be added to service provider agreements. This language needs to be up-to-date and maintained for compliance purposes. Whether it is a Business Associate Agreement for HIPAA or a data privacy addendum for broader privacy compliance of language in the primary agreement, this language will be the starting point for setting expectations, assessing liability, and documenting compliance.

    Is your privacy policy consistent?

    It is important that the privacy policy you have provided to employees remains consistent with the actions you and your service providers take with employee benefits data. It is also important to ensure these privacy policies are in compliance with the applicable and regularly changing data privacy laws.

    Do you know what laws, standards, and contractual obligations apply?

    A wide array of state and federal laws provide privacy rules. Understanding which laws apply and what data they apply to is an important first step. For instance, the Department of Labor has shown an increasing focus on data privacy under ERISA, especially regarding ERISA’s fiduciary duties and personal liability.  

    Is your documentation sufficient?

    Beyond agreements, your documentation should be sufficient to record compliance if there is an audit or investigation, provide instructions if there are concerns about a data privacy incident, and reduce liability through insurance coverage and other protection.

    Does insurance cover your risks?

    Breaches and penalties are often excluded from general insurance coverage. Even when you have a rider or policy specific to data privacy, there can be exclusions if you do not have sufficient processes and procedures in place. Work with trusted advisors to ensure you have the insurance coverage you want and expect, and on how to ensure that its coverage will apply to your circumstances.

    Do you offer privacy benefits?

    Providing data monitoring, alerts and similar services can be offered as a benefit in many circumstances. However, to maximize the benefit to employees, the benefit must follow several rules, which can differ depending on the specifics of your business.

    It is never too early to address data privacy for employee benefits or otherwise. This advisory provides only a summary of some of the biggest aspects of privacy for benefits. If you have questions or need assistance, contact a member of our Employee Benefits and Executive Compensation or Data Privacy and Cybersecurity Teams.

    New Title IX Rule Offers Schools Flexibility and Discretion in Compliance

    Title IX Final Rule Provides Flexibility for Schools

    On April 19, 2024, after reviewing and responding to over 230,000 public comments, the Department of Education released its 1,577-page Final Rule under Title IX, which prohibits discrimination on the basis of sex in federally funded education. The Final Rule, originally proposed by the Biden Administration in June 2022, is expected to be published in the Federal Register in May 2024 and demands compliance by August 1, 2024, or risk losing federal funding. The Final Rule is notable in that it provides schools and institutions greater flexibility to tailor decisions based on distinctions in school size, the unique populations of students, and specific organizational dynamics.

    Among the 2024 Final Rule’s key provisions are the following:

    • Scope of Sex Discrimination and Sex-Based Harassment: The Final Rule clarified the scope of sex discrimination and sex-based harassment, providing that sex discrimination and sex-based harassment include discrimination and harassment based on sex stereotypes, sex characteristics, pregnancy or related conditions, sexual orientation, and gender identity.
    • Sex Separation and Different Treatment: The Final Rule prohibits separation or different treatment based on sex if it causes more than de minimis harm, providing that preventing an individual from participation in an educational program or activity consistent with that individual’s gender identity constitutes more than de minimis harm.  
    • Accommodations for Breastfeeding: The Final Rule requires that modifications and accommodations be given to breastfeeding students and employees, such as providing reasonable break times for lactation for employees and lactation space for students and employees.  
    • Protection for Pregnancy or Related Conditions: The Final Rule protects students and employees from discrimination based on medical conditions related to, or who are recovering from, pregnancy, childbirth, termination of pregnancy, and lactation.
    • Informal Resolution Process: The Final Rule permits complaints of sex discrimination to be adjudicated via an informal resolution process. Notably, participation in any informal resolution process cannot be mandatory.  

    Since the release of the Final Rule, 15 states have filed lawsuits against the Department of Education, arguing that the Department acted unconstitutionally in releasing the Final Rule.  

    The Department of Education’s proposed rule related to athletics, proposed in April 2023, is still under consideration, pending review of over 150,000 public comments.

    Leaders at educational institutions are encouraged to consult with legal counsel to discuss their paths to compliance with the Final Rule, including possible revisions to Title IX policies and procedures and training for employees. Varnum’s Higher Education practice team stands ready to assist with any questions or concerns about the New Rule and the application.