AI Regulation

Colorado's Legislation to Prevent Discrimination in Insurance (SB21-169) - 10 Things You Need to Know

Authored By
Airlie Hilliard
,
Published on
August 4, 2023

Like in many other sectors, personal data and algorithms are increasingly being used by insurers in their underwriting, claims, and rating practices. Whilst these advances can bring benefits, concerns have been raised about the quality of information sources and the rationale for using algorithms, particularly because insurance practices are high-risk and minority groups could be especially vulnerable to discrimination.

Colorado's (SB21-169) Legislation Addressing Discrimination in Insurance Practices

Colorado revised its insurance legislation in July 2021 to reflect these concerns, with its General Assembly enacting legislation that restricts insurers’ use of ‘external consumer data’, prohibits data, algorithms, or predictive models from unfairly discriminating, and requires insurers to test their systems and demonstrate that they are not biased. The statutes, which is enabled by Senate Bill 21-169, is beginning to inform various aspects of Colorado’s insurance policy.  

In 2023, for example, the Colorado Division of Insurance (CDI) have begun the process of engaging with stakeholders to implement elements of the law into their life insurance regulations. The CDI’s aim is to create a cross-functional group within insurers to oversee external customer data and information sources (ECDIS) and AI model usage.

Here are 10 things you need to know about this the Colorado General Assembly’s SB21-169 legislation.

1. What practices are prohibited under the Colorado SB21-169 legislation?

Insurers are prohibited from unfair discrimination in insurance practices and the use of external customer data and information sources or algorithms and predictive models that unfairly discriminate.

2. What are the requirements?

Insurers are required to:

i) outline the type of external customer data and information sources used by their algorithms and predictive models;

ii) provide an explanation of how the external consumer data and information sources, and algorithms and predictive models are used;

iii) establish and maintain a risk management framework designed to determine whether the data or models unfairly discriminate;

iv) provide an assessment of the results of the risk management framework and ongoing monitoring; and

v) provide an attestation by one or more officers that the risk management framework has been implemented.

3. How does the legislation define an algorithm?

Under the coverage of the legislation, computational or machine learning process used to inform human decision-making in insurance practices.

4. How does the statute define a predictive model?

A process of using mathematical and computational methods that examine current or historical datasets for underlying patterns and calculate the probability of an outcome.

5. How does the SB21-169 legislation define external customer data and information sources?

A data or information source that complements an insurance practice or provides lifestyle indicators. Examples of sources include credit scores, social media habits, purchasing habits, home ownership, educational attainment, locations, occupations, licensures, civil judgements, and court records.

6. What does unfair discrimination mean?

Unfair discrimination occurs when external customer data and information sources or algorithms or predictive models correlate with protected characteristics (race, colour, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity or gender expression) and result in a disproportionately negative outcome for these groups that exceeds the reasonable correlation to the underlying insurance practice (in respect to losses and underwriting costs etc.).

7. Does additional data need to be collected?

Insurers are not required to collect data relating to race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.

8. What are the next steps?

The Colorado Division of Insurance has begun the process of establishing bespoke rules for specific types of insurance and insurance providers, starting with the life insurance sector. As of August 2023, the CDI has held multiple rounds of stakeholder meetings discussing how the law should inform their regulations on how life insurance companies use external consumer data and information sources. Liaison regarding the future of private passenger auto underwriting meanwhile began in June. Both areas are expected to undergo further revisions before they progress past the draft stage.

9. Are there any exemptions?

The SB21-169 legislation does not apply to title insurance, bonds executed by qualified surety companies, or insurers issuing commercial insurance policies. It does apply to insurers that issue business owners’ policies or commercial general liability policies if these policies have annual premiums of $10,000 or less.

10. When does this legislation come into effect?

It was originally stated that the new rules, which will be implemented on a sector-by-sector basis, would not come into effect until 1 January 2023 at the earliest. Deliberative stakeholder meetings began at the start of the year but, as yet, no new rules have come into effect. There is no forecast as to when exactly the rules will leave the draft stage, but further stakeholder meetings for both the life insurance and the private passenger auto underwriting domains are pencilled in for the coming months, as of August 2023.

Holistic AI can help your firm:

  • Establish a risk management framework for continuous monitoring of data, algorithms and predictive models
  • Examine models and data for bias (unfair discrimination), giving you a platform to revise any areas of concern.
  • Provide expert evidence for non-discriminatory practices

Speak with us to find out more about how we can support your journey towards compliance.

A look at the bigger picture

Despite, AI specific regulation on a federal level being nascent, firms in the US should heed with caution as a precedent for civil liability is slowly being built. Recent examples include an ongoing lawsuit against insurance company State Farm; where it is alleged that their automated claims processing has resulted in algorithmic bias against black homeowners.

More recently, the State of Michigan reached a $20 million USD settlement with Michigan residents wrongly accused of fraud by an automated system used by the state. State governments and agencies are not letting this go unnoticed. For example. in New York, the Department of Financial Services reserves the right to audit and examine an insurer’s underwriting criteria, programs, algorithms, and models, to ensure algorithms are not in breach of existing law and insurance regulations.

However, proposals from the federal level are also being seen. For example, the Algorithmic Accountability Act is a proposed federal law that would require companies to assess the impact of the automated systems they use and sell in terms of bias and effectiveness.

Shaping up to be the body with the most hunger to regulate AI in the US, Bloomberg has predicted that 2023 will be marked by a determined, and aggressive FTC. Backed by its three-for-three records in getting settlement orders against companies that were investigated for their use or development of algorithms through suspiciously acquired data, this prediction is likely to ring true.

Table of contents

Heading 2
Share this

Unlock the Future with AI Governance.

Get a demo

Get a demo

One platform for AI you can trust.
Holistic AI is an AI Governance platform that aims to empower enterprises to adopt and scale AI confidently.

Get a demo

Stay informed with the latest news & updates
Products

AI Governance Platform

Resources

Blog

Papers & Research

News

Events & Webinars

Red Teaming & Jailbreaking Audit

EU AI Act Risk Calculator

Privacy Policy

Terms & Conditions

© 2025 Holistic AI. All Rights Reserved