RatedWithAI

RatedWithAI

Accessibility scanner

Algorithmic DiscriminationJune 28, 2026

Colorado AI Insurance Discrimination Law: What Insurers and Insurtech Vendors Must Know

Colorado became the first state to specifically target algorithmic discrimination in insurance — before the federal government acted. If your AI-driven underwriting model operates in Colorado and you haven't audited it for disparate impact, you're already exposed.

First in the US
Colorado SB 21-169 was the first state law specifically regulating AI discrimination in insurance
Proxy Discrimination
Facially neutral AI variables that produce disparate racial outcomes are prohibited
Vendor Liability
Insurers must audit third-party insurtech AI — vendors must support compliance documentation

What Colorado SB 21-169 Actually Does

Colorado SB 21-169, signed into law in 2021 and implemented through Division of Insurance regulations, prohibits life insurers from using external consumer data and information sources — including credit scores, social media data, consumer behavior data, and AI and machine learning models — in ways that unfairly discriminate based on protected characteristics. The law covers race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression.

Critically, the law doesn't just ban the use of protected characteristics as direct inputs. It requires insurers to ensure that their external data sources and algorithms do not produce unfairly discriminatory outcomes — even when no protected characteristic is explicitly used. This is a disparate impact standard, not merely a disparate treatment standard.

The Division of Insurance implemented regulations (Regulation 10-1-1) that create a framework for how insurers must govern and audit their use of external data and AI. These rules require documentation, testing, and ongoing monitoring — not a one-time review.

The Proxy Discrimination Problem in Insurance AI

Insurance AI models almost never use race, religion, or national origin as explicit inputs. They don't need to — other variables do the same work. ZIP code, educational attainment, employment type, credit history, and consumer behavior data are all heavily correlated with protected characteristics. An AI trained on historical claims data that was shaped by discriminatory practices can reproduce and amplify that discrimination without any programmer intending it.

Colorado's regulation requires insurers to look at outcomes, not just inputs. If your AI-driven underwriting model produces materially higher premiums for African American applicants with identical risk profiles to white applicants, the model may violate the law regardless of what variables it uses. The test is:

1. Does the model produce disparate outcomes across protected classes?

Run outcome analysis broken down by race, gender, disability status, and other protected characteristics. Disparate outcomes in premium rates, approval rates, or claims handling trigger further scrutiny.

2. Is the differential actuarially justified?

Insurance law generally permits rate differences that are actuarially justified — meaning they reflect actual differences in underlying risk. AI-driven differentials must be tied to legitimate risk factors, not proxies for protected characteristics.

3. Are less discriminatory alternatives available?

Even if a variable is actuarially correlated with risk, if a less discriminatory variable achieves comparable predictive power, the Colorado framework pushes toward using it.

What Regulation 10-1-1 Requires

Colorado's Division of Insurance implemented Regulation 10-1-1 to give SB 21-169 operational requirements. The regulation establishes a risk-based governance framework for insurers using external data and AI models. Key obligations include:

Governance Program

  • Establish a formal governance program for oversight of external data and AI use
  • Assign accountability to senior leadership for AI governance
  • Document the policies, procedures, and controls governing AI in underwriting and pricing
  • Ensure board-level or senior management awareness of material AI risks

Risk Assessment

  • Conduct risk assessments for each external data source and AI model used in insurance decisions
  • Document the intended purpose, data inputs, and potential for discriminatory outcomes
  • Assess correlations between model variables and protected characteristics
  • Evaluate whether differential outcomes are actuarially justified

Testing and Monitoring

  • Test AI models for disparate impact before deployment in Colorado
  • Conduct ongoing monitoring of model outcomes during production
  • Establish thresholds for when disparate impact triggers review or remediation
  • Document testing methodology, results, and any remediation actions taken

Vendor Due Diligence

  • Exercise reasonable oversight of third-party AI vendors — cannot outsource compliance
  • Review vendor documentation of testing, bias audits, and explainability
  • Include AI governance requirements in vendor contracts
  • Obtain representations from vendors about model accuracy and non-discrimination

What Insurtech AI Vendors Must Prepare For

Insurtech vendors don't have direct obligations under SB 21-169 — but their insurer customers do, and those customers are passing requirements downstream through procurement. If you sell AI underwriting, pricing, claims, or fraud detection tools to Colorado insurers, expect to be asked for:

Bias audit reports

Insurers will ask for documentation of disparate impact testing across protected classes. You need third-party or internally documented results showing your model's outcomes by race, gender, and other protected characteristics.

Model explainability documentation

Insurers need to understand what variables drive model outputs. Black-box models with no explainability documentation will face increasing resistance from compliant Colorado insurers.

Data lineage documentation

Where does your training data come from? Has it been audited for historical bias? Insurers need to know that the data feeding your model doesn't encode historical discrimination.

Contractual representations

Expect insurers to ask for contractual warranties that your model has been tested for disparate impact and that you will notify them of material changes to model logic or retraining.

Ongoing monitoring data

Not a one-time audit. Insurers need assurance that outcomes are monitored after deployment. Vendors who can provide production monitoring reports have a significant competitive advantage.

The National Pattern: Colorado Won't Be Alone Long

Colorado's framework is already influencing insurance regulators nationally. The National Association of Insurance Commissioners (NAIC) published AI Principles and a Model Bulletin that tracks Colorado's approach. New York's Department of Financial Services has issued guidance on insurance AI governance. Illinois has enacted laws touching AI in employment that insurance companies operating there must observe.

Insurtech vendors building to Colorado's requirements are building to a practical national standard. The vendors that wait for each state to finalize its specific rules before developing bias audit capabilities will find themselves locked out of procurement cycles that move faster than legislative timelines.

Frequently Asked Questions

Does Colorado's law apply to property and casualty insurance or only life insurance?

SB 21-169 was enacted under the life insurance code, and Regulation 10-1-1 initially focused on life insurance. However, the broader unfair discrimination principles in Colorado insurance law — which predate SB 21-169 — apply across insurance lines. The Division of Insurance has signaled interest in applying similar AI governance expectations to property/casualty and health insurance, and insurers across lines should treat the Colorado framework as indicative of regulatory direction regardless of line.

We use a credit score in our underwriting model. Is that prohibited under Colorado law?

Not automatically, but it requires scrutiny. Credit scores are correlated with race and ethnicity due to historical discrimination in credit markets. Under Colorado's framework, an insurer using credit score data must assess whether its use produces disparate outcomes across protected classes and whether those outcomes are actuarially justified. Simply claiming credit score is a valid risk predictor is insufficient — the insurer must document the analysis and maintain records showing the differential is not unfair discrimination under Colorado law.

How does Colorado's law interact with FCRA if we use credit data?

The federal Fair Credit Reporting Act (FCRA) governs the use of consumer reports (including credit data) for insurance underwriting. FCRA requires adverse action notices when insurance is denied or priced unfavorably based on credit data. Colorado's SB 21-169 adds a disparate impact layer — compliance with FCRA's procedural requirements doesn't discharge Colorado's substantive anti-discrimination obligation. Both apply.

We're an insurtech vendor, not an insurer. Do we need to register or file anything with the Colorado Division of Insurance?

Insurtech vendors generally don't register directly with state insurance departments. Your obligations flow through contract with your insurer customers. However, the Division of Insurance has market conduct examination authority that can reach vendor practices when examining an insurer's AI governance. Vendors have been subject to indirect regulatory scrutiny in market conduct exams — a practical reason to maintain your own documentation even without a direct filing requirement.

Colorado Set the Template — Build to It Now

Colorado's AI insurance discrimination framework is the clearest signal the industry has about where state insurance regulation is heading. The requirements — outcome testing, vendor due diligence, governance programs, ongoing monitoring — are operationally demanding but achievable. Insurers and insurtech vendors that build these capabilities now aren't just complying with Colorado; they're positioning for the multi-state landscape that's assembling around them.

The practical starting point is a bias audit of every AI model currently used in underwriting or pricing decisions for Colorado policyholders. Run outcome analysis across protected class proxies, document your methodology, and set up the monitoring infrastructure to catch drift. That audit is both your Colorado compliance foundation and your sales document for every insurer that asks.