Skip to main content
Mais Lidos
Em Destaque
View All Services
Ver Todas as Indústrias
About Us Overview
  • Insights
  • Virginia Legislature Passes Comprehensive Artificial Intelligence Act
fevereiro 24 2025

Virginia Legislature Passes Comprehensive Artificial Intelligence Act

Author:
Baixar PDF
Share

At A Glance

On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act (Virginia AI Act), a comprehensive artificial intelligence bill focused on preventing algorithmic discrimination. We examine the core tenets of the Virginia AI Act in this Legal Update.

On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act (Virginia AI Act), a comprehensive artificial intelligence (AI) bill focused on preventing algorithmic discrimination. If signed into law by Governor Glenn Youngkin, Virginia will become the second state, after Colorado, to have a comprehensive state-level AI law. Below are the key points regarding the Virginia AI Act.

  • Who does the act apply to?
    • The Virginia AI Act applies to deployers and developers of AI systems that do business in Virginia. A deployer is a person that deploys or uses a high-risk AI system that makes a consequential decision, while a developer is a person that develops or intentionally and substantially modifies a high-risk AI system, which is offered, sold, leased, given, or otherwise made available to deployers or Virginia residents.
    • Unlike Colorado’s Anti-Discrimination in AI Law (Colorado AI Act), the Virginia AI Act is intended to protect Virginia residents acting only in an individual or household context (referred to as consumers), instead of individuals operating in a commercial or employment context. As such, in this respect, the Virginia AI Act is narrower in scope than the Colorado AI Act.
    • Notably, in assessing whether an entity is a developer, companies should be mindful that if they make any deliberate change to an AI system that results in a new material risk of algorithmic discrimination or integrates with a general-purpose AI model (e.g., foundation models), they could be subject to the law.
  • What does the act regulate?
    • The Virginia AI Act regulates high-risk AI systems. An AI system is defined as “any machine learning-based system that, for any explicit or implicit objective, infers from the inputs such system receives how to generate outputs, including content, decisions, predictions, and recommendations, that can influence physical or virtual environments.”
    • For an AI system to be considered high-risk, it must specifically be intended to autonomously make, or be a substantial factor in making, a consequential decision. A consequential decision means that the AI system makes a “decision that has a material legal, or similarly significant, effect on the provision or denial to any consumer of (i) parole, probation, a pardon, or any other release from incarceration or court supervision; (ii) education enrollment or an education opportunity; (iii) access to employment; (iv) a financial or lending service; (v) access to health care services; (vi) housing; (vii) insurance; (viii) marital status; or (ix) a legal service.”
    • The Virginia AI Act adds two new categories of high-risk decisions that are not present in the Colorado AI Act, which are (i) and (viii) above. However, unlike the Colorado AI Act, the Virginia AI Act does not include within its scope AI systems that make decisions regarding essential government services.
    • The Virginia AI Act’s standard for an AI system being a “substantial factor” in making a consequential decision is narrower than the Colorado AI Act. The Virginia AI Act requires the output to be a “principal basis” for decisions, while the Colorado AI Act just needs the output to “assist” in making a consequential decision to trigger the high-risk obligations. Based on this standard, if companies apply significant human oversight and consider other factors besides the AI’s output, they may be able to avoid triggering the Virginia AI Act.
  • When does the law go into effect?
    • If signed into law, the Virginia AI Act goes into effect July 1, 2026, which is five months after the Colorado AI Act’s effective date. This gives companies about 16 months to comply.
  • What do developers and deployers need to do to comply with the Virginia AI Act?
    • Like the Colorado AI Act, the obligations under the Virginia AI Act are demarcated based on party roles. The chart below provides an overview of developer and deployer obligations under the Virginia AI Act.

Developer Obligations

Deployer Obligations

Avoid algorithmic discrimination

Developers and deployers must use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses. There is a rebuttable presumption that developers and deployers discharged this obligation if they comply with the Virginia AI Act requirements.

Provide information regarding the AI system to the deployer

A developer must furnish information and documents regarding the AI system, including:

  • A statement regarding the intended uses
  • Limitations and risks
  • The purpose and intended benefits
  • How it was evaluated for performance
  • Measures taken to mitigate risks
  • Instructions for use and how it should be monitored
  • Intended outputs
  • Other information to help the deployer understand the output, monitor performance and complete an AI impact assessment.

Complete an AI impact assessment

A deployer must complete and maintain for three years an AI impact assessment containing the following elements:

  • A statement disclosing the purpose, intended use cases, deployment context, benefits, risks, and the steps taken to mitigate the risks
  • Whether the intended use cases were consistent with, or varied from, the deployer’s intended uses post-deployment
  • A description of the categories of data for the AI input and the output such system produces
  • An overview of the categories of data the deployer used to customize the AI system
  • The metrics used to evaluate performance and known limitations of the AI system
  • A description of the transparency measures taken
  • A description of any post-deployment monitoring and safeguards adopted
  • An analysis and description of the AI system’s validity and reliability, and the metrics used to evaluate performance and known limitations.

May comply with an AI risk management framework

A developer may comply with the National Institute of Standards and Technology’s AI Risk Management Framework (NIST AI RMF), the International Organization for Standardization’s ISO/IEC 42001, or other recognized AI risk management frameworks to comply with related requirements under the Virginia AI Act.

Adopt an AI risk management framework

A deployer must design and implement a reasonable AI risk management policy, such as NIST AI RMF, ISO/IEC 42001, or another recognized AI risk management framework that is substantially equivalent to, and at least as stringent as, the Virginia AI Act’s requirements.

Transparency

If the AI system generates or substantially modifies synthetic content (i.e., information, such as images, video, audio clips, and, to the extent practicable, text, that has been significantly modified or generated by algorithms, including by AI), the developer must ensure that the output: (a) is identifiable and detectable in a manner that is accessible by consumers using industry-standard tools or tools provided by the developer; (b) complies with any applicable accessibility requirements, as synthetic content, to the extent reasonably feasible; and (c) applies such identification at the time the output is generated.

Transparency and adverse decisions

Before using an AI system to interact with a consumer, the deployer must disclose to the consumer, among other things, the purpose and nature of the AI system and the consequential decision, the deployer’s contact information, and a description of the AI system in plain language.

If a deployer uses the AI system, it must transmit to the consumer the consequential decision without undue delay. If the decision is adverse to the consumer and based on personal data beyond information that the consumer provided directly to the deployer, the deployer must provide to the consumer a statement disclosing the reason(s) and other details regarding the consequential decision, an opportunity to correct any inaccuracies regarding the consumer’s personal data, and the right to appeal the decision.

The deployer must also make available, in a manner that is clear and readily available, a statement summarizing how it manages any reasonably foreseeable risks of algorithmic discrimination.

 
  • Are there any exemptions and exclusions?
    • Yes. There is a long list of exemptions under the Virginia AI Act. Notably, under certain circumstances, the obligations under the Virginia AI Act do not apply to: (a) the federal government or any federal agency; (b) certain financial institutions (e.g., banks, credit unions, mortgage lenders, savings institutions), or their affiliates, subsidiaries or service providers; (c) insurers; and (d) healthcare entities. Each of these exemptions has certain caveats and nuances, which exempt entities should document under the Virginia AI Act.
    • There are also certain exclusions from the definition of a high-risk AI system, such as if the system is intended: (a) to perform a narrow procedural task; (b) to improve the result of a previously completed human activity, (c) to detect any decision-making patterns or any deviations from pre-existing decision-making patterns; or (d) to perform a preparatory task to an assessment relevant to a consequential decision.
    • A long list of technologies are also specifically excluded from the definition of a high-risk AI system, such as calculators, autonomous vehicle technology, cybersecurity technologies, data storage, spreadsheets, and others.
  • How is the act enforced and what are its penalties?
    • The Virginia Attorney General has exclusive authority to enforce the Virginia AI Act. The Virginia Attorney General is empowered to issue a civil investigative demand and bring an action to enforce the act. Persons who violate the Virginia AI Act could be subject to a civil penalty of up to $1,000, plus reasonable attorney fees, expenses, and costs. This penalty can be increased up to $10,000 if there is a willful violation.
    • The Virginia AI Act states that each violation of the act “shall constitute a separate violation,” which may suggest that these penalties could multiply. Persons who are alleged to violate the law may cure such violations within 45 days of receiving a notice of violation from the Virginia Attorney General.

Autores

Serviços e Indústrias Relacionadas

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2025 Mayer Brown

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Mayer Brown Hong Kong LLP operates in temporary association with Johnson Stokes & Master (“JSM”). More information about the individual Mayer Brown Practices, PKWN and the association between Mayer Brown Hong Kong LLP and JSM (including how information may be shared) can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.