Artificial Intelligence 2026

Last Updated May 21, 2026

USA – Colorado

Trends and Developments


Authors



Buchalter LLP is a full-service law firm with over 560 attorneys offering expertise in 35 practice areas. Buchalter’s privacy and data security attorneys help clients navigate local, state, federal and international requirements, including multi-state and multi-national compliance. The firm advises across industries on website practices, data collection and storage, privacy programme development, breach notification obligations, and responding to investigations, penalties and related litigation. The team includes attorneys from multiple practice areas who address privacy and security issues in litigation, healthcare, intellectual property, finance, corporate and employment matters. It delivers timely, strategic and practical guidance to help clients protect their data and meet evolving regulatory obligations. It also assists with privacy policies, compliant systems design, due diligence, technology transactions involving personal data, regulatory inquiries, privacy impact assessments, audits and data subject requests.

Executive Summary

Following a lengthy and contested debate over the scope and requirements of Colorado’s first-in-the-nation risk-based AI law, SB 24-205 has been repealed and replaced by SB 26-189 – A Bill Concerning the Use of Automated Decision-Making Technology in Consequential Decisions (ADMT).

SB 26-189 retains the core architecture of a developer/deployer framework regulating AI systems used in consequential decisions but materially restructures nearly every operative element of the law. The new law delays enforcement until 1 January 2027 and shifts the regulatory focus from “High-Risk AI Systems” to “Covered ADMT”.

Many of the burdens for developers and deployers of high-risk AI systems have been eased or removed entirely. The heaviest compliance lifts – including risk management frameworks aligned to NIST AI RMF or ISO 42001, annual impact assessments, and self-reporting requirements – have been eliminated. In their place, SB 26-189 installs a more procedural regime focused on technical documentation from developers to deployers, point-of-interaction notices to consumers, and post-adverse-outcome disclosures with rights of correction and human review.

For organisations that have been preparing for SB 24-205 compliance under the 30 June 2026 effective date, SB 26-189 represents a six-month reprieve and a reduced regulatory burden.

xAI v Weiser – a Pause in Enforcement

On 9 April 2026, Elon Musk’s AI company xAI sued the Colorado Attorney General’s Office to prevent enforcement of the Colorado AI Act, which was previously scheduled to go into effect on 30 June 2026.

xAI claims in its lawsuit that SB 24-205 is unconstitutionally vague and violates the First Amendment by requiring outputs that conform to Colorado’s preferred views. The United States Department of Justice joined the lawsuit in support of xAI, arguing that requirements to mitigate algorithmic discrimination violate the Equal Protection Clause of the Fourteenth Amendment.

Pursuant to the lawsuit, the Colorado Attorney General’s Office has agreed to stay enforcement of SB 24-205 or any replacement bill (such as SB 26-189) until the court can rule on xAI’s motion for preliminary injunction. xAI must file the motion within 28 days of formal rulemaking by the Colorado Attorney General. Under the new law, the Attorney General is required to undertake rulemaking before the 1 January 2027 enforcement date.

The court’s order fundamentally puts the Colorado AI Act on hold pending a ruling on xAI’s motion for preliminary injunction, which will not be filed until 28 days after rulemaking has concluded. The stay also creates significant uncertainty about when the law will become effective.

SB 26-189 – a Compromise for Colorado Businesses and Consumers

From high-risk AI systems to covered ADMT

SB 26-189 earned support from the Colorado Technology Association and the Colorado Chamber of Commerce, and reflects a compromise between consumer protection advocates and the business community. The law abandons SB 24-205’s focus on high-risk AI systems in favour of regulating covered ADMT.

The law applies to developers and deployers of ADMT when it affects a consequential decision for Colorado consumers in a covered domain. ADMT is defined in the statute as a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores or other information that is used to make, guide or assist a decision, judgement or determination concerning an individual.

The updated SB 26-189 includes an extensive list of carve-outs that did not appear with the same granularity in SB 24-205. Excluded technologies include anti-malware, anti-virus, calculators, databases, firewalls, spam filters, spell-checkers, spreadsheets without machine learning (ML) or large language model (LLM) components, web caching, and web hosting. The bill also excludes tools used solely to summarise, organise, translate, draft, route or present information for human review, and carves out natural-language consumer-facing technologies (ie, general-purpose chatbots and LLM interfaces) that are not contracted, marketed or configured for consequential decisions and that are subject to an acceptable use policy prohibiting such use.

In practice, common uses of popular consumer chatbots such as ChatGPT and Claude are excluded from the law if not specifically used to make decisions in covered areas. This provision should facilitate the adoption of low-risk AI processing throughout Colorado businesses.

Violations of the law are considered violations of the Colorado Consumer Protection Act and subject to fines of up to USD20,000 and USD50,000 for repeated violations. There is no private right of action for Colorado consumers, and the Colorado Attorney General retains rulemaking and enforcement authority.

Consequential decisions and covered domains (Section 6-1-1701)

Under SB 26-189, a “consequential decision” is defined as a decision that relates to an individual’s access to, eligibility for, or compensation for a covered domain or a decision, determination or action related to differentiated price, cost sharing, compensation or other material terms that interfere with a consumer’s rights in a covered domain.

The inclusion of differentiated pricing as a consequential decision under the law will have a significant effect on technology companies using surveillance pricing models to target consumers.

Covered ADMT means automated decision-making technology that is used to materially influence a consequential decision. Here, the legislature moved away from the “substantial factor” test for consequential decisions in SB 24-205, and instead applies the standard of “materially influence” on the covered decision. The statute defines “materially influence” as a non-de minimis factor in making a consequential decision. An ADMT output affects the outcome of a consequential decision, including by constraining, ranking, scoring, recommending, classifying or otherwise meaningfully altering how a consequential decision is made.

Covered domains are similar in nature to the high-risk categories identified in SB 24-205, but differ slightly and include:

  • education enrolment or an education opportunity;
  • employment or an employment opportunity that creates or may create an employer-employee relationship;
  • the lease or purchase of residential real estate in Colorado (housing);
  • a financial or lending service;
  • insurance, including underwriting, pricing, coverage, claims, adjudication or other determinations that materially affect access to benefits;
  • healthcare services; and
  • essential government services.

Interestingly, SB 26-189 no longer includes legal services as a high-risk covered domain but otherwise maintains a similar scope of regulated activities.

Developer responsibilities (Section 6-1-1702)

Developers of covered ADMT systems must provide each deployer with technical documentation that is reasonably understandable while protecting trade secrets. Required disclosures include:

  • developer’s intended uses and known harmful or inappropriate uses;
  • categories of training data, including personal data, to the extent known;
  • developer’s known limitations, risks and circumstances in which the system should not be used;
  • instructions for appropriate use, monitoring and meaningful human review; and
  • information reasonably necessary for the deployer to comply with its consumer-facing disclosure obligations.

Developers must also notify deployers of “material updates” (defined as updates that a developer knows or reasonably should know will materially affect outputs, performance or stated intended use), intentional and substantial modifications, and changes to intended use, limitations or risk mitigation. Public release notes may satisfy this obligation if direct notice of the release is provided. Developers must retain compliance records including version identifiers, changelogs and notices to deployers for at least three years.

What has been removed

  • Developer’s requirement to provide deployers with documentation sufficient for the deployer to complete an impact assessment.
  • Developer’s obligation to publish a public statement summarising system types and risk management.
  • Attorney General’s authority to demand developer documentation within 90 days.
  • Statutory rebuttable presumption tied to compliance with NIST or ISO 42001, which is eliminated and replaced with a 60-day notice and cure period.

Deployer obligations – record-keeping and disclosures (Section 6-1-1703 and 1704)

SB 26-189’s treatment of deployers is the bill’s most dramatic departure from the prior iteration of the law. The deployer-facing obligations include four primary requirements – record-keeping, point-of-interaction notice, post-adverse-outcome disclosures, and consumer rights – discussed in more detail as follows.

Record-keeping

Three-year retention of records reasonably necessary to demonstrate compliance, including ADMT version identifiers, changelogs and documentation of material mitigation changes.

Point-of-interaction notice

Clear and conspicuous notice prior to using a covered ADMT to materially influence a consequential decision. Compliance is satisfied by maintaining a prominent public notice reasonably accessible at points of consumer interaction.

Post-adverse-outcome disclosure

Within 30 days after a covered ADMT materially influences a consequential decision producing an “adverse outcome”, the deployer must provide:

  • a plain-language description of the decision and the ADMT’s role;
  • instructions for requesting additional information about the system, its inputs, the developer, and personal data sources; and
  • an explanation of consumer rights under the Act.

Consumer rights

Upon an adverse outcome, consumers may request access to and correction of factually incorrect or materially inaccurate personal data, and an opportunity for meaningful human review and reconsideration “to the extent commercially reasonable”. Opinions, predictions, scores and protected evaluations are not subject to correction.

What has been removed

  • Deployer’s duty of reasonable care to protect consumers from algorithmic discrimination.
  • Deployer’s requirement to implement and maintain a risk management policy and programme aligned to NIST AI RMF or ISO 42001.
  • Deployer’s obligation to complete impact assessments within 90 days of deployment and annually thereafter.
  • Duty to notify the Attorney General of discovered algorithmic discrimination within 90 days.
  • Public statement requirement summarising deployed systems and risk management practices.

Consumer rights (Section 6-1-1705)

Colorado consumers have several rights related to the use of ADMT for consequential decisions. Consumers have the right to inspect and correct inaccurate data used by companies as part of their ADMT processing and have the right to reconsideration of the adverse decision, with the opportunity for human review.

The opportunity for meaningful human review is significant in the employment context, where job seekers are routinely subject to applicant tracking systems using ADMT. Applicants will have the right to an explanation about the adverse decision and an opportunity for reconsideration with meaningful human review “where technically feasible”. This caveat creates a significant hole in the law by allowing companies to design their programmes to circumvent human review.

“Meaningful human review” is defined as review by an individual with authority to approve, modify or override the decision, who considers relevant primary evidence, is trained for the role, does not default to system output, and has access to information sufficient to understand the output’s intended use, material limitations, input categories and principal generative factors without requiring disclosure of source code, model weights or trade secrets.

The substantial modification of deployer obligations may be SB 26-189’s defining characteristic. However, the original framework of SB 24-205 still provides a roadmap for businesses seeking to go beyond minimum requirements in pursuit of industry best practices.

Enforcement, liability and indemnification (Section 6-1-1706 and 1707)

Enforcement of SB 26-189 rests exclusively with the Colorado Attorney General through the Colorado Consumer Protection Act, and a violation is a deceptive trade practice. The law creates a 60-day notice and cure period before enforcement, but cure is not required where the Attorney General finds knowing or repeated violations.

The Attorney General is responsible for promulgating rules for post-adverse-outcome disclosures and consumer rights by 1 January 2027, through a stakeholder-engaged process under the Administrative Procedure Act. The Attorney General must also report annually (beginning January 2028 and sunsetting 1 January 2030) on enforcement actions, cure periods offered, and violations where cure was not deemed possible.

Section 6-1-1707 introduces a comparative fault regime for civil actions alleging unlawful discrimination under the Colorado Anti-Discrimination Act or other state anti-discrimination laws arising from a consequential decision materially influenced by a covered ADMT. Liability is allocated based on relative fault between the developer and deployer, which deviates from other areas of Colorado law assessing joint-and-several liability.

The liability regime addresses one significant issue created in Mobley v Workday, where Workday’s popular AI hiring software allegedly created discriminatory outcomes that resulted in potential liability for the deployers of Workday’s software.

Critically, a developer is liable only to the extent that its ADMT was used in a manner the developer intended, documented, marketed, advertised, configured or contracted for. Unintended deployer uses absolve the developer of liability. Conversely, deployers cannot escape liability for independent acts or off-label use by consumers.

The law also invalidates any contractual indemnification, defence or hold-harmless provision that would shield a developer or deployer from liability for its own acts under the Colorado Anti-Discrimination Act or other Colorado anti-discrimination laws. This represents a noteworthy public-policy intervention that constrains common risk-shifting practices reflected in the terms of service. Under SB 26-189, those liability waivers are void against public policy under Colorado law.

Sectoral compliance and exemptions (Section 6-1-1708)

SB 26-189 retains and refines several sectoral carve-outs. Insurers subject to CRS Section 10-3-1104.9 are deemed compliant with insurance practices (with employment uses still covered). The law limits an insurance company’s use of external consumer data and information sources, as well as any algorithms or predictive models that use external consumer data and information sources, in a way that unfairly discriminates against consumers.

Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates are largely exempt except for employment-related decisions; covered entities that are healthcare providers are exempt only when operating from Colorado locations. A covered entity using ADMT to determine eligibility for financial assistance must provide specific disclosures (either in advance or within 30 days post-adverse outcome).

Family Educational Rights and Privacy Act (FERPA)-subject educational deployers may satisfy notice and correction obligations through existing FERPA processes. Creditors providing notices under the Equal Credit Opportunity Act and Fair Credit Reporting Act may satisfy SB 26-189’s disclosure requirements with a brief statement that ADMT was used and instructions for consumers to obtain additional information. Medical devices and FDA-regulated research and development are excluded. The bill also preserves Gramm-Leach-Bliley non-disclosure protections.

Conclusion and Practical Considerations for Businesses

For consumers, businesses and regulators, SB 26-189 represents a compromise that attempts to strike the right balance between business innovation and consumer protection. Stakeholders on all sides, including the Colorado Governor and Attorney General, agreed that the rigorous requirements of SB 24-205 went further than reasonable compliance for businesses and presented significant enforcement challenges for regulators.

SB 26-189 represents a major departure from its predecessor as it no longer requires mandatory risk management programmes, impact assessments, NIST/ISO-aligned frameworks, or self-reporting obligations for identified discriminatory outcomes to the Attorney General’s Office.

The duty of reasonable care to prevent algorithmic discrimination was eliminated as a freestanding statutory duty, although anti-discrimination liability under the Colorado Anti-Discrimination Act and other laws is expressly preserved and clarified through the new fault-allocation framework. 

The applicable scope of SB 24-205 was narrowed through extensive technology and decision-process carve-outs, particularly for cybersecurity, fraud prevention, sanctions compliance, customer service triage and natural-language assistants subject to acceptable-use policies prohibiting consequential-decision use.

SB 26-189 advances consumer protections by providing rights of inspection and correction, and the right to reconsideration of adverse ADMT decisions (where technically feasible). The law also advances transparency of ADMT by requiring developer and deployer notices and record-keeping requirements.

The modified scope and delayed timing of enforcement will provide a short window for the Colorado Attorney General to conduct rulemaking before it goes into effect on 1 January 2027. However, it is important to recognise that the Attorney General has agreed to stay enforcement pending the outcome of xAI’s motion for preliminary injunction.

Colorado’s framework, enforcement timing and terminology now align closely with the ADMT provisions of the California Consumer Privacy Act.

For companies using AI systems to make decisions in consequential domains, waiting until the enforcement date to develop a compliance strategy creates increased regulatory risk. Colorado’s law is structurally closer to the EU AI Act than any other US state law and stands out for its heightened risk-based regulatory requirements. Colorado’s AI Act will usher in a new era of comprehensive state-level AI governance regulation and enforcement starting 1 January 2027. Despite the potential for delayed implementation of enforcement, the era of comprehensive state-level AI governance regulation is upon us with the passage of SB 26-189.

Buchalter LLP

1099 18th Street, Suite 1900
Denver, CO 80202-1905
USA

+1 720 930 1945

dpietragallo@buchalter.com www.buchalter.com/