Is the Colorado AI Act (SB 24-205) still the law?

No. The 2024 Colorado AI Act (SB 24-205) was repealed and replaced before it ever took effect. Governor Polis signed SB 26-189 (Automated Decision-Making Technology) on May 14, 2026, which reenacts Colorado's AI rules as a narrower transparency and disclosure regime. The old high-risk, reasonable-care framework no longer governs.

When does Colorado SB 26-189 take effect?

Substantive compliance obligations under SB 26-189 commence January 1, 2027. The bill's own technical effective date is August 12, 2026 (90 days after adjournment), and the Colorado Attorney General must adopt clarifying rules by January 1, 2027. The earlier June 30, 2026 date came from the now-superseded 2024 framework and never went live.

What does SB 26-189 regulate instead of high-risk AI systems?

SB 26-189 regulates covered automated decision-making technology (ADMT): technology used to materially influence a consequential decision about an individual. 'Materially influence' means a non-de-minimis factor in the outcome. Consequential decisions cover access to education, employment, housing, financial or lending services, insurance, health-care services, and essential government services or public benefits.

What are the penalties under Colorado SB 26-189?

Violations are deceptive trade practices under the Colorado Consumer Protection Act, with civil penalties up to $20,000 per violation under C.R.S. 6-1-112. The Colorado Attorney General has exclusive enforcement authority and there is no private right of action. The Attorney General must give 60 days' notice and an opportunity to cure where a cure is possible, except for knowing or repeated violations; that cure right sunsets January 1, 2030.

Colorado ADMT Law (SB 26-189) Compliance Guide

What is Colorado’s AI law now?

Colorado’s governing AI statute is SB 26-189, titled “Automated Decision-Making Technology,” signed by Governor Polis on May 14, 2026. It repeals and reenacts the 2024 Colorado Artificial Intelligence Act (SB 24-205, the law originally codified at C.R.S. § 6-1-1701 et seq.) with a far narrower transparency and disclosure framework. Substantive compliance begins January 1, 2027.^[CO1]

The original 2024 Act never took effect. It was first scheduled for February 1, 2026, then delayed to June 30, 2026 by SB 25B-004 — but neither date went live, and SB 26-189 superseded the framework entirely. Colorado was still the first US state to enact comprehensive AI legislation; what changed is the substance, not that distinction.^[CO1]

SB 26-189 drops the 2024 Act’s “high-risk AI system” / reasonable-care model. Instead, it regulates covered automated decision-making technology (ADMT) — technology used to materially influence a consequential decision about an individual — and imposes transparency, notice, disclosure, documentation, and consumer-rights duties on developers and deployers. It is closer in spirit to a disclosure regime than to the EU AI Act’s prescriptive, risk-tiered conformity model.^[CO1]

Legislative History and Timeline

May 17, 2024: Governor Polis signs the original Colorado AI Act (SB 24-205) into law
August 28, 2025: Governor Polis signs SB 25B-004, delaying the 2024 Act’s start to June 30, 2026 (a date that never went live)
May 14, 2026: Governor Polis signs SB 26-189, repealing and replacing SB 24-205^[CO1]
January 1, 2027: SB 26-189 substantive obligations commence; AG clarifying rules due^[CO1]

The 2024 framework was superseded outright rather than refined: SB 26-189 reflects industry and legislative concerns about the feasibility of the reasonable-care and impact-assessment model, and replaces it with a leaner set of transparency and disclosure duties.

Scope and applicability

SB 26-189 applies to any person or entity “doing business in Colorado” that develops or deploys a covered ADMT. This broad jurisdictional language means that organizations headquartered outside Colorado must comply if they serve Colorado residents or make ADMT-driven decisions affecting them. Note that SB 26-189 has no size-based exemption — the 2024 Act’s fewer-than-50-employee deployer carve-out is gone.^[CO1]

Who Must Comply

The law establishes two distinct regulated parties with different obligations:

Developers

Persons doing business in Colorado who develop or substantially modify an AI system. This includes foundation model providers, algorithm developers, and companies that customize third-party AI systems beyond basic configuration.

Deployers

Persons doing business in Colorado who deploy a covered ADMT. This includes employers using AI in hiring, lenders using AI in credit decisions, landlords using tenant screening tools, and healthcare providers using clinical AI to materially influence consequential decisions.

Important note: An organization can be both a developer and a deployer. For example, a healthcare system that builds its own clinical decision support AI and deploys it internally must comply with both sets of requirements.

What Qualifies as Covered ADMT

Technology is covered ADMT when it is used to materially influence a consequential decision — that is, when it is a non-de-minimis factor in the outcome (replacing the 2024 Act’s “substantial factor” trigger). Incidental, trivial, or clerical uses are excluded, and the Colorado Attorney General must adopt mandatory rules clarifying the line by January 1, 2027. SB 26-189 covers consequential decisions about access to, eligibility for, or compensation related to seven domains:^[CO1]

Consequential-Decision Domains

Domain	Examples	Risk Context
Education	Admissions scoring, academic tracking	Access to educational opportunities
Employment	Resume screening, interview scoring, promotion	Livelihood and career advancement
Financial Services	Credit scoring, loan approval, underwriting	Access to capital and financial products
Government Services	Benefits eligibility, fraud detection	Access to essential public services
Healthcare	Diagnosis assistance, treatment recommendations	Health outcomes and medical care
Housing	Tenant screening, rental approval	Access to housing and shelter
Insurance	Risk assessment, claims processing, pricing	Access to insurance coverage

Notable Exemptions

SB 26-189 excludes incidental, trivial, and clerical uses from the “materially influence” trigger, and provides sector-specific deemed-compliance carve-outs for activity already governed by other regimes. These are regulatory-alignment exemptions, not a framework safe harbor:^[CO1]

Financial and credit notices: activity covered by FCRA/ECOA adverse-action requirements and insurers operating under existing Colorado rules
Health and education: FDA-regulated devices, HIPAA-governed activity, and FERPA-covered education records
Financial privacy: activity governed by the Gramm-Leach-Bliley Act (GLBA)

There is no size-based exemption: the 2024 Act’s fewer-than-50-employee deployer carve-out did not survive. Entity-type and regulatory-status exemptions apply, but small organizations meeting the definitions are still in scope.^[CO1]

Key definitions

Understanding SB 26-189 requires familiarity with the terms that structure its obligations — the most important being covered ADMT, materially influence, and consequential decision:

Discrimination Is Handled Outside the AI Law Now

SB 26-189 removes the 2024 Act’s standalone duty of reasonable care against “algorithmic discrimination.” Discrimination involving ADMT is now addressed through existing Colorado anti-discrimination law rather than a bespoke AI duty — with liability allocated by relative fault and developer liability limited to intended uses. That existing law continues to protect against unlawful differential treatment or impact on the basis of an individual’s actual or perceived:

Age
Color
Disability
Ethnicity
Genetic information
National origin
Race
Religion
Sex (including pregnancy, childbirth, and related medical conditions)
Sexual orientation
Other classifications protected under Colorado or federal law^[CO1]

This distinction still matters, but the legal mechanism changed. Under SB 26-189, AI-related discrimination is policed through general anti-discrimination law rather than an AI-specific reasonable-care duty — so the analysis turns on unlawful treatment of protected classes, not on whether an organization followed an AI risk framework.

Key Legal Distinction

SB 26-189 itself is a transparency and disclosure statute — it does not create a freestanding ban on AI bias. Discrimination claims run under existing Colorado anti-discrimination law. An ADMT could produce unequal outcomes based on non-protected characteristics (e.g., credit score, work history) without violating that law, as long as those outcomes don’t create unlawful disparate impact on protected groups.

Consequential Decision

A consequential decision is any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of:

Education enrollment or opportunity
Employment or employment opportunity
Financial or lending services
Essential government services or public benefits
Health-care services
Housing or residential real estate
Insurance^[CO1]

The trigger phrase is now materially influence — defined as a non-de-minimis factor in the outcome, replacing the 2024 Act’s “substantial factor.” An ADMT need not make the final decision autonomously to be covered; it only needs to be a non-trivial factor. This captures systems where humans retain final authority but rely on ADMT-generated recommendations, while excluding incidental and clerical uses. The Attorney General must issue mandatory rules clarifying these contours by January 1, 2027.^[CO1]

Developer vs. Deployer

The law creates a two-party framework with distinct obligations:

Developer

A person doing business in Colorado who develops or substantially modifies an AI system. Key questions for determining developer status:

Did you design the algorithm or model architecture?
Did you train or fine-tune the model?
Did you materially alter how a third-party model makes decisions?

Deployer

A person doing business in Colorado who deploys a covered ADMT. Key indicator: you use the ADMT to materially influence consequential decisions about Colorado consumers. This includes:

Employers using resume screening AI
Lenders using credit risk models
Healthcare providers using diagnostic AI
Landlords using tenant screening tools

Developer requirements

Under SB 26-189 (new C.R.S. § 6-1-1702), developers of a covered ADMT must give each deployer the documentation needed to use the technology responsibly and to meet their own duties. The duties are documentation and disclosure — the 2024 Act’s reasonable-care duty, public-summary registry, and 90-day AG discrimination reporting did not survive. These obligations commence January 1, 2027, and records must be retained at least three years.^[CO1]

1. Documentation Provided to Deployers

Developers must provide each deployer documentation covering:^[CO1]

Intended uses and known harmful or inappropriate uses of the ADMT
Categories of training data, to the extent known
Known limitations and risks, and circumstances where the ADMT should not be used
Instructions for appropriate use, monitoring, and meaningful human review
Information the deployer needs to meet its own compliance obligations

Artifacts such as model cards and dataset cards remain a practical way to package this documentation, even though the statute no longer requires a specific format. Crucially, developers are not required to disclose proprietary source code, model weights, or trade secrets to satisfy these duties.^[CO1]

2. Recordkeeping

Developers must retain the documentation supporting these disclosures for at least three years. The emphasis is on demonstrable records rather than a public registry — there is no longer a requirement to publish summaries of systems offered or to report discrimination risks to the Attorney General within 90 days.^[CO1]

Deployer requirements

Under SB 26-189, deployers of a covered ADMT have four operational obligations, all centered on the consequential-decision context, with at least three-year recordkeeping. The 2024 Act’s mandatory risk-management program, annual impact assessments, and reasonable-care duty are gone. These obligations commence January 1, 2027.^[CO1]

1. Pre-Use Notice

Deployers must give clear-and-conspicuous notice before a covered ADMT is used to materially influence a consequential decision. This can be satisfied through a prominent public notice — for example, an accessible link describing the use.^[CO1]

2. Post-Adverse-Outcome Disclosure (within 30 days)

When a covered ADMT contributes to an adverse decision, the deployer must provide, within 30 days, a plain-language description of the ADMT’s role in that decision plus the consumer’s rights and how to exercise them.^[CO1]

3. Data Correction

On a consumer’s request, the deployer must allow access to, and correction of, factually inaccurate personal data the ADMT used. This is a consumer-request-triggered right tied to the adverse-outcome context, not a standalone affirmative duty.^[CO1]

4. Meaningful Human Review

On request, the deployer must offer meaningful human review or reconsideration of the decision, to the extent commercially reasonable. As with data correction, this is triggered by the consumer in the adverse-outcome context.^[CO1]

Frameworks like the NIST AI RMF Govern function and an ISO/IEC 42001 management system are no longer a codified legal defense in Colorado, but they remain a sound way to operationalize notice, disclosure, correction, and human-review workflows and to keep the three-year records SB 26-189 expects.

Consumer rights

SB 26-189 gives consumers rights that attach to the adverse-outcome context and create enforceable obligations for deployers. These rights take effect January 1, 2027.^[CO1]

Right to a Plain-Language Explanation

After an adverse decision in which a covered ADMT played a role, the consumer is entitled — within 30 days — to a plain-language description of:

The role the ADMT played in the decision
The consumer’s rights under SB 26-189
How to exercise those rights

The explanation must be in plain language, not technical jargon. For example, a job applicant rejected with the help of an ADMT screening tool can learn how the ADMT factored into the rejection and what they can do next.^[CO1]

Right to Correct Data

On request, a consumer may access and correct factually inaccurate personal data the ADMT used. The deployer should:

Provide a mechanism for consumers to submit correction requests
Investigate disputed data
Correct verified inaccuracies
Keep records of the request and resolution

Right to Meaningful Human Review

On request, and to the extent commercially reasonable, the consumer may obtain human review or reconsideration of the decision. A qualified human must be able to substantively evaluate the matter rather than rubber-stamp the ADMT’s original output.^[CO1]

Opt-Out Rights Under Colorado Privacy Act

SB 26-189 sits alongside the existing Colorado Privacy Act (CPA). Consumers retain the CPA right to opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects — which can overlap with covered ADMT.^[CPA]

Enforcement and penalties

SB 26-189 grants the Colorado Attorney General exclusive enforcement authority. There is no private right of action — only the AG can bring enforcement actions. Note that these duties are enacted but not yet enforceable; they become operative January 1, 2027.^[CO1]

Enforcement Mechanisms

Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act (C.R.S. 6-1-112). This classification subjects violators to:

Civil penalties up to $20,000 per violation (up to $50,000 per violation where the victim is an elderly person)
Injunctive relief requiring cessation of unlawful practices
Each consumer or transaction treated as a separate violation

The "per violation" structure means penalties can accumulate rapidly. If a deployer fails to provide required disclosures to 1,000 Colorado consumers, each instance could constitute a separate violation — creating potential exposure of $20 million. (The dollar figures flow from C.R.S. 6-1-112 generally; verify the current statutory text before relying on them in a legal or contractual context.)^[CO1]

60-Day Notice and Cure

The Attorney General must give 60 days’ notice and an opportunity to cure where a cure is possible — except for knowing or repeated violations. This right to cure sunsets January 1, 2030. After that date, the cure window no longer applies.^[CO1]

No Framework Safe Harbor

Unlike the 2024 Act, SB 26-189 provides no rebuttable-presumption safe harbor for following the NIST AI Risk Management Framework or ISO/IEC 42001. Following those frameworks is no longer a codified legal defense in Colorado. They remain strong operational practice for building the notice, disclosure, correction, and human-review workflows the new law expects — just not a statutory shield.^[CO1]

Rulemaking Authority

The Attorney General must adopt clarifying rules by January 1, 2027. Expected guidance includes:

The contours of “materially influence” (presumptions and illustrative examples)
Notice and disclosure mechanics for covered ADMT
How developer and deployer documentation duties are evidenced
Interaction with sector-specific deemed-compliance carve-outs^[CO1]

Comparison to the EU AI Act

The 2024 Colorado AI Act was often described as “US-style EU AI Act regulation.” SB 26-189 moved Colorado further from that model — toward a leaner transparency regime. Here’s a comparative analysis:

Colorado SB 26-189 vs. EU AI Act

Feature	Colorado SB 26-189	EU AI Act
Scope	Covered ADMT used to materially influence consequential decisions in 7 domains	Four risk tiers: prohibited, high-risk, limited-risk, minimal-risk
Core Obligation	Transparency, notice, disclosure, data correction, and human review	Prescriptive technical and organizational requirements
Enforcement	State Attorney General only; no private right of action	National authorities; potential for private litigation under GDPR-like mechanisms
Penalties	Up to $20,000 per violation under the Colorado Consumer Protection Act	Up to €35M or 7% global revenue for high-risk violations
Conformity Assessment	No third-party certification required	Third-party notified body assessment for certain high-risk systems
Focus Area	Transparency about automated decisions; discrimination handled under existing anti-discrimination law	Broader safety, transparency, and fundamental rights protection
Safe Harbor	None — no framework presumption survives under SB 26-189	Voluntary harmonized standards provide presumption of conformity
Compliance Date	January 1, 2027	High-risk obligations: 2 Aug 2026 in the legal text; a Digital Omnibus agreement provisionally proposes moving standalone high-risk to no later than 2 Dec 2027, pending formal adoption

Key Similarities

Decision-focused scope: Both concentrate on AI that affects high-stakes decisions about people
Transparency obligations: Both mandate disclosure to affected individuals
Documentation flow: Both push documentation from upstream developers/providers to downstream deployers

Key Differences

Lighter touch: SB 26-189 is a transparency-and-disclosure regime — no risk-management program, impact assessments, or framework safe harbor — whereas the EU imposes detailed technical requirements
Penalty severity: EU penalties are orders of magnitude higher, creating stronger deterrent effects
Prohibited uses: The EU AI Act bans certain applications (social scoring, real-time biometric identification); Colorado does not
Extraterritoriality: The EU AI Act has broader extraterritorial reach covering any AI system used in the EU market^[EU]

For healthcare vendors

Healthcare AI teams have specific hooks under SB 26-189. Clinical technology is more likely to be covered ADMT when it materially influences consequential decisions about:

Access to health-care services
Cost or terms of health-care services
Coverage or prior-authorization workflows that materially affect access or cost

Whether a given clinical workflow qualifies turns on the facts — and the law provides a deemed-compliance carve-out for HIPAA-governed activity and FDA-regulated devices, so much routine clinical AI may sit outside scope. The closer a system is to access, cost, or coverage decisions, the more likely it is covered. Vendors building or substantially modifying these systems act as developers; health systems and payers using them to materially influence consequential decisions act as deployers. Many organizations will be both.

The good news for healthcare teams already behind on this: SB 26-189 asks for less than the 2024 framework did. There is no mandatory risk-management program and no annual impact assessment. The work is practical — give consumers clear pre-use notice, explain an adverse decision in plain language within 30 days, allow data correction, and offer meaningful human review. Keeping the supporting records (at least three years) is what turns those steps into something you can stand behind, and you have until January 1, 2027 to get there.

For background on how the EU AI Act, Colorado, and California rules overlap for healthcare teams, see our EU AI Act guide and HIPAA-compliant AI guide.

Compliance roadmap

With the January 1, 2027 compliance date set, here’s a practical implementation roadmap prioritizing evidence generation over documentation theater:

GLACIS Framework

Colorado SB 26-189 Compliance Sprint

Inventory & ADMT Classification (Weeks 1-3)

Catalog all AI systems used in your organization. Classify each against the seven consequential-decision domains and ask whether it materially influences (is a non-de-minimis factor in) a decision. Prioritize systems touching employment, housing, credit, or healthcare. Document whether your organization acts as developer, deployer, or both for each system.

Framework Alignment (Weeks 4-8)

Adopt NIST AI RMF or pursue ISO 42001 as operational backbone. These are no longer a codified legal defense in Colorado, but they remain the most efficient way to stand up notice, disclosure, correction, and human-review workflows. Map current practices to the framework and identify gaps in governance, testing, and documentation.

Testing & Evidence Generation (Weeks 9-14)

Even though SB 26-189 drops the AI-specific discrimination duty, existing Colorado anti-discrimination law still applies — so fairness testing remains worthwhile. Test for disparate impact across protected characteristics (race, gender, age, disability). Generate verifiable evidence of testing — not just internal reports but cryptographic attestations that testing occurred and results were reviewed. The same evidence supports your ADMT documentation and human-review records.

Documentation & Disclosures (Weeks 15-20)

If you’re a developer, assemble the deployer-facing documentation SB 26-189 requires (intended uses, training-data categories, limitations, monitoring and human-review instructions) — model cards and dataset cards remain a handy format. If you’re a deployer, prepare pre-use notice and post-adverse-outcome disclosure templates, and set a retention plan for at least three years.

Operational Readiness (Weeks 21-24)

Train personnel on the new ADMT requirements. Implement consumer notice mechanisms (e.g., website notices, application disclosures). Establish data-correction and meaningful-human-review processes, and a workflow to deliver post-adverse-outcome disclosures within 30 days.

Continuous Monitoring (Toward Jan 2027)

Keep production monitoring in place and your three-year records current. Watch for the Attorney General’s clarifying rules — due by January 1, 2027 — especially on what “materially influence” means in practice, and adjust notice, disclosure, and review workflows accordingly.

Critical insight: January 1, 2027 looks distant, but the AG’s clarifying rules and the build-out of notice, disclosure, and human-review workflows take time. Standing up durable evidence — records that show your disclosures went out and your reviews happened — is far easier to start now than to reconstruct later.

Role-Specific Action Items

For Developers

Document intended uses, known harmful uses, and training-data categories (model cards work well)
State known limitations, risks, and where the ADMT should not be used
Provide instructions for appropriate use, monitoring, and meaningful human review
Retain supporting documentation for at least three years

For Deployers

Stand up clear-and-conspicuous pre-use notice before January 1, 2027
Build a workflow to send post-adverse-outcome disclosures within 30 days
Establish data-correction and meaningful-human-review processes
Retain records of notices, disclosures, and reviews for at least three years

Frequently asked questions

Does SB 26-189 apply to companies headquartered outside Colorado?

Yes. SB 26-189 applies to any person or entity "doing business in Colorado" that develops or deploys a covered ADMT. If you serve Colorado residents, make employment decisions affecting Colorado workers, or deploy ADMT that materially influences consequential decisions about Colorado consumers, you are in scope — regardless of where your company is headquartered, and regardless of size.

What if I’m both a developer and deployer of the same AI system?

You must comply with both sets of requirements. For example, a healthcare system that builds its own diagnostic ADMT must provide developer-level documentation (intended uses, training-data categories, limitations, human-review instructions) and meet deployer duties (pre-use notice, post-adverse-outcome disclosure, data correction, meaningful human review). Many organizations fall into this dual category.

How does SB 26-189 interact with federal laws like Title VII or ECOA?

SB 26-189 is in addition to existing anti-discrimination laws, not a replacement. The new law itself is a transparency and disclosure regime; discrimination claims run under existing Colorado and federal anti-discrimination law, so an ADMT that contributes to a Title VII (employment) or ECOA (credit) violation is still unlawful under those statutes. Organizations comply with both the federal baseline and SB 26-189’s disclosure obligations. (No enacted federal law preempts Colorado’s state AI rules.)

What does “materially influence” mean for covered ADMT?

SB 26-189 defines it as being a non-de-minimis factor in a consequential decision — replacing the 2024 Act’s “substantial factor.” Incidental, trivial, and clerical uses are excluded. The exact line-drawing is subject to mandatory Attorney General rules due by January 1, 2027, so treat any precise threshold as provisional and confirm with counsel before relying on it.

Can I rely on vendor assertions that their AI system is compliant?

No. Deployers have independent notice, disclosure, data-correction, and human-review obligations under SB 26-189. While you can (and should) demand developer documentation, you cannot outsource your own duties. If a vendor’s ADMT materially influences consequential decisions in your deployment, you carry the deployer obligations — and the enforcement risk if they go unmet.

Do NIST AI RMF or ISO 42001 still give me a safe harbor in Colorado?

No. SB 26-189 removed the rebuttable-presumption safe harbor; following NIST AI RMF or pursuing ISO 42001 certification is no longer a codified legal defense in Colorado. They remain valuable practice for building the notice, disclosure, correction, and human-review workflows the law expects. Generate verifiable evidence — not just policies claiming the work happened, but cryptographic proof that disclosures went out and reviews occurred.

References

[CO1] Colorado General Assembly, “SB26-189 Automated Decision-Making Technology” (signed May 14, 2026; substantive compliance Jan 1, 2027) — leg.colorado.gov/bills/sb26-189. Corroborated by Holland & Knight, Crowell, Seyfarth, Norton Rose Fulbright, and Finnegan analyses of the repeal-and-replace.
[CO2] Colorado General Assembly, “SB24-205 Consumer Protections for Artificial Intelligence” (original 2024 Act, repealed and replaced) — leg.colorado.gov/bills/sb24-205.
[CO3] Colorado General Assembly, “SB25B-004” (2025 delay bill that moved the original Act to a June 30, 2026 date that never went live) — leg.colorado.gov/bills/sb25b-004.
[CO4] White House, “Eliminating State Law Obstruction of National Artificial Intelligence Policy” (Dec 11, 2025) — whitehouse.gov. No enacted federal law preempts state AI rules; see Ropes & Gray analysis of the federal preemption push.
[CPA] Colorado Privacy Act profiling opt-out provisions (C.R.S. § 6-1-1301 et seq.).
[EU] European Union, “Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act)” — eur-lex.europa.eu. High-risk dates in the legal text are 2 Aug 2026; a Digital Omnibus provisional agreement proposes postponement, pending formal adoption.