
Colorado AI Act Compliance Guide


Introduction

This Colorado AI Act compliance guide explains a law that changed shape twice before it ever took effect. Colorado passed the first broad state artificial intelligence statute in 2024, a milestone documented by the Colorado General Assembly record. Lawmakers then delayed the start date and, on May 14, 2026, repealed and replaced the framework entirely. The rules that now matter live in Senate Bill 26-189, the Automated Decision-Making Technology Act. That statute takes effect on January 1, 2027, and it reshapes what developers and deployers must do. This guide walks through every duty, deadline, and penalty in plain language for busy compliance teams. You will also find an interactive readiness tool, a data chart, worked examples, and detailed case studies.

Quick Answers on the Colorado AI Act

Is the original Colorado AI Act still in effect?

No. The Colorado AI Act known as SB 24-205 was repealed and replaced by SB 26-189 before it ever took effect.

When does the replacement Colorado AI law take effect?

The replacement Colorado AI law, SB 26-189, takes effect January 1, 2027, so build your compliance program well before that date.

Who enforces the Colorado AI Act?

Only the Colorado Attorney General enforces the Colorado AI Act, treating violations as deceptive trade practices with a limited 60-day cure period.

Key Takeaways

  • The original Colorado AI Act, SB 24-205, never took effect and was replaced by the narrower SB 26-189 ADMT Act.
  • Deployers must give notice, explain adverse automated decisions within 30 days, and offer meaningful human review.
  • The Colorado Attorney General holds exclusive enforcement power, with a 60-day cure period that vanishes for knowing or repeated violations.
  • Preparation should start now, since the January 1, 2027 effective date arrives with detailed record-keeping obligations.


What Is the Colorado AI Act Compliance Guide?

This Colorado AI Act compliance guide is a practical roadmap to SB 26-189, the state law regulating automated decision-making technology. It explains deployer notice, adverse-outcome explanations, human review, and developer documentation duties that take effect on January 1, 2027.

Interactive tool: Colorado AI Act Compliance Readiness Check

Answer four quick prompts to estimate your exposure under the SB 26-189 ADMT framework before January 1, 2027. The tool reports a coverage exposure based on your role and options, and a readiness score where higher is better; aim for full notice, explanation, and human review.

How Colorado Became the First State to Regulate AI Broadly

Given the pace of automated hiring and lending, Colorado moved first among the states in 2024. Governor Jared Polis signed Senate Bill 24-205, a law that the state legislature published in full. The measure aimed to protect consumers from algorithmic discrimination in high-risk artificial intelligence systems. It borrowed structure from the European risk-based model, then adapted it for United States consumer protection. National observers called it the most sweeping state artificial intelligence statute passed to that point. For context on the broader landscape, our overview of AI governance trends and regulations is useful.

The 2024 law targeted consequential decisions in employment, housing, lending, insurance, healthcare, and government services. Developers and deployers faced reasonable-care duties, impact assessments, and public summaries of their systems. Small employers with fewer than 50 workers sat outside several of those original obligations. Business groups warned that the compliance burden would fall heavily on startups and mid-sized firms. Civil-rights advocates countered that automated bias needed firm guardrails before it scaled further. That tension set the stage for the dramatic reversal that followed two years later.

Regulators and companies spent 2025 preparing for a February 2026 start date that kept slipping. The legislature first pushed the effective date to June 30, 2026, buying more time to negotiate. Lobbyists, agencies, and lawmakers argued over scope, definitions, and the sheer cost of compliance. Those negotiations produced a very different statute, which this compliance guide now unpacks in detail. Understanding that history explains why so much published advice about the law is already outdated.

The Shift From SB 24-205 to the SB 26-189 ADMT Framework

The legislature then reversed course before the original rules ever bound anyone. On May 14, 2026, Governor Polis signed SB 26-189, a change analyzed by Skadden. The new statute repeals SB 24-205 outright and replaces it with a narrower framework. It is formally the Automated Decision-Making Technology Act, often shortened to the ADMT Act. The reset shows how quickly regulation shifts in fast-moving AI policy areas. Every compliance plan built around the 2024 text now needs a careful rewrite.

The most visible change is a shift from broad risk management to targeted transparency. SB 24-205 required reasonable care, impact assessments, annual reviews, and public system summaries. SB 26-189 instead centers on notice, explanation, correction, and a right to human review. The duty of care against algorithmic discrimination as a standalone obligation is gone. In its place sits a disclosure regime tied to Colorado consumer protection law. That trade reduces paperwork but sharpens the focus on consumer-facing communication.

The scope also narrowed from high-risk systems to covered automated decision-making technology. Both versions reach the same sectors, including employment, housing, lending, insurance, healthcare, and education. The new law drops the standalone small-business exemption that protected employers under 50 workers. It also removed several conditional carve-outs that previously shielded some federally regulated entities. As a result, many organizations that felt safe under the old text now fall inside scope. Reading the current statute rather than 2024 summaries is essential for an accurate assessment.

The effective date moved as well, landing firmly on January 1, 2027. The Colorado Attorney General must adopt clarifying rules before that same date arrives. Those rules will define how the notice and explanation duties work in practice. Businesses should treat the statutory text as a floor and watch rulemaking closely. This compliance guide will track the duties that the statute already makes concrete. Waiting for final rules before starting preparation is a common and costly mistake.

Who Must Comply as a Developer or Deployer

Turning to who actually carries the burden, the statute splits responsibility between developers and deployers. A developer builds, codes, or substantially modifies a covered automated decision-making technology. A deployer is the organization that actually uses that system on Colorado consumers. Many firms act as both, since they build internal tools and then run them. Our piece on whether AI can ensure justice fairly shows why pinning down who answers for a decision matters to the people affected. The reduced obligations for employers were detailed by Littler after the amendment passed.

The dropped small-business exemption matters most for lean teams that assumed they were exempt. Any deployer using covered technology for consequential decisions about residents now falls within scope. Size no longer provides automatic shelter, though enforcement discretion may still consider it. Contractors, vendors, and staffing agencies should map their exact role before January 2027. Clarifying whether you are a developer, a deployer, or both drives every later duty. Written role definitions in vendor contracts will reduce finger-pointing when regulators ask questions.

Covered ADMT and Consequential Decisions Explained

Beyond the labels, the law turns on two defined terms that decide whether it applies. Covered automated decision-making technology processes personal data to materially influence a consequential decision. A consequential decision meaningfully affects access to core life opportunities and services. The statute lists employment, housing, lending, insurance, healthcare, education, and essential government services. Legal services and similar high-stakes contexts also fall inside the covered universe. Systems that merely support real-time operations can still qualify, as our piece on AI real-time decision systems shows.

The phrase materially influence is doing heavy lifting inside the definition. A system that simply scores or ranks applicants can materially influence the final call. Full automation is not required, since human rubber-stamping of a model still counts. That breadth is why documentation about how each model feeds decisions matters so much. The Finnegan overview of SB 26-189 walks through these definitions carefully. Teams should catalog every model that touches a listed sector before the deadline.

Some tools sit at the edge, such as fraud filters or spam classifiers. The safest approach treats any model influencing a listed decision as potentially covered; a fraud score that feeds a loan or tenancy denial influences that decision even though its stated purpose is security. Anti-fraud and security exemptions may apply, but they are narrow and fact-specific, so where doubt exists, write down the analysis that relies on them. A clear inventory that flags borderline systems is the backbone of defensible compliance.

Consumer Notice Duties Before an Automated Decision

With that scope in mind, the first operational duty is a clear notice to consumers. Deployers must give clear and conspicuous notice before covered technology influences a consequential decision. The notice appears at the point of interaction, close to the transaction itself. It must explain that automated technology is in use and how to learn more. A link or posted statement near the interaction can satisfy the placement requirement. This mirrors wider fights over disclosure, echoing our coverage of the AI impact on privacy.

Notice sounds simple, yet operational details trip up many teams during rollout. The language must be plain, specific, and readable by ordinary consumers under pressure. Guidance from Epstein Becker Green stresses building notice into existing consumer journeys. Generic privacy boilerplate buried in a footer will not meet the standard. Deployers should test notices with real users to confirm they are actually understood. Version control on notice text creates the paper trail regulators will expect.

Adverse Outcome Explanations and the 30-Day Rule

Moving on from notice, the statute adds a harder duty once a decision goes against someone. When covered technology drives an adverse consequential decision, a detailed explanation becomes mandatory. The deployer has 30 days from that decision to deliver a plain-language description. The explanation covers the decision, the role the technology played, and the main data inputs. It also tells the consumer how to request more information and exercise their rights. Our coverage of the suit against Apple over AI disclosure shows how litigated this area already is.

The 30-day clock is strict and should drive internal workflow design early. Analysis from the Consumer Finance Monitor flags this window as an operational challenge. Lenders, insurers, and employers make thousands of adverse decisions across a year. Each one can trigger an explanation request that must be answered on time. Automating the explanation package is the only realistic path at meaningful scale. Manual drafting for every denial will collapse under ordinary transaction volume.

Explanations must be accurate, since a misleading description can itself invite enforcement. The description should avoid trade-secret disclosure while still being genuinely informative, and it should never reveal another consumer's data or enough of the model's internals to let applicants game the decision. Balancing candor with confidentiality is the central drafting challenge in this duty. Legal and data-science teams should co-author explanation templates well before launch. Templates tied to each model reduce both error and turnaround time under the deadline.

Meaningful Human Review and Data Correction Rights

Building on the explanation right, the law gives consumers a path to challenge the outcome. A consumer may request meaningful human review after an adverse consequential decision. The deployer must designate a trained individual to conduct that review. That reviewer needs real authority to override the automated result when warranted. Guidance from Greenberg Traurig stresses that the review cannot be a hollow formality. Our piece on the AI impact on intellectual property law shows another setting where human judgment still matters.

Meaningful review is a demanding standard that ordinary escalation queues rarely meet. The reviewer must understand the model, the inputs, and the consumer’s specific situation. A checkbox approval without genuine analysis will not satisfy the statute. Training records for reviewers become part of the compliance evidence you retain. Staffing this function is a real cost that leaders should budget for now. Under-resourcing review is a fast route to systemic violations at scale.

Alongside review, consumers can correct inaccurate personal data used in the decision. If the underlying data was wrong, the consumer can demand a fresh look. Deployers must build intake channels that capture and route correction requests, and those channels need to verify the requester's identity before disclosing inputs or changing records; otherwise the correction right becomes a path for an impersonator to read or alter someone else's data. The correction right ties directly to data-quality practices across the pipeline. Poor data hygiene turns every correction request into an expensive investigation. Clean, well-documented data reduces both errors and the volume of disputes.

Together these rights push deployers toward stronger data governance overall. Accurate inputs, clear audit trails, and empowered reviewers reinforce one another. Weakness in any one area undermines the entire consumer-protection promise. Firms that already invested in governance will adapt with far less friction. Those starting from scratch face a steeper climb before the 2027 deadline. Beginning with a data inventory is the most productive first move.

Developer Documentation and Transparency Duties

Shifting focus to the upstream party, developers carry their own transparency duties under the statute. Developers must give deployers documentation on intended uses of the covered technology. That package covers training-data categories, known limitations, and foreseeable risks. It also includes instructions for monitoring and for meaningful human review. Strong metrics for AI data quality make this documentation far more credible. The Lathrop GPM summary describes these developer duties in useful detail.

Documentation is where developer and deployer obligations connect into one chain. A deployer cannot explain an adverse decision without solid developer inputs. Vague or missing documentation exposes both parties to shared liability. Procurement teams should demand this material as a contract condition. Standardized documentation templates will speed vendor reviews across the market. Buyers who accept opaque systems inherit the compliance gap themselves.

Algorithmic Discrimination and How Liability Is Shared

Beyond process duties, the law keeps a substantive concern about discriminatory automated outcomes. Both developers and deployers can face liability for unlawful algorithmic discrimination. Liability tracks relative fault rather than falling on a single party. If a deployer uses a system as documented and results still discriminate, the developer may answer. This allocation resembles the broader debates explored in our piece on how AI ethics and laws intersect. The Troutman analysis details how fault is apportioned between the parties.

The statute voids contract clauses that try to shift discrimination liability entirely. Indemnification language cannot rewrite the fault-based allocation the law imposes. That rule prevents large players from dumping risk onto smaller partners. Vendors and buyers should revisit existing contracts with this limit in mind. Old indemnities drafted before 2026 may no longer function as intended. Legal review of the contract portfolio is a concrete near-term task.

Enforcement of discrimination claims still runs through the Attorney General alone. There is no private right of action for individuals under this statute. That design concentrates risk in state investigations rather than class litigation. It does not, though, remove exposure under other federal civil-rights laws. Overlapping obligations mean that ongoing discrimination testing remains a genuinely wise and defensible investment. Documented fairness testing is the strongest defense a deployer can build.

Ethics, Fairness, and Bias in Automated Colorado Decisions

Stepping back from the statute text, the ethical stakes of automated decisions deserve direct attention. Automated systems can encode historical bias into life-changing outcomes at scale. A biased hiring or lending model harms real people far beyond any fine. Colorado’s framework treats fairness as a consumer-protection value, not a mere formality. Our explainer on AI copyright lawsuits shows how contested automated systems have become. The National Association of Attorneys General has examined these fairness concerns closely.

Ethical practice reaches well beyond the bare minimum that the statute itself formally requires. Regular bias testing across protected groups catches problems before consumers do. Transparent model cards help internal teams reason about fairness honestly. Diverse review panels reduce blind spots that homogeneous teams often miss. These habits also make the required explanations more accurate and defensible. Ethics and compliance reinforce each other rather than competing for budget.

Fairness is hard because definitions of fairness genuinely conflict with one another. Optimizing for one metric can worsen another across different groups. There is no purely technical fix for these value-laden trade-offs. Leaders must make and document deliberate choices about acceptable outcomes. Recording that reasoning demonstrates good faith during any later inquiry. Silent trade-offs, by contrast, look like negligence when regulators review them.

Compliance Risks and Enforcement Penalties You Face

Given the enforcement design, the practical risks concentrate in a few costly failure modes. The Attorney General enforces the law through the Colorado Consumer Protection Act. A violation counts as a deceptive trade practice under that consumer statute. Before acting, the Attorney General must issue notice and a 60-day cure period. That cure window disappears for knowing or repeated violations of the law. Formal rulemaking details live on the Colorado Attorney General AI page.

Deceptive-trade-practice exposure can bring significant civil penalties that accumulate for each separate violation. At transaction scale, repeated notice or explanation failures compound quickly. Reputational harm often outweighs the direct financial penalty for consumer brands. A new AI risk assessment benchmark, covered elsewhere on this site, can help teams prioritize fixes. The safest posture treats the cure period as a backstop, not a plan. Getting notice and explanation right the first time avoids the whole cascade.

Putting Colorado AI Act Compliance Into Practice

In practice, turning legal duties into daily operations requires a small number of durable habits. Start with a complete inventory of every model that touches a covered decision. Map each system to a developer, a deployer, or a combined role. Attach owners, data sources, and documentation status to each inventory entry. This living inventory becomes the spine of the whole compliance program. Autonomous tools that challenge oversight frameworks make this mapping even more urgent.

Next, wire the consumer notice into the actual product interface. Place it at the decision point, not in a distant policy page. Track versions so you can prove what each consumer saw and when; recording the version identifier or a hash of the displayed text on each decision record makes that proof concrete. Coordination between product, legal, and engineering teams is unavoidable here. A shared notice component reused across products reduces drift and error. Centralized ownership of the notice text prevents inconsistent consumer messaging from creeping across products.

Then build the adverse-outcome explanation and the human-review workflows together as one connected system. Template the explanation for each model to hit the 30-day deadline. Route review requests to trained staff with genuine override authority. Log every request, response, and decision for the record retention duty, and keep those logs append-only and access-controlled, since they are the evidence you will hand to a regulator. Rehearse the workflow with test cases before real requests arrive. A dry run exposes bottlenecks while the stakes are still low.

Finally, close the loop with monitoring, testing, and periodic audits. Schedule bias testing and documentation reviews on a fixed calendar. Retain records for at least three years from each consequential decision. Assign a named accountable owner for the overall compliance program. Report status to leadership so resourcing keeps pace with volume. Continuous review beats a one-time scramble right before the deadline.

Mapping Colorado Rules to the EU AI Act and Other States

Beyond Colorado’s borders, the same core duties now surface across several other emerging regimes worldwide. The European Union’s AI Act sets a binding, risk-tiered benchmark that many global firms already track closely. Texas enacted its Responsible Artificial Intelligence Governance Act, which took effect at the start of 2026. Utah adopted disclosure obligations for consumers who interact with generative systems in regulated occupations. Reading these regimes together, echoing our overview of AI governance trends and regulations, reveals a shared direction. Notice, explanation, and human oversight recur as the common backbone across every serious framework.

The differences still matter for any organization operating across multiple jurisdictions at once. The European law imposes conformity assessments that the leaner Colorado statute never requires. Colorado, by contrast, ties enforcement tightly to its existing consumer-protection machinery. A firm that satisfies the strictest regime usually clears most of the lighter ones, though jurisdiction-specific mechanics such as Colorado’s 30-day explanation clock still need their own controls. That reality pushes multistate companies toward a single high-water-mark governance standard. Designing to the toughest applicable rule reduces the cost of tracking many moving targets.

Comparing regimes also clarifies where Colorado deliberately chose a narrower path. It dropped standalone impact assessments that both the European model and the original 2024 law required. It kept the consumer-facing rights that ordinary people actually notice and use. This selective borrowing shows lawmakers weighing administrative burden against genuine consumer benefit. Watching how these choices perform will shape the next wave of state legislation. For now, the practical lesson is to build flexibly enough to absorb further change.

Building an AI Governance Team That Owns Compliance

Turning to organization design, compliance needs a clear owner rather than diffuse and unassigned goodwill. A cross-functional governance team should join legal, data science, product, and risk leaders around one table. That group sets policy, approves new systems, and signs off on notices and explanation templates. Without a named owner, duties fall through the cracks between departments that each assume another will act. Our piece on whether AI ensures justice fairly shows why accountable human ownership matters so much. The team also becomes the single point of contact when the Attorney General asks questions.

Staffing this function is a real budget line, not a volunteer side project for busy managers. Reviewers, auditors, and a program lead all require dedicated time and genuine authority to act. Small firms can start with one accountable owner who coordinates part-time contributors across teams. Larger enterprises may need a standing office with quarterly reporting to executive leadership. Either way, the governance team should meet on a fixed cadence rather than only during crises. Regular meetings keep the living inventory current as new models enter production each month. A standing agenda also ensures that notice, explanation, and review gaps get surfaced long before any regulator asks about them.

Common Colorado AI Compliance Mistakes to Avoid

Given how new these rules are, a few predictable mistakes already recur across early compliance programs. The first is relying on outdated guidance that still treats the repealed 2024 law as live. Analysis from the National Association of Attorneys General helps teams separate current duties from obsolete ones. Reading the actual SB 26-189 text prevents building a program around requirements that no longer exist. This mistake wastes budget on impact assessments the replacement statute quietly removed. Starting from the current statute rather than old summaries avoids that expensive detour entirely.

A second mistake is assuming that small size still grants an automatic exemption. The replacement law deleted the carve-out that once protected employers under 50 workers. Any deployer using covered technology for consequential decisions now falls within the law’s reach. Teams that skip preparation on that false assumption face a compressed scramble before 2027. Confirming your status early removes a dangerous and very common blind spot. Written role definitions in contracts make that status unambiguous during any later inquiry.

A third mistake is treating consumer notice as a one-time legal checkbox. Notice must live at the decision point and stay accurate as products change over time. Stale notices that no longer match the system invite enforcement as deceptive practices. Version control and a single owning team keep the language honest and current. Our coverage of the AI impact on privacy underscores how much disclosure detail matters. Auditing notices on a schedule catches drift before a regulator ever does.

A fourth mistake is under-resourcing the human-review and explanation workflows entirely. Both duties scale with transaction volume, which climbs faster than manual teams can absorb. Automating explanations and staffing trained reviewers early prevents systemic failures later. Firms that wait until volume spikes discover the gap at the worst possible moment. Investing before the deadline turns a looming crisis into an ordinary operating cost. The pattern across every mistake is the same, since delay always proves more expensive than preparation.

How to Build a Colorado AI Act Compliance Program

This section turns the duties above into a concrete build sequence for the Colorado AI Act compliance guide. Each step maps to a specific statutory obligation that you can document, test, and defend before the January 1, 2027 effective date arrives.

Step 1 – Inventory every automated decision system

Begin by cataloging each model that processes personal data to influence a consequential decision across your organization. Record its purpose, owner, data sources, and whether you act as the developer or the deployer for that system. Because the replacement law removed the old exemption for employers under 50 workers, no organization can assume it sits outside scope. Capture the inventory in a simple structured format that your whole team can query, filter, and update over time. Aim to register every system within the first 30 days of the project so nothing slips through unnoticed. Pro tip: treat any model that ranks or scores people as in scope until you can prove otherwise. Cross-check your list against the enforcement lessons in our coverage of New York City’s ignored AI hiring law to surface systems teams routinely forget to register.

Step 2 – Draft and place consumer notices

Write a plain-language notice for each covered system and place it at the exact point of interaction with the consumer. Explain clearly that automated technology is in use and describe how the consumer can request additional information. Store the exact text under version control so you can later prove precisely what was shown and when it appeared. Keep the wording specific to the decision rather than reusing generic privacy boilerplate buried in a distant footer. Test the notice with at least 5 real users to confirm that ordinary people understand it under time pressure. Reuse a single shared notice component across products so messaging stays consistent and does not drift between teams. Assign one owner for the notice library so that every future change flows through a single reviewed pipeline.

Step 3 – Automate adverse-outcome explanations

Build an explanation template for every model so that denials generate a compliant description automatically rather than by hand. Include the decision, the role the technology played, the key inputs, and a clear statement of the consumer rights involved. Wire the template to fire within the strict 30-day statutory window after each adverse consequential decision is recorded. Log every generated explanation with a precise timestamp so you can demonstrate timeliness during any later review. Have legal and data-science teams co-author the language so it balances genuine candor against legitimate trade-secret concerns. Because lenders and insurers make thousands of adverse decisions each year, manual drafting simply cannot keep pace with real volume. Automation is the only realistic way to meet this duty reliably once transaction counts climb into the thousands.

Step 4 – Stand up meaningful human review

Designate and train specific reviewers who hold genuine authority to override an automated decision when the facts warrant it. Give each reviewer full access to the model logic, the underlying inputs, and the consumer’s complete situational context. Route every review request through a tracked queue with a clear turnaround target, such as 48 hours per case. Retain training records and review outcomes as part of the compliance evidence that regulators may later request from you. Avoid hollow rubber-stamp approvals, since the statute demands real analysis by at least one qualified human reviewer. Budget for this staffing now, because under-resourcing the review desk is a fast route to systemic violations at scale. A documented escalation path ensures difficult cases reach a senior reviewer rather than stalling in an ordinary queue.

Step 5 – Retain records and schedule audits

Keep records sufficient to demonstrate compliance for at least 3 years from the date of each consequential decision. Store notices, explanations, review outcomes, and developer documentation together in one system that supports fast retrieval. Schedule recurring bias testing and documentation reviews on a fixed calendar rather than reacting only when problems surface. Assign a single named owner who is accountable for the overall program, its metrics, and its reporting to leadership. Watch the Attorney General rulemaking closely and update your templates as the final clarifying rules land during 2026. Report program status to executives each quarter so that resourcing keeps pace with rising transaction volume and new systems. A standing audit rhythm turns compliance into a predictable routine instead of a frantic scramble before the deadline.
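Steps 2, 3 and 5 above come down to a handful of dated, provable records, so here is an added example written for this guide; it is not code from the statute, the Attorney General, or any vendor. The Python module hashes the notice text actually shown, derives the 30-day explanation due date and the three-year retention date from a decision timestamp, classifies whether an explanation is pending, overdue or delivered late, and keeps the compliance events in a hash-chained ledger whose verify() catches any later edit. The calendar-day reading of the 30-day window, the field names, the event names and the sample lending decision are assumptions; the statute and the forthcoming rules control the operative definitions.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Day counts mirror the article's summary; the calendar-day reading is an assumption.
EXPLANATION_WINDOW = timedelta(days=30)
RETENTION_YEARS = 3
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Decision:
    decision_id: str
    system_id: str      # key into the model inventory (Step 1)
    notice_hash: str    # hash of the exact notice text shown (Step 2)
    decided_at: datetime
    adverse: bool


def notice_hash(notice_text: str) -> str:
    """SHA-256 of the wording actually displayed, stored per decision so the
    deployer can later prove which notice version the consumer saw."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def explanation_due(decision: Decision) -> Optional[datetime]:
    """Adverse decisions start the 30-day explanation clock; others have none."""
    return decision.decided_at + EXPLANATION_WINDOW if decision.adverse else None


def retention_until(decision: Decision) -> datetime:
    """Three calendar years (not 3*365 days, which undershoots by leap days)."""
    d = decision.decided_at
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # Feb 29 with no counterpart in the target year
        return d.replace(year=d.year + RETENTION_YEARS, month=3, day=1)


def explanation_status(decision: Decision, delivered_at: Optional[datetime], now: datetime) -> str:
    due = explanation_due(decision)
    if due is None:
        return "not_required"
    if delivered_at is not None:
        return "delivered_on_time" if delivered_at <= due else "delivered_late"
    return "overdue" if now > due else "pending"


class ComplianceLedger:
    """Append-only, hash-chained record of notices, decisions, explanations and
    review outcomes; verify() recomputes every hash, so an edited entry breaks the chain."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, event: str, payload: dict, at: datetime) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        body = {"seq": len(self._entries), "at": at.isoformat(),
                "event": event, "payload": payload, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self._entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for seq, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_sample_ledger():
    """Constructed sample: one adverse lending decision, explanation sent on day 12."""
    notice = "An automated system scores this application. Ask us for details or human review."
    decided = datetime(2027, 2, 1, 9, 30, tzinfo=timezone.utc)
    decision = Decision("dec-0001", "credit-score-v3", notice_hash(notice), decided, adverse=True)
    ledger = ComplianceLedger()
    ledger.append("notice_shown", {"system_id": decision.system_id,
                                   "notice_hash": decision.notice_hash}, decided)
    ledger.append("decision", {"decision_id": decision.decision_id, "adverse": True,
                               "explanation_due": explanation_due(decision).isoformat(),
                               "retain_until": retention_until(decision).isoformat()}, decided)
    explained_at = decided + timedelta(days=12)
    ledger.append("explanation_sent", {"decision_id": decision.decision_id}, explained_at)
    return decision, ledger, explained_at


def detects_tampering(ledger: ComplianceLedger) -> bool:
    """True when rewriting a committed entry (here, flipping 'adverse') is caught."""
    forged = copy.deepcopy(ledger)
    forged._entries[1]["payload"]["adverse"] = False
    return not forged.verify()
```

The chain only proves that the ledger has not been altered since the hashes were written; to turn it into evidence a regulator will trust, periodically anchor the latest hash somewhere the deployer cannot quietly rewrite (a signed daily digest, write-once storage, or a second system under separate access control) and keep the ledger itself append-only at the database level.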

The Future of AI Regulation in Colorado and Beyond

Looking ahead, Colorado sits inside a fast-moving national contest over who governs AI. Texas enacted its Responsible Artificial Intelligence Governance Act, effective in January 2026. Utah adopted disclosure rules for consumers interacting with generative systems. The European Union’s AI Act, tracked alongside the Colorado law, sets a binding global benchmark. Reliability failures, such as the chatbot that cited a fake case in our earlier coverage, keep pressure on lawmakers. This patchwork forces multistate firms to reconcile several overlapping regimes at once.

Federal action could reshape the picture through preemption or a national standard. So far, Congress has not passed a comprehensive federal artificial intelligence law. That vacuum leaves states as the primary source of enforceable rules. Colorado’s reset from SB 24-205 signals how volatile these frameworks remain. Companies should design flexible programs that adapt as statutes change. Hard-coding today’s exact text into rigid systems invites expensive rework.

The near-term future centers on the Colorado rulemaking due by January 2027. Those rules will clarify notice, explanation, and review in operational detail. Early movers who build now can adjust at the margins later. Laggards may face a compressed scramble as the deadline approaches. The durable lesson is that AI governance is now a permanent business function. Colorado will keep refining these duties, so revisiting your compliance program each quarter keeps it genuinely current. Treating this Colorado AI Act compliance guide as a living playbook is the wisest stance.

Colorado AI Compliance Timeline and Duty Load

Relative implementation weight of each SB 26-189 duty as businesses prepare for the January 1, 2027 effective date.

Duty | Relative weight
Consumer notice before decision | 70
30-day adverse outcome explanation | 85
Meaningful human review workflow | 90
Developer documentation package | 60
Three-year record keeping | 50

Source: duties summarized from the Colorado General Assembly text of SB 26-189; chart data by aiplusinfo.com. Weights are an editorial estimate of implementation effort.

Key Insights

  • Colorado enacted the first broad United States state AI statute in 2024, a milestone the General Assembly bill record preserves for reference.
  • Governor Polis signed the bill that repealed and replaced that law on May 14, 2026, a pivot Skadden’s published analysis describes as a fundamental redesign.
  • The replacement statute, SB 26-189, takes effect January 1, 2027, per the Colorado legislature’s official text, giving teams a firm deadline.
  • Deployers must deliver an adverse-outcome explanation within 30 days, a window the Consumer Finance Monitor flags as operationally demanding at scale.
  • The statute provides only a 60-day cure period, and that cure period does not apply to knowing or repeated violations, as the Colorado Attorney General’s guidance confirms.
  • Deployers must retain compliance records for at least three years, an obligation the Lathrop GPM summary ties to each consequential decision.
  • SB 26-189 eliminated the exemption for employers under 50 workers, a change Littler’s client alert says widens the law’s reach considerably.
  • Developers and deployers share discrimination liability by relative fault, an allocation Troutman’s review says voids conflicting indemnity clauses.

These duties fit together into a single consumer-protection chain from notice through explanation to human review. Colorado narrowed its original ambitions but sharpened the parts that consumers actually experience day to day. The reset also widened who must comply by dropping old exemptions and several federal carve-outs. Enforcement sits entirely with the Attorney General, which concentrates risk in state investigations rather than private lawsuits. The practical lesson is that early, documented preparation beats waiting for the final agency rules. Treating this work as an ongoing function rather than a one-time project is the real throughline.

Dimension | SB 24-205 (repealed) | SB 26-189 (replacement)
Legal status | Repealed before taking effect | Enacted, effective January 1, 2027
Core approach | Risk management and duty of care | Transparency and disclosure
Scope term | High-risk AI systems | Covered ADMT
Impact assessments | Required, with annual reviews | Not required
Consumer notice | Required | Required and central
Adverse explanation | Limited obligation | Mandatory within 30 days
Human review | Not a standalone right | Explicit consumer right
Small-business exemption | Under 50 employees | Eliminated
Enforcement | Attorney General only | Attorney General only
Cure period | Limited | 60 days, none for knowing or repeated violations

Real-World Examples of Colorado AI Compliance in Action

Colorado’s Own Legislative Reset

Colorado itself ran the clearest example when it rolled back its landmark law before enforcement began. The legislature first pushed the effective date from February 1 to June 30, 2026, buying roughly 150 days. It then adopted SB 26-189, which the Norton Rose Fulbright analysis describes as a full replacement. The measurable result was a reset timeline that now ends firmly on January 1, 2027. The limitation was real, since firms that had already deployed impact-assessment programs had to rework them. Teams that hard-coded the 2024 rules absorbed the largest switching cost of the whole reset.

Multistate Hiring Tool Alignment

Large multistate employers piloted a single governance standard rather than juggling several conflicting state rules. They adopted bias-audit and notice practices modeled on the strictest jurisdictions across their hiring stack. One documented outcome was consolidating duplicated review work and cutting that overhead by an estimated 30 percent. The Warden AI comparison of the statutes helped teams map the overlapping duties. The limitation was that a single standard sometimes over-complied in states with lighter requirements. That trade raised near-term cost even as it steadily reduced long-term legal and reputational risk across the entire hiring portfolio.

Insurance Model Governance Carryover

Colorado insurers had already deployed model-governance frameworks under the state’s earlier insurance AI regulation. They implemented quantitative bias testing for life-insurance underwriting that relied on external consumer data. That program cut undocumented underwriting decisions by an estimated 45 percent across thousands of annual cases. Guidance summarized by the Finnegan SB 26-189 overview shows how those habits transfer forward. The limitation was that insurance-specific rules did not map perfectly onto the broader ADMT duties. Some consumer notice and adverse-explanation gaps still required substantial new build work despite the meaningful head start these insurers enjoyed.

Case Studies: Lessons From Early AI Governance Programs

Case Study: A Regional Bank’s Lending Explanations

A representative regional bank faced a clear problem, since its credit models produced thousands of adverse decisions with opaque reasons. Applicants could not learn why they were denied, and the 30-day explanation duty loomed. The bank built an automated explanation pipeline that generated a plain-language reason for each denial. It wired that pipeline to fire within the statutory window and logged every message for retention. The measurable impact was a turnaround cut to under 30 days and a 40 percent drop in manual drafting. The limitation was quality, because early explanations were sometimes too vague to satisfy reviewers.

The bank then refined its templates with legal and data-science teams working side by side. Practical guidance from the Consumer Finance Monitor shaped how it balanced candor against trade-secret concerns. Later explanations named the top inputs without exposing proprietary model weights. The remaining challenge was volume, since spikes in applications still strained the review desk. The lesson is that automation solves the deadline but not the quality problem by itself. Ongoing template tuning proved as important as the original build.
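The balance the bank struck, naming the inputs that drove a denial without disclosing how the model weighs them, can be made concrete. The example below is written for this guide and is not the bank's pipeline or any vendor's product; it assumes a logistic-style scoring model in which each input contributes weight times the gap between the applicant's value and a reference profile, and every name, weight, reference value, and applicant record in it is constructed for illustration. It ranks the inputs that pushed hardest toward denial, phrases each as a direction relative to the reference rather than as a number, stamps the package with the 30-day due date, and runs a release gate that refuses any letter text containing a weight, intercept, or threshold value.

```python
"""Adverse-decision explanation that names top inputs but not model weights.

Added example, not the bank's pipeline or any vendor's code. Assumes a
logistic-style scoring model in which each input's contribution is
weight * (value - reference); the input names, weights, reference profile
and applicant record below are all constructed for illustration.
"""
from __future__ import annotations

import math
from datetime import date, timedelta

EXPLANATION_WINDOW_DAYS = 30   # 30-day adverse-outcome explanation window
APPROVAL_THRESHOLD = 0.5
INTERCEPT = 0.2

# Proprietary in a real deployment: these numbers must never reach the consumer letter.
MODEL_WEIGHTS = {
    "annual_income_k": 0.012,
    "months_at_employer": 0.004,
    "debt_to_income_pct": -0.035,
    "recent_delinquencies": -0.45,
    "credit_age_years": 0.03,
}
# Reference profile the explanation compares against (constructed).
REFERENCE_PROFILE = {
    "annual_income_k": 75, "months_at_employer": 36, "debt_to_income_pct": 30,
    "recent_delinquencies": 0, "credit_age_years": 8,
}
PLAIN_NAMES = {
    "annual_income_k": "annual income",
    "months_at_employer": "time with current employer",
    "debt_to_income_pct": "debt-to-income ratio",
    "recent_delinquencies": "number of recent delinquencies",
    "credit_age_years": "age of credit history",
}
SAMPLE_APPLICANT = {   # constructed applicant who is denied under this model
    "annual_income_k": 42, "months_at_employer": 8, "debt_to_income_pct": 48,
    "recent_delinquencies": 2, "credit_age_years": 3,
}


def contributions(applicant: dict) -> dict:
    """Per-input push toward approval (positive) or denial (negative)."""
    return {name: w * (applicant[name] - REFERENCE_PROFILE[name])
            for name, w in MODEL_WEIGHTS.items()}


def score(applicant: dict) -> float:
    """Approval probability from the logistic model."""
    logit = INTERCEPT + sum(contributions(applicant).values())
    return 1.0 / (1.0 + math.exp(-logit))


def top_adverse_inputs(applicant: dict, k: int = 3) -> list[str]:
    """Input names that pushed hardest toward denial, most negative first."""
    negative = [(name, c) for name, c in contributions(applicant).items() if c < 0]
    negative.sort(key=lambda item: item[1])
    return [name for name, _ in negative[:k]]


def explain_denial(applicant: dict, decision_date: str, k: int = 3) -> dict:
    """Build the explanation package for an adverse decision.

    Reasons state direction relative to the reference profile only; weights,
    contributions and the score itself are deliberately omitted.
    """
    if score(applicant) >= APPROVAL_THRESHOLD:
        raise ValueError("decision was not adverse; no explanation owed")
    reasons = []
    for name in top_adverse_inputs(applicant, k):
        direction = "higher" if applicant[name] > REFERENCE_PROFILE[name] else "lower"
        reasons.append(f"Your {PLAIN_NAMES[name]} was {direction} than what the model "
                       f"typically sees in approved applications.")
    decided = date.fromisoformat(decision_date)
    return {
        "decision": "denied",
        "technology_role": "An automated decision-making system produced this outcome.",
        "reasons": reasons,
        "explanation_due": (decided + timedelta(days=EXPLANATION_WINDOW_DAYS)).isoformat(),
        "consumer_rights": [
            "You may request review of this decision by a trained human reviewer.",
            "You may correct inaccurate personal data used in this decision and request a fresh review.",
        ],
    }


def leaks_model_internals(package: dict) -> bool:
    """Release gate: True if any weight, intercept or threshold value appears in the letter text."""
    text = " ".join(package["reasons"]) + " " + package["technology_role"]
    secrets = [str(v) for v in MODEL_WEIGHTS.values()] + [str(INTERCEPT), str(APPROVAL_THRESHOLD)]
    return any(s in text for s in secrets)


if __name__ == "__main__":
    package = explain_denial(SAMPLE_APPLICANT, "2027-01-15")
    for line in package["reasons"]:
        print("-", line)
    print("explanation due by:", package["explanation_due"])
    print("leaks internals:", leaks_model_internals(package))
```

The release gate is a crude substring check and will produce false positives on ordinary numbers; its purpose is to stop a template edit from accidentally interpolating a contribution or weight into the letter, not to replace legal review of the wording. For tree ensembles or neural models the same structure applies with a different attribution method, but the letter should still carry only input names and directions.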

Case Study: A Health System’s Human-Review Desk

A representative health system struggled with automated triage that influenced consequential care decisions. Patients had no path to challenge an automated recommendation, which exposed the system to the human-review duty. The organization built and deployed a trained review desk staffed by clinicians with genuine override authority. Guidance from Epstein Becker Green informed how it defined meaningful review in practice. The measurable impact was that reviewers overturned roughly 12 percent of contested automated recommendations. The limitation was cost, since staffing and training the desk required real ongoing budget. Reviewer knowledge gaps also slowed the earliest cases before training matured.

Case Study: A Staffing Agency’s Vendor Documentation

A representative staffing agency deployed a third-party resume screener with no developer documentation on file. The problem was acute, because it could not explain adverse screening outcomes without vendor inputs. The agency renegotiated contracts to require full documentation and dropped one non-compliant vendor entirely. Analysis from Troutman’s privacy team guided how it rewrote the indemnification clauses. The measurable impact was documentation coverage rising to 100 percent of covered screening systems within two quarters. The limitation was migration cost, since replacing the refusing vendor required weeks of integration work. That expense still proved smaller than the shared liability the gap would have created.

Common Questions About the Colorado AI Act

Is the Colorado AI Act still called SB 24-205?

No, the label has actually changed in one important and often confusing way. SB 24-205 was the original Colorado AI Act passed in 2024. It was repealed and replaced by SB 26-189 before it ever took effect. The current rules live entirely in that newer automated decision-making technology statute.

When does the Colorado AI Act take effect?

The replacement law, SB 26-189, takes effect on January 1, 2027. The Colorado Attorney General must also issue clarifying rules by that same date. Businesses should build their programs well before the deadline arrives. Waiting for final rules to start preparing is a common mistake.

Who has to comply with the Colorado AI Act?

The law reaches both developers and deployers of covered automated decision-making technology. Developers build or substantially modify the systems, while deployers use them on consumers. The old exemption for employers under 50 workers was removed. Size alone no longer keeps an organization outside the law’s scope.

What is a consequential decision under the law?

A consequential decision meaningfully affects access to core opportunities and services. The statute covers employment, housing, lending, insurance, healthcare, education, and government services. Legal services and other similar high-stakes contexts also count under the same statutory definition. Any system materially influencing those outcomes may fall inside scope.

What notice must deployers give consumers?

Deployers must give clear and conspicuous notice before an automated consequential decision. The notice appears at the point of interaction with the consumer. It explains that automated technology is in use and how to learn more. Generic privacy boilerplate buried in a footer will not satisfy this duty.

How does the 30-day explanation rule work?

When covered technology drives an adverse decision, an explanation becomes mandatory. The deployer has 30 days to deliver a plain-language description of the outcome. That description covers the technology’s role, the key inputs, and the consumer’s rights. Automating this package is the only realistic way to meet the deadline at scale.

What is meaningful human review?

Meaningful human review lets a consumer challenge an adverse automated decision. A trained reviewer with real override authority must handle the request. A hollow rubber-stamp approval does not satisfy the meaningful human review standard at all. The reviewer must understand the model, the inputs, and the consumer’s situation.

Can consumers correct their data under the Colorado AI Act?

Yes, consumers can correct inaccurate personal data used in a decision. If the underlying data was wrong, they can demand a fresh review. Deployers must build channels that capture and route these correction requests. Strong data governance reduces both errors and the volume of disputes.

What are the penalties for violations?

The Attorney General enforces the law through the Colorado Consumer Protection Act. A violation counts as a deceptive trade practice under that statute. The Attorney General must first give notice and a 60-day cure period. That cure window disappears for knowing or repeated violations of the law.

Is there a private right of action?

No, private individuals cannot sue directly under this particular Colorado consumer protection statute. Enforcement rests entirely with the Colorado Attorney General and no other government party. That design concentrates risk in state investigations rather than class actions. Exposure under separate federal civil-rights laws remains regardless of how you operate under this statute.

How is this Colorado AI Act compliance guide different from older advice?

Much published advice still describes the repealed SB 24-205 as live law. This Colorado AI Act compliance guide reflects the current SB 26-189 framework. It focuses on notice, explanation, human review, and developer documentation. Reading current statutory text rather than 2024 summaries prevents costly errors.

Do small businesses get an exemption?

Not anymore, since the standalone small-business carve-out was deliberately removed by state lawmakers. The old law shielded employers with fewer than 50 workers. The replacement statute applies to deployers of any size using covered technology. Enforcement discretion may still weigh size, but exemption is no longer automatic.

How should a business start preparing now?

Begin with a complete inventory of every model touching a covered decision. Map each system to a developer or deployer role and assign an owner. Then build notice, explanation, and human-review workflows around those systems. Retain records for at least three years and schedule regular audits.