On May 14, 2026, Governor Polis signed SB 26-189 into law, substantially revising the Colorado AI Act originally enacted in 2024.
While the original act never took effect, the law stood as a model in recent years for what comprehensive risk-based regulation of AI governance could look like in the United States. Unlike many other AI laws, the original act applied to developers and deployers of “high-risk” AI systems and required risk management programs, annual impact assessments, public statements describing AI use, and a notification regime when AI was used to influence certain consequential decisions. In the years since, many other states have enacted their own AI laws, but none thus far have gone as far in imposing the types of governance obligations that Colorado’s original law would have required.
The new Act, which comes into effect January 1, 2027, substantially pares back the previous version of the law:
- The scope of what counts as a covered AI system has narrowed,
- The consumer-facing notice obligations have been lightened,
- The prior law’s governance obligations have been eliminated, and
- The Act no longer imposes a duty to avoid algorithmic discrimination, although developers and deployers can still be held liable under existing anti-discrimination law.
What remains is largely a transparency regime and a discrete set of consumer rights in the vein of California’s CCPA Automated Decision-Making rules.
Scope
What Counts as a Consequential Decision
The new law applies to “Automated Decision-Making Technology” (ADMT) used to “materially influence” a “consequential decision” about a consumer. A consequential decision is one that A) affects a consumer’s access to, eligibility for, selection for, or compensation for an opportunity or service in a covered domain, or B) affects pricing or other material terms in a manner reasonably likely to materially limit, delay, effectively deny, or fundamentally alter access to a covered domain.
The domains subject to the law are: (1) Education enrollment or opportunity; (2) Employment; (3) Lease or purchase of residential real estate in Colorado; (4) Financial or lending services; (5) Insurance; (6) Health-care services; and (7) Essential government services and public benefits.
Interestingly, legal services, which the prior version of the law swept in, are no longer covered.
Note that “consumer” here is defined more broadly than under the Colorado Privacy Act, applying not only to decisions about CO residents, but also to decisions about any employee of a party doing business in Colorado and any individual, regardless of residency, evaluated for a job or other opportunity in Colorado.
The “Materially Influence” Trigger
For systems being used to make consequential decisions in a covered domain, the law’s applicability turns on whether the system “materially influences” the decision. Under the revised law, this standard is met if an output (A) is a non-de minimis factor used in making the decision and (B) actually affects the outcome, “including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering” how the decision is made.
The new standard is somewhat narrower than the prior law’s “substantial factor” standard, which captured any AI-generated output that “assists” in making a consequential decision and is “capable of altering” the outcome. Moreover, the new formulation requires the system to actually affect the outcome, not merely be capable of affecting it.
Notably, the Act does not contain a categorical exclusion for decisions subject to human review. This differs from California’s ADMT regulations under the CCPA, which explicitly define ADMT to exclude systems whose outputs receive meaningful human review. Nevertheless, if a human reviewer does in fact review every output of a system, alongside the relevant inputs, and applies their own independent judgment, covered entities might be able to take the position that the system does not “materially influence” the outcome. Ultimately, though, the analysis will likely depend on the circumstances surrounding the decision and how human review is performed in practice.
Carve-Outs
The Act excludes a range of low-stakes, routine, or back-office uses from the definition of “consequential decision,” “ADMT,” or both. Some examples include advertising, marketing, and content moderation; cybersecurity, spam and robocall filtering, and system reliability; fraud prevention and identity verification; anti-money-laundering and sanctions compliance; and routine business processes such as scheduling, administrative routing, customer service triage, communication of decisions, and workflow management.
Of particular significance, the Act carves out natural-language tools (chatbots, assistants, and similar systems), provided they are not advertised, marketed, configured, or intended to be used in a consequential decision and are subject to an acceptable use policy prohibiting such use. As a result, most general-purpose chatbots will fall outside the Act on this basis, provided they are properly configured and governed.
Developer Obligations
Developer obligations under the new law are now primarily limited to documentation and transparency. A developer of a covered ADMT must provide each deployer with documentation describing: the system’s intended uses and known harmful or inappropriate uses, the categories of training data to the extent known, known limitations and circumstances in which the system should not be used, instructions for appropriate use and meaningful human review, and the information reasonably necessary for the deployer to comply with its consumer-facing disclosure obligations (see below). Developers must also notify deployers of material updates to the system within a reasonable time and retain compliance records for three years.
Deployer Obligations
Most of the law’s requirements apply to deployers of covered ADMTs, and are largely focused on disclosures and consumer rights.
Point-of-Interaction Notice
Before using a covered ADMT for a consequential decision, the deployer must provide a clear and conspicuous notice that an ADMT is being used and instructions on how the consumer can obtain more information about the system. A deployer can satisfy this obligation through a prominent public notice that is reasonably accessible at points of consumer interaction, for example, by placing a link to the disclosure on a job posting.
That is a meaningfully lighter disclosure than required under the prior law, which also required an explanation of the system’s purpose, the nature of the decision, the deployer’s contact information, and a plain-language description of the system, among other things.
Post-Decision Disclosure
If use of a covered ADMT results in an adverse outcome for a consumer, for example, a rejection of a job application, the deployer must provide an additional disclosure within thirty days. The notice must include: A) a plain-language description of the decision and the role the ADMT played, B) a simple-to-follow process for the consumer to request additional information about the system and its inputs (the system name, version, developer, and the types, categories, and sources of personal data used), and C) an explanation of the consumer’s rights under the Act and how to exercise them.
Consumer Rights
Following an adverse outcome, the law allows the consumer to, upon request: (A) access and correct inaccurate personal data used by the ADMT, and (B) obtain meaningful human review and reconsideration of the decision, to the extent commercially reasonable.
The law further clarifies that such human review must be performed by someone with authority to approve, modify, or override the decision, who has been trained to conduct the review. The reviewer must also be provided with information sufficient to understand the system’s use, limitations, inputs, and the factors used to generate the decision. The intention appears to be to prohibit entities from simply rubber-stamping system outputs when a review is requested.
Notably, the new law only requires such reviews be conducted to the extent “commercially reasonable.” The prior law imposed a tighter standard, requiring the review as long as it was “technically feasible.” Since the concept of commercial reasonableness often takes operational cost and business context into account, the new standard may give deployers more flexibility to limit appeals in some circumstances where the volume of decisions cannot reasonably support individualized review.
Recordkeeping
Deployers must retain records reasonably necessary to demonstrate compliance for three years, including system version identifiers, changelogs, and documentation of material mitigation changes. Given the need to demonstrate compliance, this also likely includes a system’s inputs and outputs, logs demonstrating human review, and records of notices and disclosures provided to consumers.
Anti-Discrimination Liability
While the new Act does not impose a statutory duty to avoid “algorithmic discrimination” as the prior version did, neither does it eliminate discrimination exposure. The law makes explicit that developers and deployers can still be held liable under existing anti-discrimination law, including the Colorado Anti-Discrimination Act.
In discrimination actions involving covered ADMT, the law allocates liability among developers and deployers based on relative fault, rather than joint and several liability. It further specifies that the developer’s liability is limited to uses of the system that were intended, documented, marketed, advertised, configured, or contracted for by the developer. That is, a developer cannot be held liable under the law when a deployer uses the system in a manner outside the documented use cases. The Act also explicitly voids contractual provisions that indemnify or hold harmless a party against liability for acts or omissions related to discrimination involving a covered ADMT. So a party cannot use contractual indemnification to shift liability for its own discriminatory conduct.
Enforcement
The Attorney General has exclusive authority to enforce the law through the Colorado Consumer Protection Act, and a violation of the Act is considered a deceptive trade practice. There is no new private right of action.
Before bringing an enforcement action, the AG must issue a notice of violation and provide sixty days to cure if a cure is deemed possible. The cure period is not required for knowing or repeated violations. Penalties under the state’s consumer protection act are up to $20,000 per violation, with each consumer or transaction constituting a separate violation, and up to $50,000 per violation involving an elderly person.
Practical Recommendations
Companies developing or using AI to assist in making consequential decisions in a covered domain should prepare for compliance in advance of the law’s January 1, 2027 effective date. To this end, deployers of such systems should consider the following steps:
- Assess whether your system is a covered ADMT. If using an AI system to assist in making decisions in one of the covered domains, evaluate whether it is likely to meet the “materially influence” standard. Systems used to screen resumes, for example, by filtering out candidates from further human review, are almost certainly in scope.
- Draft and publish a point-of-interaction notice. The notice should include a statement that an ADMT is being used in the decision-making process and instructions on how the consumer can obtain more information about the system. Publicly posting the disclosure on one page and linking to it at the point of consumer interaction should be sufficient.
- Establish a process for providing notice following an adverse outcome. The notice must be sent within 30 days and contain a plain-language description of the decision and the role of the ADMT, instructions for the consumer to request additional information about the system, and an explanation of the consumer’s rights to correct data or appeal the decision.
- Develop a corrections and appeals process. Upon request, deployers will need to offer consumers meaningful human review and reconsideration of the decision. This must be performed by a trained reviewer who can override the decision and meaningfully evaluate the system’s outputs.
Developers of ADMTs who market their systems for use in making decisions in one of the covered domains should build a documentation and notification process that provides deployers with the information they need to satisfy their own obligations under the Act. To the extent a developer offers a general-purpose AI system, it should make clear in its marketing and contracts that the system is not intended to be used to assist in making consequential decisions.
While no longer explicitly required by the law, developers and deployers should nevertheless conduct bias audits of their ADMTs, as they may still be subject to exposure under existing state and federal anti-discrimination laws. If a suit is ever brought, such audits will be helpful in demonstrating that the system does not have discriminatory impacts.
With similar ADMT obligations already in place in CA, NYC, and CT, and many other states actively considering comparable legislation, developers and deployers should begin preparing for compliance sooner rather than later as these laws continue to gain traction.
