Colorado AI Act Repealed and Replaced: What Businesses Need to Know

On May 14, 2026, Colorado Governor Jared Polis signed into law Senate Bill 26-189, an act that repeals and reenacts Colorado’s 2024 AI Act (SB 24-205) and replaces it with a different framework governing the use of automated decision-making technology (“ADMT”) in consequential decisions. The new law takes effect January 1, 2027.

Instead of regulating various types of AI systems defined as “high risk” under the 2024 AI Act, the 2026 law focuses on the regulation of automated tools used in decisions that affect people’s opportunities and access to services (such as employment, housing, lending, insurance, health care, education, or public benefits).

At a high level, compliance may require organizations to:

  • Identify which decision-making tools and vendors are covered;
  • Determine whether those tools meaningfully influence consequential decisions;
  • Provide required pre-use notices and post-adverse-outcome disclosures;
  • Establish processes for human review and reconsideration of certain adverse decisions;
  • Update vendor management and contracting practices; and
  • Maintain documentation and records demonstrating compliance.

What Changed?

SB 26-189 is narrower and more operational than Colorado’s prior AI governance framework. The 2024 act centered on “high-risk artificial intelligence systems” and imposed a duty of reasonable care to protect against algorithmic discrimination, along with risk management programs and impact assessments. The new law removes those obligations.

In their place, SB 26-189 establishes an operational framework built around documentation, transparency, notice, and human review for “covered ADMT” used in consequential decisions. It sets separate obligations for businesses that develop covered technologies and businesses that deploy them, creates specific rights for individuals affected by adverse outcomes, and requires organizations to retain records demonstrating compliance.

When the Law May Apply

The law does not apply to AI technologies generally; it applies to certain forms of ADMT. The statute defines ADMT as technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information, that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.

Not every automated tool falls within the law. Obligations attach only to “covered ADMT,” meaning ADMT that is used to materially influence a consequential decision about a consumer.

“Consequential Decision”

A “consequential decision” is a decision that relates to an individual’s access to, eligibility for, or compensation related to:

  • Employment
  • Housing
  • Lending and financial services
  • Insurance
  • Health care
  • Education
  • Essential government services and public benefits

Importantly, consequential decisions are not limited to outright denials. Decisions that materially limit opportunities, delay access, affect compensation, or impose different terms may also be covered.

“Materially Influences”

A tool “materially influences” a consequential decision only when its output is a non-de minimis factor used in the decision and affects the outcome, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made. Incidental, trivial, and clerical uses do not qualify.

Future rulemaking, enforcement guidance, and regulatory interpretation may further define this standard.

“Consumer”

The term “consumer” is defined broadly. In addition to incorporating the Colorado Privacy Act’s definition of a consumer (a Colorado resident acting in an individual or household context), the law also expressly applies to employees and job applicants.

Developers and Deployers

The statute distinguishes between two roles:

  • Developers, which create or provide covered ADMT; and
  • Deployers, which use covered ADMT in consequential decision-making.

Developers must provide deployers with technical documentation describing intended uses and known harmful or inappropriate uses, the categories of data used for training, any known limitations, instructions for appropriate use, monitoring, and human review, and information reasonably necessary for deployers to comply with their disclosure requirements under the law. Developers must also notify deployers of material updates or modifications to the covered ADMT.

Deployers bear most of the operational compliance responsibilities. A deployer must provide clear and conspicuous notice to consumers at the point that they interact with a covered ADMT. When a covered ADMT makes a consequential decision that results in an adverse outcome for the consumer, the deployer must provide a plain-language description of the ADMT’s role within 30 days after making the decision. On request following an adverse outcome, the deployer must also give the consumer the opportunity to access and correct inaccurate personal data used in the decision and an opportunity for meaningful human review and reconsideration, to the extent commercially reasonable.

Both developers and deployers must retain the records necessary to demonstrate compliance with the act for at least three years.

When Does the Law Take Effect?

The new Colorado ADMT Act takes effect on January 1, 2027, and will apply to consequential decisions made on or after that date. Certain rulemaking is expected before then, including guidance from the Colorado Attorney General regarding post-adverse-outcome disclosure requirements and other implementation details.

Although the effective date gives organizations time to prepare, businesses that use automated tools in employment, lending, insurance, health care, housing, education, or other consequential decision-making contexts should begin assessing technology, vendors, and internal processes now. Many of the law’s requirements, including pre-use notices, human review procedures, record retention practices, and vendor documentation obligations, may take time to implement.

Exemptions

The act includes several sector-specific exemptions and compliance alternatives for regulated industries. Insurers subject to Colorado’s existing algorithmic-discrimination rules are deemed compliant when engaged in insurance, but not for employment decisions. HIPAA-covered entities and business associates generally are exempt from the law’s core requirements, except for employment decisions, although certain patient notices and financial-assistance disclosures still apply. FERPA-regulated deployers may satisfy applicable notice, correction, human-review, and appeal requirements through FERPA-compliant procedures rather than creating duplicative processes. The act also excludes certain FDA-regulated medical devices and research activities and does not require disclosures that would violate HIPAA or the Gramm-Leach-Bliley Act.

Enforcement

The new law is enforceable by the Colorado Attorney General and does not create a private right of action. Violations are treated as a deceptive trade practice under the Colorado Consumer Protection Act.

Prior to January 1, 2030, the Attorney General must generally provide the developer or deployer with 60 days’ notice and an opportunity to cure the alleged violation, where a cure is deemed possible, before initiating an enforcement action.

Key Takeaways

For most businesses, compliance with Colorado’s new ADMT law will focus on understanding where automated decision-making tools are used, determining whether those tools materially influence consequential decisions, providing required notices and disclosures, maintaining meaningful human oversight, retaining records, and ensuring vendors provide the information necessary to support compliance.

Organizations that begin now by identifying covered decision-making systems and inventorying vendor relationships that may involve ADMT use will be in a stronger position as the January 1, 2027 applicability date approaches.

Erin Locker is a commercial partner whose practice focuses on privacy, cybersecurity and data protection. She helps companies at every stage navigate the rapidly evolving landscape of global privacy regulation and develop strategic approaches to compliance. Erin counsels clients on a range of data privacy and protection issues involving product design and development, digital marketing and advertising, compliance programs, and data licensing transactions.
