How we got here
The 2024 Colorado AI Act drew sharp criticism for imposing compliance obligations many viewed as unworkable, prompting the legislature to delay its effective date and Governor Polis to convene a policy workgroup. That workgroup’s unanimous recommendations became SB 26-189, which passed the Senate 34–1 and the House 57–6.
What the new framework requires
The bill applies to “automated decision-making technology” (ADMT) used to “materially influence” a “consequential decision,” i.e., a decision affecting an individual’s access to education, employment, housing, financial services, insurance, healthcare, or essential government services. Critically, the bill excludes routine business activities (advertising, content moderation, cybersecurity, fraud prevention, AML/sanctions compliance) from the definition of “consequential decision,” and excludes common technologies like calculators, databases, spreadsheets, and tools used solely to summarize or present information for human review from the definition of ADMT itself.
For systems that do fall within scope, the bill’s obligations are significantly lighter than those of the 2024 law:
For developers: Provide deployers with documentation covering intended uses, training data categories, known limitations, and instructions for human review; notify deployers of material updates within a reasonable time; and retain compliance records for three years.
For deployers: Two disclosure obligations. First, provide clear and conspicuous pre-use notice that ADMT is being used, which is satisfiable through a prominent public posting at points of consumer interaction. Second, if a consequential decision produces an adverse outcome, provide the consumer within 30 days a plain-language explanation of the decision and the ADMT’s role, along with instructions for exercising consumer rights.
Consumer rights following an adverse outcome: Consumers may request their personal data, correction of factually inaccurate data (excluding opinions, predictions, and scores), and meaningful human review “to the extent commercially reasonable.” The human reviewer must have authority to approve, modify, or override the decision and must not simply default to the system’s output.
Enforcement posture: softer but not toothless
Enforcement rests exclusively with the Colorado Attorney General under the Consumer Protection Act; there is no private right of action. Before bringing an action, the AG must provide 60 days’ notice and an opportunity to cure (except for knowing or repeated violations); that cure right sunsets January 1, 2030.
For civil actions alleging AI-driven discrimination under state anti-discrimination law, the bill allocates fault between developers and deployers proportionally, without joint and several liability, and limits developer exposure to uses within the system’s intended, documented, or contracted purposes.
Notably, the bill voids contrary to public policy any contractual provision that would indemnify a party against liability for its own discriminatory use of ADMT.
Sector-specific safe harbors
The bill recognizes that many regulated entities already operate under frameworks addressing algorithmic accountability. Insurers complying with Section 10-3-1104.9 are deemed compliant for insurance activities (but not employment decisions). HIPAA-covered entities are largely exempt outside employment and financial assistance determinations. FDA-regulated medical devices and pharmaceutical R&D are excluded entirely. Creditors already providing ECOA/FCRA adverse action notices, and educational institutions following FERPA procedures, may satisfy the bill’s disclosure requirements through those existing processes.
What companies should do now
Audit AI vendor contracts for voided indemnification terms
The bill’s anti-indemnification provision is immediately actionable. Any contract term purporting to indemnify a party against liability for its own discriminatory use of ADMT is void as against public policy. Companies deploying AI systems, particularly in employment, lending, and insurance, should review their technology vendor agreements now, well before the January 2027 effective date, to identify provisions that may be unenforceable and negotiate replacement terms that properly allocate risk.
Build adverse-outcome response processes
The 30-day post-adverse-outcome disclosure requirement is the bill’s most operationally demanding obligation. Companies need to identify which of their AI-assisted workflows produce consequential decisions, establish mechanisms for flagging adverse outcomes, and develop templated consumer notices. They also need to designate and train human reviewers with genuine override authority for consumer requests.
Engage in the attorney general’s rulemaking
The attorney general must adopt implementing rules by January 1, 2027, through a stakeholder process that begins immediately upon the governor’s signature. Key open questions, including what it means for ADMT to “materially influence” a decision and what form post-adverse-outcome disclosures must take, will be resolved through this process. Companies that participate will have a meaningful opportunity to shape the scope of their obligations.
Repurpose (don't discard) existing governance investments
Organizations that built risk management frameworks or impact assessment processes in anticipation of the 2024 law should adapt those structures to the new disclosure and recordkeeping requirements rather than abandoning them. Those frameworks also remain directly relevant for compliance in other jurisdictions, e.g., California’s ADMT regulations, Illinois’s AI-in-employment amendments, and Texas’s Responsible AI Governance Act all impose substantive requirements that Colorado has now walked back.
Regulated entities should confirm safe-harbor eligibility
Insurers, HIPAA-covered entities, creditors subject to ECOA/FCRA, and educational institutions subject to FERPA should confirm that their existing compliance programs satisfy the bill’s requirements but should not assume blanket coverage. The exemptions have carve-outs (notably for employment-related decisions), and the rulemaking process may narrow their reach.
Treat January 1, 2027, as immovable
Unlike the 2024 law’s repeated postponements, SB 26-189’s effective date is expected to hold. The legislature will not reconvene until January 11, 2027, leaving no opportunity for further delay.
We will continue to monitor the attorney general’s rulemaking and broader developments in state AI regulation. We will provide updates as the stakeholder process unfolds.