On May 9, 2026, the Colorado General Assembly passed Senate Bill 26-189 (the "Bill"), which repeals and reenacts the previously passes SB 24-25 (Colorado's “AI Act") with comprehensive new requirements governing the use of automated decision-making technology ("ADMT") in consequential decisions affecting consumers. The Bill expressly supersedes the consumer protections enacted in 2024 under Senate Bill 24-205, Colorado's prior AI Act, which originally established consumer protections in interactions with artificial intelligence systems. The Bill takes effect January 1, 2027 and applies to decisions made on or after that date. 

Relationship to Senate Bill 24-205 

Colorado's AI Act (SB24-05), enacted in 2024, was among the first comprehensive state-level AI governance statutes in the United States, establishing duties for developers and deployers of "high-risk artificial intelligence systems" to avoid algorithmic discrimination. The Bill repeals those provisions in their entirety and replaces them with a substantially revised framework. Key changes include a shift in terminology from "high-risk artificial intelligence systems" to "automated decision-making technology" that "materially influences" a "consequential decision," narrower and more precisely scoped obligations, new carve-outs and exemptions, and revised enforcement and liability provisions. Organizations that undertook compliance efforts under SB 24-205 should carefully evaluate how the new framework differs and whether existing compliance programs require updating before January 1, 2027.

Key Definitions

Removing many of the AI Act's provisions, SB 26-189 instead focuses on “Automated Decision-Making Technology” ("ADMT"). These provisions would additionally come into effect in January 2027, a delay over the (already extended) June 30, 2026 effective date of the prior AI Act. 

Automated Decision-Making Technology is defined as a technology that processes personal data and uses computation to generate output—including predictions, recommendations, classifications, rankings, scores, or other information—that is used to make, guide, or assist a decision, judgment, or determination concerning an individual. Notably, the definition specifically excludes a number of routine technologies such as anti-malware, anti-virus tools, calculators, databases, firewalls, spreadsheets requiring human analysis (and not using machine learning or large language models), among other items. Also excluded  in this definition are tools used solely to summarize, organize, translate, draft, route, or present information for human review of administrative processing. Consumer-facing natural language tools (such as chatbots) are excluded if they are not contracted, advertised, marketed, configured, or intended to be used in a consequential decision and are subject to an acceptable use policy prohibiting such use. 

Consequential Decision means a decision about a consumer relating to access, eligibility, selection, or compensation for a "covered domain," or a decision relating to differentiated pricing or material terms that is reasonably likely to materially limit, delay, or effectively deny access to a covered domain. Covered domains include education, employment, housing, financial or lending services, insurance, health-care services, and essential government services. The Bill expressly excludes from the definition of "consequential decision" low-stakes or routine decisions, advertising, marketing, differentiated product recommendations, search, content moderation, and narrow procedural tasks. 

Covered ADMT means ADMT that is used to "materially influence" a consequential decision—so not all ADMT will be restricted by the Bill, only specific uses. In this context, "materially influence" means the ADMT output is a non-de minimis factor used in making a consequential decision and affects its outcome, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how a consequential decision is made. Incidental, trivial, or clerical uses do not constitute material influence.

Adverse Outcome means a decision that denies, terminates, revokes, or materially reduces or restricts a consumer's access to or eligibility for an opportunity or service, or results in materially less favorable differentiated pricing or terms that are reasonably likely to materially limit or effectively deny the consumer's access to such an opportunity or service. 

Developers are defined as persons doing business in Colorado who 1) develop, offer, sell, or makes commercially available a covered ADMT; 2) develops a component intended to be used in a covered ADMT; or 3) intentionally modifies an ADMT such that it becomes a covered ADMT. 

Deployers, in contrast with developers, are defined as a person doing business in Colorado that "deploys" (a term that is not explicitly defined in the Bill) a covered ADMT. 

Developer Obligations

Beginning January 1, 2027, a developer (i.e. one developing a covered ADMT) must make the following documentation available to each deployer, in a form that is reasonably understandable and that protects trade secrets: 

• A general statement describing the covered ADMT's intended uses and known harmful or inappropriate uses.
• A description of the categories of data, including personal data, used to train the covered ADMT.
• Known limitations and circumstances in which the covered ADMT should not be used.
• Instructions for the deployer's appropriate use, monitoring, and meaningful human review.
• Information reasonably necessary for the deployer to comply with its own disclosure obligations. 

Developers must also provide deployers with notice of material updates, intentional and substantial modifications, and changes to the intended use or risk mitigation of the covered ADMT within a reasonable time. Public release notes may satisfy this requirement if direct notice of the release is provided to each deployer. Developers must retain compliance records for at least three years.

A developer's documentation obligations apply only where the ADMT was marketed, advertised, configured, contracted, sold, or licensed to be used to materially influence a consequential decision. 

Deployer Obligations

In contrast with developers, deployers of covered ADMT will be required to comply with a number of record keeping and transparency obligations for the general public, those who will actually be interacting with the ADMT.

Record Keeping. Deployers must retain records reasonably necessary to demonstrate compliance for at least three years after the date of a consequential decision. 

Point-of-Interaction Notice. Prior to using a covered ADMT to materially influence a consequential decision, the deployer must provide clear and conspicuous notice to the consumer that a covered ADMT was or will be used in a consequential decision, along with instructions on how to obtain additional information. A deployer may comply by maintaining a prominent public notice reasonably accessible at points of consumer interaction, such as through a link or posting reasonably proximate to the interaction.

Post-Adverse Outcome Disclosures. If a covered ADMT materially influences a consequential decision resulting in an adverse outcome, the deployer must provide within 30 days: 

• A plain language description of the consequential decision and the role of the covered ADMT.
• Instructions and a simple process to request additional information about the covered ADMT, including its name, version number, developer, and the types, categories, and sources of personal data used.
• An explanation of the consumer's rights under the Bill and how to exercise them. 

The Attorney General must adopt rules by January 1, 2027 to further clarify post-adverse outcome disclosure requirements. 

Accessibility. Notices and disclosures must be provided in a manner reasonably accessible to consumers with disabilities and those with limited English proficiency. 

Consumer Rights

When a consumer believes that they have experienced an adverse outcome from a consequential decision materially influenced by a covered ADMT, the Bill provides the consumers with the right to request: 

• Instructions for further requesting and correcting factually incorrect or materially inaccurate personal data used in the consequential decision.
• Meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable. 

"Meaningful human review" requires review by a designated individual with authority to approve, modify, or override the decision, who considers relevant primary evidence, is trained to conduct the review, does not default to the system output, and has access to sufficient information about the system's intended use, material limitations, inputs, and principal factors without requiring disclosure of trade secrets. 

The right to correction does not extend to opinions, predictions, scores, or protected evaluations. 

Enforcement

The Attorney General has exclusive authority to enforce the Bill through the Colorado Consumer Protection Act (that is, the Bill does not provide a private right of action); a violation of the Bill constitutes a deceptive trade practice. Before initiating an enforcement action, the Attorney General must issue a notice of violation and provide a 60-day opportunity to cure, if a cure is deemed possible. However, no cure period is required for knowing or repeated violations. Beginning in January 2028, the Attorney General must report annually on enforcement actions and cure periods offered. The cure-period reporting requirement sunsets on January 1, 2030.

No Private Right of Action. The Bill does not create a new private right of action. It does not limit or reduce any existing rights or remedies available under state or federal law, including the Colorado Anti-Discrimination Act, the Colorado Consumer Protection Act, or product liability law. 

Liability and Fault Allocation

A developer or deployer may be held liable in an action alleging unlawful discrimination under state anti-discrimination laws arising from a consequential decision materially influenced by a covered ADMT. Fault is allocated between developers and deployers based on their relative fault. The Bill does not create joint and several liability except to the extent permitted under existing law.

A developer's liability is limited to circumstances where the covered ADMT was used in a manner intended, documented, marketed, advertised, configured, or contracted for by the developer. A developer is not liable for violations arising from a deployer's use of the covered ADMT in an unintended manner.

Contractual indemnification clauses that purport to hold a party harmless from its own acts or omissions related to the use of ADMT in consequential decisions in violation of Colorado anti-discrimination law are void as contrary to public policy. This restriction does not apply where the developer's ADMT was used in an unintended manner and the developer complied with its documentation obligations.

Exemptions

Insurers. Insurers and affiliated entities subject to Section 10-3-1104.9 of the Colorado Revised Statutes (governing insurers' use of external consumer data and algorithms) are deemed in compliance with the Bill for the practice of insurance, except with respect to employment-related decisions. 

HIPAA Covered Entities. The Bill's principal requirements (Sections 6-1-1701 through 6-1-1706) do not apply to HIPAA-covered entities or their business associates, except for employment-related consequential decisions. Covered entities must still provide patients with a general notice of use of advanced technologies, including covered ADMT. Covered entities using a covered ADMT to determine a patient's eligibility for financial assistance must provide additional specified disclosures. 

FDA-Regulated Devices. The Bill does not apply to medical devices subject to FDA oversight or pharmaceutical/medical device manufacturers' research and development activities subject to FDA oversight. 

Federal Law Preemption. The Bill does not require disclosures that would violate the Gramm-Leach-Bliley Act or HIPAA. Creditors that comply with the Equal Credit Opportunity Act and Fair Credit Reporting Act notice requirements are deemed to satisfy the Bill's disclosure obligations relating to the same decision if those federal notices also satisfy the Bill's requirements. 

Practical Implications and Recommendations

Organizations that develop or deploy AI-powered systems affecting Colorado consumers should take note of the following:

1. Reassess Compliance Programs. The Bill replaces the 2024 AI Act's framework with substantially different terminology, scoping, and obligations. Compliance programs built around "high-risk AI systems" and "algorithmic discrimination" should be mapped against the new definitions of ADMT, covered ADMT, consequential decision, and materially influence to determine continued applicability.
2. Evaluate Scope. The extensive exclusions from the definitions of ADMT and consequential decision (routine technologies, chatbots with acceptable use policies, low-stakes decisions, advertising, fraud prevention, and cybersecurity tools) may narrow the scope of covered systems relative to the prior law.
3. Documentation and Disclosure Infrastructure. Developers should prepare to deliver technical documentation and material update notices to deployers by January 1, 2027. Deployers should establish point-of-interaction notice processes, post-adverse outcome disclosure workflows, and consumer rights response mechanisms.
4. Human Review Processes. Deployers must offer meaningful human review upon consumer request, which demands designated trained individuals with override authority who do not default to system output.
5. Indemnification Clauses. Existing contracts between developers and deployers should be reviewed for indemnification provisions that may now be void as against public policy if they purport to shield a party from liability for its own discriminatory use of ADMT.
6. Monitor Attorney General Rulemaking. The Attorney General is directed to adopt implementing rules by January 1, 2027 and may issue additional rules clarifying the definition of "materially influence" and other aspects of the Bill. Stakeholders should engage with the rulemaking process.
7. Appropriation. The Bill appropriates $46,190 from the general fund to the Department of Law for enforcement, based on an assumption of 0.4 additional FTE. 

We will continue to monitor developments related to SB 26-189, including the Attorney General's rulemaking activities and any further legislative action. Governor Polis is expected to sign the Bill in the coming weeks.