Colorado has enacted Senate Bill 26‑189, significantly revising and replacing key provisions of its 2024 artificial intelligence law (SB 24‑205) to establish a more detailed regulatory framework governing the use of automated decision‑making technology (ADMT) in high‑impact decisions. The new law, which takes effect January 1, 2027, imposes expanded compliance obligations on both developers and deployers of AI systems used in “consequential decisions” and introduces new transparency, documentation, and consumer‑rights requirements.
Colorado’s earlier 2024 AI statute was due to become operative in June, and was recently delayed after a federal court paused its enforcement. Notably, SB 26-189 replaces the earlier 2024 AI statute, establishing a new and updated compliance framework effective January 1, 2027.
Scope: Covered AI Systems and Consequential Decisions
SB 26‑189 defines automated decision‑making technology broadly to include systems that use personal data to generate outputs such as predictions, rankings, classifications, or recommendations that inform or influence decisions. The law applies where such tools are used to materially influence “consequential decisions,” including decisions affecting an individual’s access to or terms of:
- Employment and compensation,
- Education,
- Housing,
- Financial or lending services,
- Insurance,
- Health care, and
- Essential government services.
This scope places many HR, recruiting, performance management, lending, and underwriting systems squarely within the law’s reach.
New Obligations for AI Developers
The law imposes significant new requirements on developers of covered ADMT systems. Beginning January 1, 2027, developers must provide deployers with detailed technical documentation, including:
- The system’s intended uses;
- The categories of training data used;
- Known limitations and risks; and
- Instructions for appropriate use and human oversight.
Developers are also required to notify deployers of material updates or changes to the system and must maintain records demonstrating compliance for at least three years. These provisions are designed to improve transparency and allow deployers to better assess downstream compliance risks.
New Compliance Responsibilities for Deployers
Entities that use AI systems to make or assist consequential decisions (defined as “deployers”) must meet new transparency and accountability requirements. Deployers must provide clear and conspicuous notice to individuals at the point where they interact with a covered ADMT system.
In addition, where a covered ADMT contributes to an adverse decision, deployers must provide the affected individual, within 30 days, a plain‑language explanation of how the AI system influenced the outcome. The Colorado Attorney General is tasked with issuing rules clarifying these disclosure requirements by January 1, 2027.
New Consumer Rights and Protections
SB 26‑189 grants individuals several important rights related to automated decision‑making:
- The right to access personal data used by the AI system;
- The right to correct inaccurate personal data; and
- The right to request meaningful human review and reconsideration of adverse decisions.
These rights align Colorado’s AI framework with broader trends emphasizing explainability and human oversight in high‑stakes automated systems.
Enforcement and Liability Framework
The law will be enforced under the Colorado Consumer Protection Act, meaning violations may be treated as deceptive trade practices. Before initiating enforcement actions, the Attorney General must provide a 60‑day notice and opportunity to cure, where a cure is possible.
Notably, the law does not create a standalone private right of action, but it does clarify how liability may be allocated between developers and deployers in existing discrimination claims. This allocation framework is likely to influence litigation strategies and contractual risk allocation between vendors and users of AI systems.
Exemptions and Interaction with Other Laws
Certain entities may be exempt from some requirements to the extent they are already subject to comparable regulatory obligations under other laws. Employers and organizations should carefully assess whether existing compliance regimes (such as those governing financial services or health care) may partially overlap with or satisfy the statute’s requirements.
Employer and Business Takeaway
SB 26‑189 is likely to have a direct and operational impact on employers, particularly those using AI‑driven tools in hiring, promotion, compensation, performance evaluation, or workforce analytics. Many common HR technologies (such as resume‑screening tools, algorithmic candidate scoring systems, employee monitoring platforms, and performance‑ranking software) may qualify as ADMT if they meaningfully influence employment decisions.