If your business used the past eighteen months to build a Colorado AI Act compliance program around risk management policies, annual impact assessments, and algorithmic discrimination duty-of-care obligations, the rules just changed under you. On May 14, 2026, Colorado Governor Jared Polis signed Senate Bill 26-189, which repealed and replaced the original Colorado AI Act before its core obligations ever took effect. The new framework drops the duty-of-care standard, the formal risk management program requirement, and the annual impact assessment mandate. In their place sits a narrower transparency regime built around pre-use notices, post-adverse-outcome disclosures, and a small bundle of consumer rights tied to "covered automated decision-making technology."
For founders, HR leaders, lenders, insurers, healthcare administrators, landlords, and SaaS operators who have been burning consulting dollars on the original SB 24-205 framework, the natural reaction is relief. That relief should be tempered. The new law still imposes real obligations on businesses of nearly any size, it still creates Colorado Attorney General enforcement risk, and it still requires you to map where automated decision-making technology touches consequential decisions in your operations. The compliance burden is lighter, but it is not zero, and the January 1, 2027 effective date arrives faster than most teams expect once budgeting cycles and vendor renegotiations are factored in.
This guide walks through what changed, what survived, who is in scope, what specifically you have to do before January 1, 2027, and how to coordinate Colorado obligations with the patchwork of other state and federal AI rules now landing on businesses operating in multiple jurisdictions.
What Happened to the Original Colorado AI Act
The original Colorado AI Act, codified as SB 24-205, was signed in May 2024 and slated to take effect February 1, 2026. It was the first comprehensive state AI law in the United States and modeled loosely on the European Union AI Act's risk-tier approach. The original framework drew sustained criticism from technology companies, business groups, and bipartisan legislators who argued it would punish in-state innovation, impose costs disproportionate to actual algorithmic discrimination risk, and force small companies to build governance programs comparable to those of regulated financial institutions.
During the 2025 legislative session, the General Assembly extended the effective date from February 1, 2026 to June 30, 2026 to give lawmakers time to revise the statute. In May 2026, SB 26-189 was passed and signed, repealing the original act and replacing it with a substantially narrower framework that takes effect January 1, 2027. The Colorado Attorney General is required to complete implementing rulemaking by that same date, and the office has indicated enforcement will not begin until rulemaking is complete and businesses have had reasonable opportunity to align.
The practical upshot for your compliance team: any documentation, vendor diligence packets, or impact assessment templates you built against the SB 24-205 framework still have value as a foundation, but you need to recalibrate against the SB 26-189 obligations rather than the original duty-of-care standard.
What Stayed and What Disappeared
Understanding the delta between the old and new law matters because consultants and vendors are still selling SB 24-205 frameworks. Here is what is gone, what is new, and what survived.
Removed from the original law:
- The reasonable-care duty to protect consumers from algorithmic discrimination
- The formal risk management policy and program requirement
- The annual impact assessment mandate covering purpose, data inputs, mitigation, monitoring, and discrimination risk
- The 90-day discovery-and-disclosure obligation tied to discovered algorithmic discrimination
- The small-deployer exemption framework with its four-prong test (this is restructured, not preserved verbatim)
New under SB 26-189:
- A narrower scope built around "covered automated decision-making technology" rather than "high-risk artificial intelligence system"
- A two-step notice framework: pre-use notice before deployment in a consequential decision, plus post-adverse-outcome disclosure within 30 days
- A right for consumers to access and correct personal data used by the covered ADMT
- A right to request meaningful human review of consequential decisions, where technically feasible
- An accessibility requirement that all notices reach consumers with disabilities and limited English proficiency
- A safe harbor allowing deployers to satisfy pre-use notice through a prominent public posting reasonably proximate to the consumer interaction
Survived in substance:
- The list of consequential decision categories: education, employment, financial or lending services, essential government services, healthcare services, housing, insurance, and legal services
- Exclusive enforcement by the Colorado Attorney General with no private right of action
- Treatment of violations as deceptive trade practices under the Colorado Consumer Protection Act
- The general distinction between developers (who build or substantially modify ADMT) and deployers (who use it to make consequential decisions about Colorado consumers)
Who Is in Scope
The new law applies to any developer or deployer of covered automated decision-making technology that makes or materially influences consequential decisions about Colorado consumers. Geography is determined by the consumer's residence, not the location of your business, so a remote-first SaaS company headquartered in Austin or a New York staffing firm that places candidates with Colorado employers is squarely within scope.
A consequential decision under SB 26-189 is any decision that has a material legal or similarly significant effect on the provision, denial, cost, or terms of services in eight categories: education enrollment or opportunity, employment or employment opportunity, financial or lending services, an essential government service, healthcare services, housing, insurance, or legal services. The list captures most of the high-stakes decisions that small and mid-size businesses make about people every day.
Real-world examples of covered use cases include resume screening tools that score job applicants, credit underwriting models that approve or deny loans, insurance pricing engines that set premiums, tenant screening tools that filter rental applicants, clinical decision support that affects which patients get scheduled or referred, AI tutors or admissions tools used by online education providers, and intake or triage tools at legal aid clinics or law firm websites. Customer service chatbots, marketing personalization, internal productivity tools, and generative AI used for content drafting generally fall outside scope unless they materially influence one of the listed consequential decisions.
The Pre-Use Notice Obligation
Before a deployer uses a covered ADMT to materially influence a consequential decision, the deployer must give the consumer a clear and conspicuous notice that ADMT is being used or will be used. The notice must describe in plain language the purpose of the system, the type of consequential decision it factors into, and how the consumer can exercise the rights granted by the statute.
The safe harbor matters here. Rather than serving an individualized notice at the moment of each interaction, the law allows you to satisfy this obligation through a prominent public posting reasonably accessible at points of consumer interaction. In practice, that means a clearly linked AI disclosure page on your application portal, your loan intake flow, your tenant screening landing page, or your patient onboarding portal will generally suffice, provided the link is visually proximate to the relevant transaction and the disclosure language is written for a lay reader.
Three drafting pitfalls to avoid. First, do not bury the disclosure in a generic privacy policy; the statute requires it to be reasonably proximate to the relevant transaction. Second, do not rely on industry jargon like "automated decision-making technology" or "ADMT" without translating it; the accessibility requirement covers cognitive and language accessibility, not just screen-reader compatibility. Third, do not write notices that paper over the role of AI in the decision; vague language like "we may use technology to help us" will not satisfy a plain-language standard that survives Attorney General scrutiny.
The 30-Day Adverse Outcome Disclosure
When a covered ADMT materially influences a consequential decision that results in an adverse outcome for the consumer, the deployer must provide a plain-language description of the ADMT's role within 30 days of the decision. An adverse outcome includes denial of an application, termination of an existing service, materially less favorable pricing, or any decision that reduces a benefit the consumer would otherwise receive.
The disclosure does not require revealing trade secrets, model weights, or proprietary algorithms. What it does require is a description that a reasonable consumer can understand of what the system considered, what role it played in the decision, what categories of personal data it processed, and how the consumer can exercise their access, correction, and human review rights. Industry-specific content variation is permitted, so a lender's adverse action disclosure can lean on existing Equal Credit Opportunity Act Regulation B notice formats and a healthcare deployer's disclosure can build on existing patient communication norms.
Coordinate this with adjacent federal disclosure obligations rather than treating it as a parallel track. If you are already sending a Fair Credit Reporting Act adverse action notice, an Equal Credit Opportunity Act notice of action taken, or a HIPAA-compliant communication, expand the existing notice rather than building a redundant Colorado-specific letter. The 30-day clock under SB 26-189 is generally compatible with the timing of those federal notices, though you should map the deadlines case by case because exceptions exist.
Consumer Rights to Access, Correction, and Human Review
Three consumer rights live under the new framework. Consumers can request access to the personal data the covered ADMT processed about them. Consumers can request correction of inaccurate personal data. And consumers can request meaningful human review of the consequential decision when technically feasible.
The access and correction rights overlap substantially with rights that already exist under the Colorado Privacy Act for personal data generally. Operationally, the cleanest approach is to extend your existing CPA data subject request workflow to handle ADMT-specific requests rather than building a separate intake channel. Map which systems contain which categories of personal data used in ADMT, train your privacy or HR intake team on the new categories, and document your response timelines.
The human review right is the more interesting compliance question. The statute requires meaningful human review when technically feasible, which is not the same as a human rubber-stamp of the algorithmic output. Meaningful review typically requires that a person with authority to overturn the decision actually examine the consumer's circumstances, consider information beyond the algorithmic score, and have the practical ability to reach a different conclusion. The "technically feasible" qualifier excuses cases where the underlying decision cannot meaningfully be reviewed by a human at all, but it does not excuse mere inconvenience or cost.
Developer Obligations
Developers of covered ADMT have parallel obligations centered on giving deployers what they need to comply downstream. The original SB 24-205 framework required developers to maintain extensive documentation about training data sources, performance metrics, intended use cases, and known risks of algorithmic discrimination. Under SB 26-189, those obligations are scaled back but not eliminated.
A developer must furnish deployers with documentation sufficient for the deployer to satisfy its notice and disclosure obligations, including a description of the ADMT's intended use cases, the categories of personal data it processes, the categories of outputs it generates, and known limitations relevant to the consequential decision context. Developers must also publish a public statement summarizing the covered ADMT they offer and how they manage risks tied to consequential decisions.
If you sell or license AI tools used by Colorado deployers, the vendor contract conversation has already started. Expect deployer customers to request standardized model cards, data sheets, and ADMT-specific contractual representations. Get ahead of it by preparing a one-page ADMT disclosure that you can attach to MSAs and renewal packages.
Small Business Considerations
The original SB 24-205 small-deployer exemption was a four-prong test that excused deployers under 50 full-time equivalent employees from the impact assessment requirement under narrow conditions. SB 26-189 restructures the small business treatment rather than preserving the exemption verbatim, because the underlying impact assessment requirement no longer exists.
For most small and mid-size deployers, the practical compliance footprint under the new law is genuinely modest: maintain a clear ADMT disclosure page reasonably accessible at the point of consumer interaction, build a 30-day adverse outcome response process, extend your existing data subject request workflow to cover ADMT data access and correction, and document a human review process for decisions the algorithm materially influences. Most well-run companies can stand this up in a few weeks of focused work, especially if they already have a Colorado Privacy Act program in place.
The biggest cost drivers for small businesses are not the notices themselves, but the upstream work of inventorying where covered ADMT exists in the business. A common surprise is discovering that an off-the-shelf SaaS tool with AI features embedded by the vendor is functioning as covered ADMT for consequential decision purposes even though the deploying business never thought of itself as deploying AI. Tenant screening platforms, automated underwriting wizards, AI-augmented hiring tools, and clinical decision support modules embedded in EHR systems are all common surprise inclusions.
How This Coordinates With Other AI and Privacy Laws
Colorado is not legislating in a vacuum, and a coordinated compliance program is dramatically cheaper to run than a series of state-by-state silos. The key coordination points to plan for in 2026 and 2027:
Colorado Privacy Act. The CPA already gives Colorado consumers data access, correction, and deletion rights, and already imposes profiling-related opt-out and data protection assessment obligations on controllers conducting "profiling in furtherance of decisions that produce legal or similarly significant effects." Your CPA program is the natural foundation for your SB 26-189 program because the data subject request workflows, vendor contract templates, and consumer notice infrastructure overlap heavily.
NYC Local Law 144. New York City requires annual independent bias audits for automated employment decision tools used to screen NYC residents. SB 26-189 does not require a bias audit, but the documentation produced for an LL 144 audit is useful supporting evidence that you have considered algorithmic discrimination risk if Colorado's Attorney General comes asking.
Illinois AI Video Interview Act and California AB 2930. Both impose hiring-context AI notice obligations that overlap with Colorado employment-context disclosures. Build a unified hiring AI notice that satisfies all three rather than three separate notices.
EU AI Act. If you also serve EU users, the EU AI Act high-risk system documentation and human oversight requirements are substantially more stringent than Colorado's new framework. The EU documentation can generally satisfy Colorado obligations with light tailoring.
EEOC and DOJ enforcement. The EEOC's May 2023 Title VII technical assistance on AI employment selection procedures and the Department of Justice's ADA enforcement priorities both create federal anti-discrimination risk in employment AI that exists independent of state notice laws. Compliance with Colorado's notice obligations does not insulate you from federal civil rights enforcement.
NIST AI RMF. Aligning your internal governance to the NIST AI Risk Management Framework 1.0 is not legally required by SB 26-189 but is widely accepted as a defensible baseline by regulators across jurisdictions and by enterprise customers conducting AI vendor diligence.
A Practical Twelve-Week Compliance Roadmap
For a small or mid-size business starting from zero, the work to be ready for January 1, 2027 breaks into four phases.
Weeks 1 through 3 - Inventory. Identify every tool, vendor, or in-house system that makes or materially influences any decision in the eight consequential decision categories about Colorado consumers. Include embedded AI features in third-party SaaS. For each, classify whether it is covered ADMT and document who the developer is.
Weeks 4 through 6 - Vendor alignment. Reach out to each developer of covered ADMT and request the documentation package they will provide to support your notice and disclosure obligations. Negotiate any contract amendments needed to cover indemnification, data correction support, and adverse outcome response cooperation.
Weeks 7 through 9 - Notice and process design. Draft the pre-use notice page, the adverse outcome disclosure template, the data subject request workflow extensions, and the human review process. Run each through plain-language and accessibility review. Train customer-facing, HR, and underwriting staff.
Weeks 10 through 12 - Launch and audit prep. Publish notices, route the new processes to production, and build the documentation file an Attorney General investigator would request: vendor contracts, notice screenshots, response logs, human review records, and training rosters. Schedule a six-month internal audit.
A team that starts in mid-2026 has comfortable runway. A team that waits until Q4 will be scrambling, especially given the vendor contract amendment cycle, which routinely takes 60 to 90 days at enterprise scale.
Keep Your Compliance Records as Transparent as Your Books
Whether you are mapping ADMT inventories, tracking adverse outcome disclosures, or building the audit-defensible documentation file an Attorney General investigator might request, the same principle applies to compliance records as to financial records: transparency, version control, and the ability to reconstruct any number at any point in time matter more than the format. Beancount.io provides plain-text accounting that gives you complete visibility into your financial data, with no black boxes and no vendor lock-in. Get started for free and see why developers, finance teams, and compliance-minded operators are switching to plain-text accounting.