Skip to main content
Regulome
Search regulations…⌘K
For ProvidersFree Checker
CO AI ActEnactedUS · Colorado

Colorado AI Act (repealed and reenacted by SB 26-189).

Colorado's AI law after SB 26-189 (signed May 14, 2026): the 2024 risk-management framework was repealed and replaced with an automated decision-making (ADMT) disclosure-and-rights regime. January 1, 2027 effective date, AG enforcement, and $20,000 per-violation penalty risk explained.

Last updated:

Effective
January 1, 2027
Enforcement
January 1, 2027
Max Penalty
$20,000 per violation
Jurisdiction
US · Colorado
⚠ Enforcement deadline — January 1, 2027
170
Days
08
Hours
21
Minutes
50
Seconds

Colorado AI Act (as amended by SB 26-189) enforcement begins January 1, 2027 — is your business ready?

§ Timeline
May 2024May 2026Jan 2027
Signed into lawSB 26-189 amendmentEffective (amended)

Colorado SB 24-205, repealed and reenacted by SB 26-189 (signed May 14, 2026) | Effective January 1, 2027 | Exclusive AG enforcement — no private right of action


What Changed With SB 26-189

If you built (or planned) a Colorado AI Act compliance program around the 2024 law, stop and re-scope it. The obligations you were preparing for no longer exist.

SB 26-189 was passed by the legislature and sent to the Governor on May 12, 2026, and Governor Polis signed it into law on May 14, 2026. It did not merely amend the 2024 Colorado AI Act (SB 24-205) — it repealed and reenacted the statute, replacing one regulatory model with a fundamentally different one.

The 2024 law was an EU-style, risk-management framework built around a freestanding duty of reasonable care to prevent algorithmic discrimination. The new law throws that out. In its place is a narrower disclosure-and-rights regime for automated decision-making technology (ADMT): tell consumers when covered ADMT is used, explain adverse outcomes, let consumers correct their data and ask for human review, and keep records.

The key changes:

  • Effective date moved from June 30, 2026 to January 1, 2027. The original deadline is gone.
  • The risk-management framework was eliminated. No more mandatory risk management program, no annual impact assessments, no freestanding duty of reasonable care (see the next section).
  • New ADMT disclosure and consumer-rights obligations replace those duties (covered in "What Deployers Must Do").
  • The under-50-employee small-business exemption from the 2024 law was removed. The new law applies to deployers regardless of size, subject to a limited and conditional employer carve-out for very small employers — do not assume you qualify; check the enrolled bill text.
  • Mandatory AG rulemaking — the Attorney General must adopt implementing rules by January 1, 2027.
  • Enforcement is currently stayed under a federal court order in xAI v. Weiser dated April 27, 2026.

The practical implication: you have more time than the old calendar suggested, but the substance of what you must build has changed entirely. Building to the 2024 obligations now is wasted effort.


What Was Repealed (Do Not Build to the Old Law)

This is the most important section on this page, because a lot of guidance still circulating online describes the repealed 2024 law as if it were current.

The following obligations were part of SB 24-205 and no longer exist under the reenacted statute:

  • The duty of reasonable care to prevent algorithmic discrimination — eliminated. (Existing federal and Colorado anti-discrimination laws still apply; they always did. But there is no standalone AI "reasonable care" duty.)
  • The mandatory risk management program — eliminated.
  • Annual impact assessments — eliminated.
  • The NIST AI RMF / ISO 42001 safe harbor (a rebuttable-presumption affirmative defense for documented, framework-aligned programs) — not carried forward.

If a checklist tells you to "conduct an annual impact assessment," "maintain a documented risk management program," or "rely on the NIST safe harbor as your primary defense" under Colorado law, that checklist is describing the law that was repealed in May 2026.


Are You a Deployer? Run This Test First

Most compliance work falls on deployers — the companies using ADMT to make decisions — not developers. If you build an AI product for someone else, your obligations are narrower (primarily technical documentation and disclosure to deployers downstream from you).

You are a deployer under the Colorado AI Act if:

All three of these are true:

  1. You use automated decision-making technology (ADMT) that makes, or is a substantial factor in, a consequential decision
  2. That decision affects a Colorado consumer
  3. The decision is in one of these enumerated domains:
    • Employment: hiring, promotion, termination, compensation, and similar decisions
    • Education: admissions, financial aid, academic evaluation, credentialing
    • Housing: rental applications, purchase decisions, pricing
    • Financial or lending services: loan approvals, credit limits, interest rates
    • Insurance: applications, underwriting, claims decisions, pricing
    • Health care: access to and eligibility for health-care services
    • Essential government services and public benefits

"ADMT" is defined broadly: technology that processes personal data and uses computation to generate output — predictions, recommendations, classifications, rankings, scores — used to make, guide, or assist a consequential decision.

You do not need to be headquartered in Colorado. If your ADMT affects Colorado residents in these domains — even with no Colorado presence — you are covered.

If you're still not sure: ask, "Does this system's output affect whether a Colorado resident gets a job, a loan, an apartment, insurance, health care, education, or a government benefit?" If yes, treat yourself as in scope.

Note on scope: The 2024 law's broad list once referenced categories like "legal services." The reenacted law's enumerated domains are the seven listed above. Confirm any edge-case domain against the enrolled bill text.


What Deployers Must Do

Under SB 26-189, deployer obligations are disclosure and consumer-rights duties — not a risk-management program. There are four core operative duties, effective January 1, 2027.

1. Provide Pre-Use Notice

Before using covered ADMT to make or substantially influence a consequential decision, give the consumer clear and conspicuous notice that ADMT will be used, with instructions for how to obtain additional information. A deployer can generally satisfy this with a prominent, reasonably accessible public notice at points of consumer interaction.

2. Explain Adverse Decisions (Within ~30 Days)

When a consequential decision results in an adverse outcome for the consumer, the deployer must provide, within 30 days, a plain-language description of:

  • The decision and the adverse outcome
  • The role the covered ADMT played in the decision
  • Instructions for requesting additional information about the ADMT
  • How the consumer can exercise their rights (below)

3. Honor Consumer Rights: Inspect, Correct, and Human Review

A consumer who receives an adverse outcome can request:

  • Access and correction of the personal data the ADMT used in the decision (consistent with the Colorado Privacy Act)
  • Meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable

You need a process to receive and respond to these requests.

4. Keep Records for Three Years

Retain records sufficient to demonstrate compliance for at least three years from the date of the consequential decision.

What's gone: Notice there is no impact-assessment requirement, no documented risk management program, and no "reasonable care" standard in this list. Those were the heart of the 2024 law and were repealed.


What Developers Must Do

If you build covered ADMT and supply it to deployers, your obligations are primarily about giving deployers the information they need:

  • Document and disclose to deployers the technical information about the system — including the categories of data used to train the system, known limitations/constraints, and the inputs tied to decision-making — so deployers can meet their disclosure duties.
  • Retain compliance records for at least three years.
  • Cooperate with deployers' consumer-facing obligations where your system is involved.

Developer duties are about transparency downstream to deployers, not managing consumer relationships directly.


Is There Still a NIST Safe Harbor?

No. This is a common and dangerous misconception, because the repealed 2024 law did include one.

Under SB 24-205, a deployer (or developer) who maintained a program aligned with the NIST AI Risk Management Framework (or an equivalent like ISO/IEC 42001) could claim a rebuttable presumption — effectively an affirmative defense — that it had used reasonable care. SB 26-189 did not carry that forward. With the reasonable-care duty itself repealed, there is nothing for a NIST-aligned program to be a "safe harbor" against.

What this means in practice:

  • There is no codified NIST safe harbor or affirmative defense under current Colorado law.
  • NIST AI RMF and ISO 42001 are still worthwhile as a documentation and governance backbone — and they help with overlapping obligations (the Colorado Privacy Act, anti-discrimination law, other state AI laws). But do not present them, internally or to a vendor, as a statutory Colorado defense.
  • Your real exposure-reduction levers under the new law are doing the disclosures correctly, responding to consumer rights requests, and keeping the three-year records that prove you did.

The Penalty Structure

Enforcement is exclusive to the Colorado Attorney General — there is no private right of action (no class-action plaintiffs).

Legal basis: A violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act (CCPA).

Maximum penalty: up to $20,000 per violation.

Right to cure (with a sunset): The AG must give 60 days' written notice and an opportunity to cure before bringing an enforcement action — but:

  • The right-to-cure provision sunsets on January 1, 2030. After that date, the AG is not required to offer a cure period.
  • No cure period applies to knowing or repeated violations.

The $20,000-per-violation figure scales quickly in high-volume contexts: a disclosure failure applied across thousands of Colorado consumers is a large theoretical exposure even before any per-consumer multiplication the AG might pursue.


The Enforcement Reality

Current status: enforcement is suspended by a federal court order. In xAI v. Weiser (U.S. District Court for the District of Colorado), the court — on a joint motion — entered an order dated April 27, 2026 providing that the Colorado AG shall not initiate enforcement (including opening an investigation) of the Colorado AI Act, or any legislation replacing or amending it enacted this session (i.e., SB 26-189), until 14 days after the court rules on xAI's forthcoming preliminary-injunction motion. That motion is not due until 28 days after the AG completes rulemaking. The U.S. Department of Justice has intervened in the case.

AG rulemaking: SB 26-189 directs the AG to adopt implementing rules by January 1, 2027. Those rules are expected to clarify the disclosure and consumer-rights mechanics and have not yet been finalized.

What this means for your program: the new obligations are narrower and more concrete than the old framework, which makes them easier to operationalize. Don't pause indefinitely on the strength of the stay — it is litigation-driven and could lift, and the law's effective date is January 1, 2027. Build the disclosure, consumer-rights, and recordkeeping plumbing now, and watch the AG rulemaking for the operational details.


Your Compliance Checklist

Work through these before January 1, 2027. This reflects the reenacted law (SB 26-189), not the repealed 2024 framework.

Phase 1 — Scope assessment (do this first)

  • Inventory all systems that use covered ADMT to make, or substantially influence, consequential decisions about Colorado residents
  • Confirm which fall in the seven enumerated domains (employment, education, housing, financial/lending, insurance, health care, essential government services)
  • Identify which third-party ADMT products you deploy that qualify — and remember the under-50-employee blanket exemption is gone

Phase 2 — Pre-use disclosure

  • Draft clear-and-conspicuous pre-use notices stating that ADMT is used and how to get more information
  • Decide where notice lives (point-of-interaction notice vs. a prominent public notice)

Phase 3 — Adverse-outcome process

  • Build a process to issue plain-language adverse-decision explanations within 30 days
  • Include the ADMT's role and instructions for requesting more information and exercising rights

Phase 4 — Consumer rights

  • Stand up intake for data access/correction requests (align with your Colorado Privacy Act processes)
  • Build a meaningful human-review-and-reconsideration path (to the extent commercially reasonable)

Phase 5 — Recordkeeping and vendor management

  • Retain compliance records for at least three years per consequential decision
  • Collect developer technical documentation for third-party ADMT and confirm it supports your disclosures
  • Update contracts to allocate ADMT compliance responsibilities

Phase 6 — Watch rulemaking

  • Track the AG's implementing rules (due January 1, 2027) and the xAI v. Weiser docket; adjust your disclosures when rules are finalized

For a step-by-step version of this checklist with implementation detail, see the Colorado AI Act Compliance Checklist.


Official Resources

§ Industries Most Affected
🏥
Healthcare

AI used in diagnosis, coverage decisions, or treatment recommendations is high-risk under SB 24-205.

👔
HR & Hiring

Automated tools for screening, scoring, or ranking job candidates trigger deployer obligations.

🏦
Financial Services

Credit scoring, lending decisions, and underwriting algorithms are explicitly covered by the Act.

🛡️
Insurance

AI-driven underwriting or claims decisions affecting Colorado policyholders require impact assessments.

⚠ Penalty exposure
Up to $20,000 per violation

Enforced by the Colorado Attorney General under the Colorado Consumer Protection Act. A 60-day cure window applies for non-willful violations — but only if you have an active compliance program.

§ Source documents
§ Also in The Ledger
Stay ahead of AI compliance changes

Get weekly regulation updates, enforcement news, and compliance deadlines — free.