Colorado Replaces Its Landmark AI Act With New Framework: What Developers and Deployers Need to Know About SB 26-189

The new law drops the duty-of-care standard and annual impact assessments but still imposes transparency, disclosure, and recordkeeping obligations on companies that build or deploy AI systems used in consequential decisions. The attorney general (AG) has exclusive enforcement authority with penalties up to $20,000 per violation.

What Changed

The original Colorado AI Act imposed a broad duty of reasonable care on developers and deployers of “high-risk AI systems” and required annual impact assessments, risk management programs, and AG notification of algorithmic discrimination. After criticism that these obligations would stifle innovation, the legislature passed SB 26-189, which narrows the scope from “high-risk AI systems” to “covered automated decision-making technologies (ADMTs) that materially influence consequential decisions and eliminates the duty-of-care standard and impact assessment requirements previously needed for the “safe harbor” against enforcement actions brought by the Colorado attorney general.

Who and What Is Covered

The law applies to developers (those who build, sell, or license covered ADMTs) and deployers (those who use them) doing business in Colorado. It covers AI tools that materially influence decisions affecting consumers in these domains.

• Education.

• Employment.

• Residential real estate.

• Financial/lending services.

• Insurance.

• Health care.

• Essential government services.

Excluding advertising, marketing, content moderation, product recommendations, scheduling, and customer service triage.

Key Obligations

Developers: Must provide deployers with technical documentation covering intended uses, training data categories, known limitations, instructions for human review, and information deployers need for their own disclosures. Developers must also notify deployers of material changes to the ADMT’s use, limitations, or risk profile.

Deployers: Deployer obligations are more extensive than those imposed on developers but still less burdensome than under the original law. Obligations include the following.

• Point-of-Interaction Notice: Before using a covered ADMT to materially influence a consequential decision, a deployer must give the affected consumer clear and conspicuous notice that a covered ADMT is being used along with instructions on how to obtain additional information. A deployer can satisfy this requirement by maintaining a prominent public notice that is reasonably accessible at points of consumer interaction, including through a link or posting reasonably proximate to the relevant transaction.

• Post Adverse Outcome Disclosure: In the event of an adverse outcome, the deployer must provide the consumer with the following information within 30 days: (a) a plain-language description of the consequential decision and the role the covered ADMT played; (b) instructions and a simple process to request additional information about the ADMT and its inputs, including the system’s name, version number, developer, and the types, categories, and sources of personal data used; and (c) an explanation of the consumer’s rights under the law and how to exercise them.

Recordkeeping: Both developers and deployers must retain compliance records for at least three years.

Enforcement

The AG has exclusive enforcement authority under the Colorado Consumer Protection Act. Violations are treated as deceptive trade practices carrying penalties of up to $20,000 per violation. The AG must provide 60 days’ written notice and an opportunity to cure before enforcement — but this right-to-cure provision sunsets on January 1, 2030, after which no cure period is required. No cure period applies if the violation was knowing or repeated. Developers and deployers also remain exposed to civil discrimination claims under the Colorado Anti-Discrimination Act.

Consumers who experience an adverse outcome from a consequential decision in which a covered ADMT was materially influential may request correction of inaccurate personal data used in the decision and meaningful human review and reconsideration of the decision to the extent commercially reasonable.

Actions To Take

Assess Scope Now

Identify which AI tools your company builds or deploys in Colorado that qualify as covered ADMTs — i.e., tools that materially influence decisions in education, employment, real estate, financial services, insurance, health care, or government services.

Build Disclosure Processes

Deployers need point-of-interaction notices and a 30-day post-adverse-outcome disclosure workflow. Developers need to deliver technical documentation and a process to communicate material ADMT updates to deployers.

Monitor Rulemaking

The AG must adopt implementing rules by January 1, 2027. These will clarify post-adverse-outcome disclosure requirements and may shape compliance standards. Track developments and be prepared to adjust processes as guidance is finalized.