Colorado AI Act 2026: The Plain-Language Guide for Businesses

In May 2026 Colorado scrapped its first AI law and replaced it with a much lighter one. If you run a Colorado business and any automated decision tool helps decide who gets hired, fired, approved for a loan, priced for insurance, admitted to a program, or evaluated for housing or healthcare, the new Colorado AI Act applies to you — but the obligations look very different from what the legal industry was bracing for.

This is the plain-language walkthrough of what actually passed, what changed, and what a realistic compliance plan looks like now for a business that does not have a general counsel on staff.

What is the new Colorado AI Act?

The new Colorado AI Act is Senate Bill 26-189, signed by Governor Polis on May 14, 2026 after passing the legislature by a bipartisan 34-1 vote in the Senate and 57-6 in the House. It repeals and replaces the prior Colorado AI Act (Senate Bill 24-205, the 2024 law that was scheduled to take effect first in February 2026 and then in June 2026). The 2024 statute will not take effect. The 2026 statute does, on January 1, 2027.

The core idea has shifted. SB 24-205 borrowed from the European Union's AI Act and treated high-risk AI like a regulated industry — ongoing risk management, written impact assessments, an affirmative duty of care to avoid algorithmic discrimination, and Attorney General notification when things went wrong. SB 26-189 throws most of that out. The new regime is a disclosure-and-human-review framework: tell people when you're using ADMT, tell them more after an adverse outcome, and give them a way to get a real person to look at the decision.

Who does it apply to?

SB 26-189 keeps the same two categories of regulated parties from the old law:

• Developers — the businesses that build or meaningfully modify the underlying technology. If your company trains a model, or licenses one and fine-tunes it for a specific use, you are probably a developer.
• Deployers — the businesses that use ADMT to make, or to materially influence, a consequential decision about a consumer. Most Colorado small businesses will end up in this bucket.

The deployer duties are the ones most Colorado businesses will need to worry about. A SaaS company that uses an off-the-shelf applicant-tracking tool with AI resume screening is a deployer. A lender that uses a third-party model to evaluate credit risk is a deployer. A landlord running tenant applications through an AI-powered background check is a deployer.

What is “covered ADMT”?

The new statute drops “high-risk AI system” and replaces it with covered ADMT — automated decision-making technology that processes personal data and materially influences a consequential decision. Three pieces have to line up before the duties attach:

• ADMT — technology that processes personal data and uses computation to generate output that makes, guides, or assists a decision. The statute explicitly excludes spell-checkers, calculators, and tools used for human review or administrative processing.
• Materially influences— the ADMT's output is a non-de-minimis factor in the outcome. Incidental, trivial, or clerical uses do not count.
• Consequential decision — a decision about a consumer affecting access, eligibility, or terms in one of the seven covered sectors listed below.

The seven covered sectors

• Education enrollment and opportunity
• Employment and the employer-employee relationship
• Residential real estate lease or purchase
• Financial and lending services
• Insurance underwriting, pricing, coverage, and claims
• Healthcare services
• Government services and public benefits

Two things to notice. First, this list covers a huge portion of the Colorado economy. Second, legal services— which was in the 2024 law's scope — has been dropped from the 2026 law.

The five duties deployers actually owe

If the statute applies to your business, the affirmative obligations are shorter and more concrete than under the 2024 law:

1. Pre-use notice (clear and conspicuous)

You have to tell people that covered ADMT is used in your consequential decisions, with instructions for how to request more information. The statute says “clear and conspicuous” — buried disclosure at the bottom of a privacy policy does not count. A public-facing notice that is reasonably accessible at the points of consumer interaction generally does.

2. Adverse-outcome notice within 30 days

When ADMT contributes to an adverse outcome — a denial, a rejection, an unfavorable price — the deployer has 30 days to send the affected person a plain-language notice describing the decision, the ADMT's role, how to request more information about the inputs the ADMT considered, and an explanation of the consumer's rights and how to exercise them.

3. Meaningful human review of adverse outcomes

After an adverse outcome, consumers have a right to a real human review — to the extent commercially reasonable. The statute defines meaningful human reviewas review by someone with authority to approve, modify, or override the decision, who is trained, who considers relevant evidence, who does not default to the system's output, and who has access to the system's intended use, material limitations, input categories, and principal factors. Ad-hoc rubber-stamping does not satisfy the duty.

4. Consumer access and correction of personal data

Consumers can request access to the personal data the ADMT relied on, and can ask to correct factually incorrect or materially inaccurate data. The rights are tied to the Colorado Privacy Act, which means regulated-entity exemptions (GLBA-covered financial institutions, public utilities, employment records in part, and higher education records) carry over. Consumers cannot correct opinions, predictions, scores, or protected evaluations — only the underlying facts.

5. Recordkeeping for three years

Deployers must keep records sufficient to demonstrate compliance for three years after the relevant consequential decision. That generally means decision logs, copies of notices sent, vendor documentation, and records of human-review outcomes and consumer-data requests.

What developers owe

Developer-side duties are lighter and primarily documentation-based. Developers must give deployers enough information to comply, including a statement of intended uses and known harmful or inappropriate uses, the categories of data used to train the system (to the extent known), known limitations and risks, and instructions for meaningful human review. Developers can satisfy the duty through public release notes plus direct notice to deployers. Developers also retain records for three years and must update deployers about material changes.

What you no longer have to do

If you were following the 2024 law's prep cycle, these duties are gone:

• No more duty of care to avoid algorithmic discrimination as a freestanding statutory obligation.
• No more risk management program requirement under the AI statute (NIST AI RMF alignment is still good practice — just not legally compelled by this statute).
• No more annual impact assessments as a statutory deliverable.
• No more Attorney General notification of algorithmic discrimination incidents.
• No more broad consumer appeal rights — meaningful human review is now scoped to adverse outcomes.

Anti-discrimination liability did not go away

This is the part the headlines miss. SB 26-189 deleted the algorithmic-discrimination language from the AI statute, but the bill expressly preserves liability under existing state anti-discrimination laws for consequential decisions materially influenced by covered ADMT. Liability is allocated by relative fault among developer, deployer, and any intermediary — and contracts trying to indemnify a party for its own discriminatory conduct are explicitly declared void.

Translation: you can still get sued for discriminatory AI outcomes under Colorado's existing anti-discrimination laws, and you cannot contract out of that exposure. The practical defense is the same as it has always been — ongoing bias testing, documented remediation, and a human review path that actually works.

Who enforces it and what are the penalties?

The Colorado Attorney General is the exclusive enforcement authority, operating under the Colorado Consumer Protection Act. There is no private right of action under the AI statute. Before bringing an enforcement action, the AG must give a notice of violation and a 60-day cure period, unless the violation is knowing or repeated. The cure period sunsets on January 1, 2030 — so after that, the AG can move straight to enforcement.

What to do right now

The compliance lift is significantly smaller than under the 2024 law. Five concrete steps, roughly in this order:

1. Inventory your ADMT. Make a written list of every tool your business uses that has automated decision-making components, and what decisions each one influences. Include third-party tools — your HR platform, your credit model, your customer support copilot, your pricing engine.
2. Classify against the new definition. For each system, decide in writing whether it materially influences a consequential decision in one of the seven covered sectors. Note any exemptions you relied on.
3. Draft the two notices. A clear-and-conspicuous pre-use notice for your public-facing properties, and a templated plain-language adverse-outcome notice you can send within 30 days of any unfavorable decision.
4. Stand up a meaningful human review process. Name who reviews, train them, document the workflow, and give them access to the developer documentation they need to second-guess the system. The process has to be real, not a rubber stamp.
5. Collect developer documentation from every ADMT vendor. Intended uses, training data categories, limitations, risks, and human-review instructions. You need these on file to draft accurate consumer notices and to defend an AG inquiry. (More on the contract clauses that get you there.)

If you want to know how your business would score against these duties right now, take our free Colorado AI Act Readiness Checker. It takes about two minutes and produces a specific, prioritized gap list mapped to SB 26-189.

The honest bottom line

The new Colorado AI Act is less onerous than the law it replaced, but it is also more concrete. The duties are shorter, more public, and more measurable — which means a regulator can tell at a glance whether you complied. The businesses that get hurt after January 1, 2027 will not be the ones that got every detail right; they will be the ones that did not post a pre-use notice, did not respond to an adverse-outcome request, or could not produce three years of records.

Available Law built FAIIR — the Foundation for AI Integrity & Regulation specifically to get Colorado businesses through this statute without paying big-firm rates. If your business is running covered ADMT in any of the seven sectors above and you do not yet have notices, human review, or vendor documentation in place, that is what we are here for.