Colorado Just Rewrote Its AI Law — What It Means for Your Small Business

Zachariah Crabill, JD

May 22, 2026

Governor Polis signed SB 26-189 on May 14, 2026, repealing and replacing the Colorado AI Act before it ever took effect. Here's what actually changed, what Colorado SMBs should do this week, and what to ignore from the SB 24-205 prep cycle.

On May 14, 2026, Governor Polis signed SB 26-189, repealing and replacing the Colorado AI Act that lawyers (including us) had been prepping Colorado businesses for since 2024. If you spent the last two years hearing about high-risk AI systems, risk management programs, and impact assessments — most of that is gone. What replaced it is shorter, more concrete, and much friendlier to small businesses.

Here is what actually changed, what you should do this week, and what to ignore from the SB 24-205 prep cycle.

The short version of what happened

The Colorado General Assembly passed Senate Bill 26-189 by a bipartisan 34-1 vote in the Senate and 57-6 in the House. The Governor signed it on May 14, 2026. It fully repeals Senate Bill 24-205 (the 2024 Colorado AI Act) before that law ever took effect. The new statute is effective January 1, 2027.

SB 24-205 had been pushed to a June 30, 2026 effective date in an August 2025 special session and was widely expected to be the most demanding state AI law in the country. The legislature listened to two years of business and regulatory feedback and scrapped most of the framework. What replaced it is a disclosure-and-human-review regime that is far less expensive for small businesses to comply with — but still has teeth.

What changed (the short list)

The terminology changed

Out: “high-risk AI system.” In: “covered ADMT” — automated decision-making technology that materially influences a consequential decision. The new term is narrower in some ways (spell-checkers, calculators, and administrative tools are explicitly excluded) and clearer in others (the law spells out what counts as “materially influences” and gives a list of nine sector exemptions).

The duties are shorter

The 2024 law had seven affirmative deployer duties stacked on top of an open-ended “reasonable care” standard. The 2026 law has five concrete duties:

  1. A clear and conspicuous pre-use notice that ADMT is used.
  2. A 30-day adverse-outcome notice in plain language when ADMT contributes to a denial or other unfavorable outcome.
  3. A meaningful human review process for adverse outcomes, to the extent commercially reasonable.
  4. A process for consumers to access and correct the personal data ADMT relied on.
  5. Three years of records sufficient to demonstrate compliance.

The sectors changed

Out: legal services. Still in, carried over from the 2024 law: education, employment, residential real estate, financial and lending services, insurance, healthcare, and government services and public benefits.

The duty of care is gone

SB 24-205's “reasonable care to avoid algorithmic discrimination” was the single most uncertain piece of the old framework — nobody could tell you exactly what reasonable care looked like in advance. That standard is gone. But anti-discrimination liability did not disappear — see the next section.

The effective date moved out

Out: June 30, 2026. In: January 1, 2027. You got an extra six months of runway, and the new framework is faster to stand up.

What did not change

Three things matter here, and they are easy to miss if you only read the press releases.

Anti-discrimination law still applies

SB 26-189 expressly preserves liability under existing state anti-discrimination laws for consequential decisions materially influenced by ADMT. The statute also makes liability allocable by relative fault between developer and deployer. Translation: if your AI hiring tool produces a disparate impact, you can still get sued under Colorado anti-discrimination law — and the new statute makes clear that contracts purporting to indemnify a party for its own discriminatory conduct are void as a matter of public policy.

Documentation is still the spine of any defense

The AG's exclusive enforcement authority comes with a 60-day cure period before any action — but the cure period sunsets entirely on January 1, 2030, and the right to cure does not apply to knowing or repeated violations. Without records, you cannot meaningfully use the cure window. And a three-year recordkeeping duty is now in the statute itself.

Vendor risk shifted further onto the deployer

Even with a lighter deployer regime, SB 26-189 assumes you have contractual visibility into what your AI vendors are doing. Developers now owe deployers a documentation package — intended uses, training data categories, limitations, and human-review instructions. If you have not asked for that from your vendors, you should.

What Colorado SMBs should actually do this week

If your business is small enough that you do not have an in-house attorney, here is the prioritized list:

  1. Pull together a one-page ADMT inventory. List every AI-assisted tool your business uses that touches a decision about a person — hiring, lending, customer eligibility, pricing, anything in the seven covered sectors. Note the vendor, what it does, and who owns it internally.
  2. Post a pre-use notice on the customer-facing surfaces. You do not need a 12-page policy. You need a clearly written notice at the points of consumer interaction explaining that ADMT is used and how to ask for more information. Plain English. Reasonably accessible.
  3. Draft a templated adverse-outcome notice. When someone is denied, declined, or priced unfavorably, you have 30 days to send a plain-language explanation that covers what the system did, what inputs it considered, and how the consumer can request more information and exercise their rights. Template it once and reuse it.
  4. Name a human reviewer. Pick a person — or a short list — with the authority to override an adverse ADMT outcome. Train them. Make sure they have access to the system documentation the vendor gave you. Write down the workflow.
  5. Ask every AI vendor for the developer documentation SB 26-189 requires. Intended uses, training data categories, limitations, and human-review instructions. If they will not send it, log the request and start looking for alternatives.
  6. Pick a place for your records. Decision logs, notices sent, vendor documentation, review outcomes — all in one place, retained for at least three years.

That's the whole minimum-viable program. No risk management committee. No annual impact assessments. No Attorney General notification. The bar is real but it is achievable for a small business on a normal week.

What about everything we already built for SB 24-205?

If your business already started an SB 24-205 compliance program — drafted a risk management policy, ran impact assessments, set up bias auditing — none of it is wasted. Every one of those artifacts maps to a piece of either SB 26-189 or state anti-discrimination law. You may not need the formal risk-management program anymore, but the documentation it produced is exactly the paper trail that survives a cure notice. Keep it. Update what changed. Do not throw out the file cabinet because the law renamed the categories.

The honest take on what this means for Colorado SMBs

SB 26-189 is a meaningfully better law for small businesses than the one it replaced. The duties are shorter, more public, and more measurable. A regulator can tell at a glance whether you complied. That is a feature, not a bug — it means a small business that did the work has a real defense, and a small business that ignored the statute is going to be obvious.

The businesses that get hurt after January 1, 2027 will not be the ones that got every detail right; they will be the ones that did not post a pre-use notice, did not respond to an adverse-outcome request, or could not produce three years of records when the AG asked.

For the comprehensive walkthrough of every duty in the new statute, see our Colorado AI Act plain-language guide. If you want a personalized two-minute readout on where your business stands against SB 26-189, our free readiness checker will produce a prioritized gap list mapped to the new framework. And if you want a fixed-fee, attorney-led assessment of your ADMT footprint, that is what FAIIR certification is for.
