Colorado Hits Reset on AI Regulation: SB 26-189 Repeals and Reenacts the Colorado AI Act
What You Need to Know
Key takeaway #1
On May 14, 2026, Colorado adopted a new AI law (SB 26-189), replacing a 2024 law it passed but never put into practice. The new law forgoes three of the most significant obligations of the prior statute: risk management programs, impact assessments, and the duty to use reasonable care to prevent algorithmic discrimination. In their place, the law narrows its scope to automated decision-making technologies (ADMT) that make “consequential decisions” and imposes four new operational duties: to notify users when they interact with AI, disclose to consumers within 30 days of an “adverse” outcome of an ADMT, correct inaccurate personal data when requested, and provide meaningful human review and reconsideration.
Key takeaway #2
Vendor contracts need immediate attention. The new law voids any contract clause that attempts to shift liability for a party’s own discriminatory use of ADMT onto another party, a direct risk-transfer concern for AI procurement. The law also requires developers to provide deployers with formal documentation about their systems. Most vendors are not yet delivering this as a standard contractual commitment.
Key takeaway #3
The deadline for compliance and key Colorado attorney general rules is January 1, 2027. The rest of 2026 should be used to prepare for compliance, including inventorying systems and renegotiating vendor terms.
Client Alert | 7 min read | 05.27.26
How We Got Here
Colorado’s original AI Act (SB 24-205), signed in May 2024, imposed broad obligations on developers and deployers of “high-risk AI systems” — including requiring risk management programs, impact assessments, and affirmative steps to prevent algorithmic discrimination across employment, housing, lending, insurance, health care, and education decisions. The operative date for SB 24-205 was extended twice, and a court temporarily suspended enforcement in early 2026, following a lawsuit filed by xAI, which the U.S. Department of Justice (DOJ) intervened to support. Industry feedback on SB 24-205 was generally negative. In response to this environment, Colorado’s legislature undertook a rewrite, drafting and passing SB 26-189 in a matter of weeks. SB 26-189 reflects the legislature’s effort to preserve the policy goal of filling the AI oversight vacuum given the lack of a comprehensive federal law, but within a more workable compliance framework.
What the Law Covers — and What It Doesn’t
SB 26-189 regulates “covered automated decision-making technology” (covered ADMT): any system using computation or machine learning to process personal data and materially influence a consequential decision. The covered domains remain the same: employment, housing, credit, insurance, health care, education, and essential government services.
The new law contains meaningful carveouts. Tools like firewalls, spam filters, spell-checkers, and web hosting software are excluded from the definition of “covered ADMT,” as are calculators, databases, spreadsheets, and tools used solely to summarize or present information for human review. Routine business functions — including scheduling, customer service triage, advertising, product recommendations, search, and content moderation — fall outside the definition of “consequential decision.”
One definitional nuance for companies to note: while the overall compliance burden is narrower than SB 24-205, the new definition of “covered ADMT” does not require that a system make inferences from inputs to generate outputs — in contrast to SB 24-205, which defined “artificial intelligence systems” as systems that infer from inputs to generate outputs. A system that merely checks whether an answer falls within an acceptable range could qualify. Companies should not assume that simpler automated tools are categorically excluded without assessing them against the new definition.
What Changed: The Core Compliance Obligations
The most significant structural change in SB 26-189 is what it removes. Three obligations that drove the most concern in the business community are gone: the mandate for a risk management program, the requirement for an impact assessment, and — critically — the duty to use reasonable care to prevent algorithmic discrimination, which was a significant source of liability exposure under the prior law. What replaces these obligations is a more targeted, operationally focused framework built around three pillars: developer documentation, deployer transparency, and consumer rights.
Pillar 1: Developer Documentation is now a statutory baseline requirement. Beginning January 1, 2027, developers must provide deployers with documentation covering intended uses of ADMT, known risks and limitations, categories of personal data used in training, and instructions for appropriate use and human oversight. They must also notify deployers of material updates and retain records for at least three years. For organizations that rely on third-party AI vendors, this means ensuring these new documentation deliverables are negotiated into contracts now, rather than at renewal time. Most vendors are not currently providing the developer documentation that the law will shortly require. Representations made in the documentation create a potential area of liability for vendors, along with potential intellectual property and confidentiality issues for what is contained in the documentation, particularly around training data.
Pillar 2: Deployer Transparency forms the operational core of the new law and encompasses two of the four new operational duties. Deployers must provide clear and conspicuous notice to consumers before they use or interact with a covered ADMT that will influence a consequential decision. When a covered decision produces an adverse outcome, deployers have 30 days to deliver a plain-language disclosure explaining the decision, the role the ADMT played, and how the individual can exercise their rights. The Colorado attorney general’s (AG) rules — due by January 1, 2027 — will specify what these disclosures must contain, including sector-specific guidance.
Pillar 3: Consumer Rights encompasses the remaining two operational duties. Individuals who receive an adverse outcome may request correction of inaccurate personal data used in the decision and an opportunity for meaningful human review and reconsideration, to the extent commercially reasonable. These are two distinct and independent entitlements — the right to correct data, and the separate right to human review — and each requires its own operational infrastructure. Building that infrastructure — identifying the right owner, capturing the relevant system information, training reviewers to exercise genuine independent judgment — is cross-functional work that should start now.
Sector-Specific Accommodations
SB 26-189 introduces sector-specific safe harbors that were largely absent from the prior law, and which could be significant for clients in regulated industries.
Insurance: Insurers that are already complying with Colorado’s existing algorithmic discrimination rules are deemed compliant with SB 26-189’s requirements. Note, however, that this safe harbor does not extend to an insurer’s own employment decisions or employment opportunities, which remain fully subject to SB 26-189’s requirements. Colorado-regulated insurers should confirm their current compliance posture against the relevant insurance-specific standards rather than building a parallel ADMT compliance program.
Health care: Health Insurance Portability and Accountability Act (HIPAA)-covered entities and their business associates are largely exempt from the new law’s requirements outside of consequential employment decisions and financial assistance determinations. For those entities that are not fully exempt, the ADMT notice requirements can be incorporated into other existing notices, and additional specific disclosure requirements apply around use of ADMT to make financial assistance eligibility determinations. The exemption reflects that there is an existing federal privacy and nondiscrimination framework that already governs much of how covered entities use data in clinical and administrative contexts.
Medical devices and pharmaceutical research: Medical devices and pharmaceutical research and development activities subject to U.S. Food and Drug Administration (FDA) oversight are excluded from the law’s coverage entirely, providing meaningful certainty for life sciences companies operating in Colorado.
Financial services: Creditors who are already providing adverse action notices under the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA) may satisfy SB 26-189’s post-adverse-outcome disclosure requirements through those existing statutory processes, avoiding duplicative obligations for covered credit decisions.
Education: Family Educational Rights and Privacy Act (FERPA)-covered educational institutions that provide FERPA-compliant notices will be deemed compliant with SB 26-189’s notice requirements and do not need to establish a separate or duplicate notice. An institution meets SB 26-189’s human review requirements if it has already established a FERPA-compliant correction and human review process.
For general counsel in any of these sectors, a threshold question in any compliance assessment should be whether the relevant safe harbor applies — and if so, whether existing regulatory compliance programs can be leveraged rather than building new ADMT-specific infrastructure.
New Limits on AI Risk Transfer by Contract
SB 26-189 includes a provision that should receive significant attention from organizations that rely on third-party AI vendors. The law renders void any contract clause purporting to indemnify a party for its own ADMT-related discriminatory acts or omissions in connection with a consequential decision. It also creates a fault-allocation framework between developers and deployers in discrimination claims. Standard AI vendor agreements — including broad mutual indemnities, limitation-of-liability carveouts, and defense and settlement control provisions — may need revision. Legal and procurement departments should conduct that review before the next renewal cycle closes the window.
Enforcement
The Colorado AG will treat violations of SB 26-189 as deceptive trade practices and will have exclusive authority. The AG must generally give alleged violators 60 days’ notice and an opportunity to cure before bringing an action — but that window does not apply to knowing or repeated violations. Companies should also note that the right to cure sunsets on January 1, 2030. After that date, the AG is not required to provide a cure opportunity before bringing an enforcement action, which meaningfully increases the long-term compliance stakes. The consumer-protection framing matters in the near term as well: an AG investigation carries reputational and operational risk that can exceed formal penalty exposure, even when ultimately resolved in the cure period.
SB 26-189 explicitly states that the law does not create a new private right of action.
What to Do Now
Inventory first. Map every tool that processes personal data to influence an employment, lending, insurance, health care, housing, or education decision. Assess each tool against the statutory carveouts and the sector-specific safe harbors. This inventory drives every subsequent decision.
Update vendor contracts. Request developer documentation deliverables now. Review indemnification and liability provisions in light of the new statutory allocation rules.
Build the adverse-outcome workflow. Determine who owns the 30-day disclosure obligation, how ADMT system information gets captured, and who conducts reconsideration reviews — before the AG’s rules land and the clock starts. Establish separate procedures for data correction requests and human review requests, as these are distinct consumer entitlements.
Track the rulemaking. The AG’s rules, expected by January 1, 2027, will define disclosure content and consumer rights implementation in detail, including sector-specific guidance for financial services, health care, and insurance. Monitor that docket closely throughout the year.
Plan for 2030. The 60-day cure right sunsets on January 1, 2030. Compliance programs should be sufficiently mature well before that date, as the enforcement posture will shift meaningfully once the cure period expires.
How We Can Help
Our team regularly advises companies on AI compliance and state privacy regulatory matters, including system inventories, vendor contract review, disclosure program design, and AG investigation response. If you have questions about how SB 26-189 affects your business — whether you are a developer or deployer or are operating in a regulated sector — or if you are seeking to build or audit your ADMT compliance program ahead of the January 1, 2027, operative date, please contact our team.