Colorado ADMT / AI Act (SB 26-189)
Effective date
Penalty
Enforced by the Colorado Attorney General through the Colorado Consumer Protection Act; 60-day notice and opportunity to cure where cure is possible; no new…
Cure period
60 days
Obligations mapped
17 obligations
Legislative update
SB26-189 was signed on May 14, 2026. It repeals and reenacts the SB24-205 AI provisions into a covered ADMT framework with a January 1, 2027 operative start for core developer documentation, deployer notice, consumer-rights, and recordkeeping duties. The stable co-ai-act route stays in place and SB24-205 artifacts are preserved as historical or reusable governance evidence while the current-law workspace model is refit to SB26-189.
SB26-189 is current; SB24-205 artifacts are preserved
XIRA keeps co-ai-act as the stable product route, but the current legal model is SB26-189. Existing SB24-205 risk-management, impact-assessment, notice, and proof-bundle artifacts stay available as historical records or reusable governance evidence. They should not be treated as the full current Colorado minimum-law checklist after the SB26-189 refit.
Overview
If your company does business in Colorado and develops or deploys automated decision-making technology that materially influences consequential decisions about education, employment, housing, financial or lending services, insurance, healthcare services, or essential government services, SB26-189 may apply starting January 1, 2027. Developers should prepare technical documentation for deployers and material-update notices. Deployers should prepare clear point-of-interaction notice, post-adverse-outcome explanations, data access and correction handling, meaningful human review and reconsideration, and three-year compliance records. Existing SB24-205 impact-assessment, risk-management, and public-statement work should stay in XIRA as historical and reusable governance evidence, not be deleted.
This is an AI-specific state law.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in Colorado
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
SB 24-205
AI categories covered
- Employment and hiring
- Consumer-facing AI
- Healthcare AI
- Financial services AI
- Insurance
- Housing
- Education
Specific AI use cases:
- Education decisions
- Employment decisions
- Financial lending decisions
- Government service decisions
- Healthcare decisions
- Housing decisions
- Insurance decisions
- Resume screening and ranking
- Video interview analysis
- Candidate assessment and scoring
- Workforce scheduling and optimization
- Credit scoring and risk assessment
- Fraud detection
- Insurance underwriting
- Insurance claims AI
- Tenant screening
- Diagnostic and clinical AI
- Insurance prior authorization
What this requires you to do
17 obligations identified from statutory analysis.
SB24-205 historical control; reusable governance evidence
SB26-189 deployer point-of-interaction notice
SB24-205 historical control; SB26 fault-allocation evidence
SB26-189 AG enforcement response
SB24-205 historical control; SB26 fault-allocation evidence
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Enforced by the Colorado Attorney General through the Colorado Consumer Protection Act; 60-day notice and opportunity to cure where cure is possible; no new private right of action. SB26-189 also allocates fault between developers and deployers in existing-law discrimination actions.
Cure period: 60 days.
Private right of action: plaintiffs may bring direct claims in addition to government enforcement.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
- Effective: Core SB26-189 covered ADMT duties begin, including developer documentation, deployer notices and post-adverse-outcome disclosures, consumer data and human-review rights, and three-year recordkeeping.
- Signed: SB 26-189 signed. The signed act repeals and reenacts SB24-205 into a covered ADMT framework and prevents the prior June 30, 2026 SB24-205 operating model from becoming the current Colorado baseline. Treat SB26-189 as the current Colorado source version. Preserve SB24-205 artifacts as historical or reusable governance evidence.
- Amended: SB 26-189 passed both chambers and was sent to the Governor after Senate concurrence in House amendments.
- Proposed replacement: SB 26-189 introduced to repeal and reenact the SB24-205 AI provisions as an automated decision-making technology framework.
- Guidance issued: Commerce Department publishes evaluation identifying Colorado as having onerous state AI law
- Proposed replacement: Governor AI Policy Working Group convening weekly, developing repeal-and-replace consensus language
- Proposed replacement: Regular legislative session begins with replacement framework negotiations still open.
- Guidance issued: Trump executive order creates DOJ AI Litigation Task Force. No lawsuits filed against Colorado as of April 2026.
- Delayed: Governor signs SB 25B-004, delaying effective date from February 1, 2026 to June 30, 2026
- Delayed: Special session convened. Four competing AI bills introduced including AI Sunshine Act SB 25B-004. Substantive amendments collapse.
- Delayed: Governor Polis and legislative leaders jointly request delay of effective date
- Introduced: SB 25-318 introduced by Sen. Rodriguez to amend AI Act. Postponed indefinitely.
- Signed: Governor Polis signs SB 24-205 with public letter expressing reservations and urging amendments
Related regulations
- In Effect, Privacy ADM
Colorado Privacy Act (CPA profiling and ADM)
Colorado profiling rules define three tiers: Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing. Consumer opt-out applies to tiers 1 and 2. Tier 3 gets enhanced disclosure instead of opt-out. Core profiling provisions effective July 1, 2023. Universal opt-out mechanism compliance required since July 1, 2024. The 60-day cure period for CPA violations expired January 1, 2025, so the Attorney General may pursue enforcement without a cure window (distinct from the Colorado AI Act cure rule). HB 24-1130 added biometric consent requirements effective July 1, 2025. SB 24-041 added minor protections effective October 1, 2025.
Effective
- In Effect, Framework
NIST AI Risk Management Framework (AI RMF 1.0)
NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF 2.0 in February 2024, building on early adoption experiences and adapting to generative AI paradigms. Companion documents include the AI RMF Playbook and Generative AI Profile (NIST AI 600-1), developed under EO 14110, which persists as a voluntary framework even though EO 14110 was revoked. State laws that reference NIST as a safe harbor or affirmative defense include Texas TRAIGA (HB 149), Tennessee TIPA, and Montana Right to Compute Act (SB 212). Colorado SB24-205 NIST-aligned controls remain useful historical and reusable governance evidence after SB26-189, but they should not be described as the current Colorado ADMT minimum-law safe harbor without legal review. Alignment with NIST AI RMF increasingly affects legal exposure under these state laws.
Effective
- Upcoming, Privacy ADM
CCPA/CPRA Automated Decision-Making Technology Regulations
California's ADMT regulations require businesses using automated decisionmaking technology for significant decisions (employment, finance, housing, education, healthcare) to provide pre-use notices, offer opt-out rights, respond to access requests, and conduct risk assessments with annual CPPA filing under penalty of perjury.
Effective
- In Effect, AI-Specific
NYC Local Law 144 (Automated Employment Decision Tools)
NYC Local Law 144 requires employers and employment agencies using automated employment decision tools for hiring or promotion in New York City to conduct annual independent bias audits, publish results on their website, and notify candidates that an AEDT is being used.
Effective
- In Effect, AI-Specific
Illinois Biometric Information Privacy Act (BIPA)
Illinois BIPA may require written consent before collecting fingerprints, facial scans, voiceprints, iris scans, or hand geometry. Where applicable, companies may need to publish a retention/destruction policy, provide written notice, obtain written releases, and may be barred from selling or profiting from biometric data. Any aggrieved person can sue for $1,000 to $5,000 per violation without proving harm.
Effective
Colorado AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.