
Colorado’s AI Act Is Dead — What SB 26-189 Requires Instead


Colorado’s AI law was supposed to be a milestone: the first serious state-level attempt to regulate AI systems in the US, modeled on the EU AI Act, scheduled to take effect June 30, 2026. It never made it. The law was judicially stayed, then fully replaced before its own deadline. What survived is materially lighter, and if you’re building AI products, the compliance picture just changed substantially.

What Happened to the Original Law

Senate Bill 24-205 passed in 2024 and imposed broad obligations on developers and deployers of “high-risk AI systems” — annual impact assessments, risk management programs, a duty of care to prevent algorithmic discrimination, and mandatory reporting to the Colorado Attorney General. Governor Polis signed it with public reservations, calling it “a complex compliance regime.”

The collapse accelerated in 2026. In December 2025, the White House issued an executive order on AI that specifically named Colorado’s law as one that “would compel AI systems to produce false results.” Then in April 2026, xAI filed suit in federal district court, arguing the law was unconstitutionally vague and violated the First Amendment. The Department of Justice intervened on xAI’s side — the first time the federal government had moved to invalidate a state AI law. By April 27, a federal judge had stayed enforcement after Colorado’s own AG stipulated to the pause. The law that was meant to regulate AI never regulated anything.

Governor Polis signed the replacement — Senate Bill 26-189 — on May 14, 2026. The new law takes effect January 1, 2027.

The New Law: Narrower Scope, Different Philosophy

SB 26-189 does not try to govern how AI systems are built. Instead, it focuses on transparency when they’re deployed in specific high-stakes decisions. The regulatory target is “covered automated decision-making technology” (ADMT) — any computational or ML-based system that materially influences a “consequential decision” in one of seven defined domains: employment, housing, credit and lending, insurance, healthcare, education, and essential government services.

That framing matters. If your AI tool handles advertising, product recommendations, content moderation, scheduling, or customer service triage, it falls outside the law entirely. Spam filters, calculators, and summarization tools are explicitly excluded. The original law’s broad “high-risk AI system” bucket has been replaced by something far more targeted.

The three provisions that drove the most industry concern are gone. There are no more annual impact assessments, no risk management programs, and no duty of care to avoid algorithmic discrimination. The mandatory reporting requirement to the AG also disappears. What remains is a framework built around disclosure and consumer rights.

What Developers and Deployers Must Do by January 1, 2027

For developers who build covered ADMT products and sell them to other businesses, the obligation is documentation. You must provide deployers with a technical package covering: intended uses, known harmful uses and limitations, categories of personal data used in training, risk mitigation guidance, and instructions for human oversight. Material changes to the system — new risks, updated intended use, modifications — must be communicated to deployers in a reasonable timeframe. Records must be retained for at least three years.

For deployers, there are two core requirements. First, provide clear notice to consumers before using covered ADMT to make or influence a consequential decision. Second, if a covered decision produces an adverse outcome, deliver a plain-language disclosure within 30 days explaining what was decided, what role the ADMT played, and what rights the consumer has. Consumers can request correction of factually incorrect data used in the decision and ask for meaningful human review — the law’s phrase “to the extent commercially reasonable” gives deployers some flexibility on the latter.

Enforcement sits exclusively with the Colorado AG. There is no private right of action, meaning individuals cannot sue you directly. Violations are treated as deceptive trade practices with penalties up to $20,000 per violation. A 60-day cure window applies through January 1, 2030, after which enforcement becomes stricter. Existing compliance under ECOA, FCRA, HIPAA, or FERPA may satisfy many of these requirements depending on your sector.

Pre-January 2027 Compliance Checklist

  • Inventory all systems that process personal data to influence decisions in the 7 covered domains
  • Prepare developer documentation packages for each covered ADMT product (intended uses, training data, risks, oversight instructions)
  • Review vendor contracts to confirm documentation delivery and indemnification obligations
  • Build pre-use notice infrastructure for consumer-facing deployer workflows
  • Create 30-day adverse-outcome disclosure workflows with plain-language templates
  • Document your process for handling human review requests
  • Monitor Colorado AG rulemaking for sector-specific disclosure requirements (expected late 2026)
  • Check whether existing ECOA, FCRA, HIPAA, or FERPA compliance already satisfies your sector’s requirements

The Larger Signal

Colorado’s regulatory whiplash is worth paying attention to, because it’s not an isolated story. The White House directly targeted a state AI law, the DOJ litigated against it, and the replacement passed in two weeks under federal pressure. That is a coordinated signal about where US AI policy is heading — toward disclosure and consumer rights, not governance programs and algorithmic discrimination duties. Compare this to the EU AI Act, where August 2026 brings new compliance obligations for general-purpose AI providers — the divergence is sharp and deliberate.

If you’re building AI products that touch employment, housing, credit, health, or education decisions for Colorado residents, January 1, 2027 is the date to have your documentation and disclosure infrastructure in place. The AG’s implementing rules, due by the same date, will fill in specific disclosure content requirements and sector-specific guidance — watch for those in the second half of 2026.

ByteBot