Colorado became the first state in the country to pass a sweeping law regulating how businesses use artificial intelligence in 2024. Governor Polis expressed concerns about the law at that time and called for revisions before the law took effect. Those revisions have now largely arrived, with SB 26 189, signed by the governor on May 14, 2026. The amendments essentially repeal and replace much of the original AI Act with a narrower, more targeted framework. The law will now take effect on January 1, 2027, rather than June 30, 2026.
The law originally was to regulate use of “high risk” AI systems, similar to the EU AI Act. As amended, the law will focus on companies’ use of automated decision-making technology (ADMT) used to materially influence a “consequential decision.” Material influence means situations in which the tool plays a meaningful role in decisions that can seriously affect someone’s life. Examples listed in the law include decisions about hiring and employment, housing, or loans and financial services. Other examples include the provision of insurance, health care, education, and certain government services.
The revised law removes obligations to have formal risk programs, impact assessments, bias audits, and general “AI use” notices. Instead, the law focuses on transparency and individual rights when using ADMT to materially influence a consequential decision. Namely:
- Companies that use covered ADMT must give clear notice when an automated tool is being used in a covered decision. This must occur before or at the time a company uses covered ADMT to materially influence a consequential decision. This can be done through a “prominent” public notice the consumer can access.
- If a person is negatively impacted by an ADMT decision, the company must (a) provide a plain language explanation within 30 days describing the role the automated tool played, the types of data used, and how the person can get more information. Additionally, (b) companies must give people a meaningful way to request human review of the decision and (c) instructions on accessing and correcting factually incorrect personal data used by ADMT.
- Companies must keep records, including records that show the ADMT’s use in decisions, for three years (or longer).
- The law contemplates shared responsibility by both developers and deployers. Developers need to document the use and capabilities of covered ADMT, and deployers are responsible for how they use the tools in practice.
As was previously the case, enforcement rests with the Colorado Attorney General, there is no private right of action, and violations are treated as deceptive trade practices. The AG must adopt implementing regulations by the January 1, 2027 effective date.
Putting it into Practice: Colorado’s revisions will come as a relief for many. It moves the law into closer alignment with other states’ governance of ADMT. Between now and the implementation date, companies would be well served to review their use of automated decisionmaking technologies to see if they are being deployed to materially influence consequential decisions.