Stay Informed | Legal Updates

Colorado Repeals and Replaces Its Landmark AI Statute: What Businesses Need to Know

June 12, 2026

On May 14, 2026, Colorado Governor Jared Polis signed SB 26-189, which repeals and replaces SB 24-205, the Colorado Artificial Intelligence Act enacted in 2024.

The new enactment narrows the original statute, postpones the effective date to January 1, 2027, and reorients Colorado’s approach from proactive risk-management obligations to a more limited framework centered on consumer transparency and rights connected to consequential automated decision-making. Entities that develop, deploy, or procure artificial intelligence (“AI”) enabled or other automated decision-making tools (“ADMT”) that will be used to make employment, consumer, health care, housing, lending, insurance, or other high-impact determinations should: (i) assess whether those tools qualify as ADMTs; (ii) conduct internal assessments and develop internal procedures and required disclosures; (iii) review contractual allocation-of-risk provisions with its customers and vendors; and (iv) prepare for the Colorado Attorney General’s upcoming regulations.

BACKGROUND

Colorado enacted SB 24-205 in 2024 as the first comprehensive state statute specifically regulating “high risk” AI systems, which borrowed concepts under the European Union’s comprehensive EU AI Act. As originally enacted, the law imposed affirmative compliance obligations on both developers and deployers of AI systems used in “consequential decisions”, including decisions relating to employment, housing, health care, lending, insurance, and education. Those obligations included risk-management programs, annual impact assessments, a duty of reasonable care to prevent algorithmic discrimination, consumer notice rights, and self-reporting duties to the Attorney General. After sustained industry opposition, the effective date was postponed from February 1, 2026, to June 30, 2026. In April 2026, a major AI developer commenced a federal constitutional challenge and the U.S. Department of Justice (“DOJ”) intervened in support of the AI developer[1] . A federal court entered a stay of enforcement on April 27, 2026. The General Assembly then enacted SB 26-189, superseding the prior framework before either version became operative. The new law will not provide a private right of action, but the Colorado Attorney General may impose fines for violations of the law, provided that in scope entities will be typically granted a sixty day opportunity to cure until January 1, 2030.

WHO IS AFFECTED

The statute applies to businesses that develop and/or use ADMTs to materially influence consequential decisions affecting Colorado residents. Covered technologies may include AI functionality embedded in third-party platforms, such as HR systems, underwriting software, compliance tools, and patient intake applications, even if the regulated entity did not itself develop the tool. Determining coverage requires a fact-specific assessment of the technology’s function, its integration into operational workflows, and whether its output materially influences the ultimate consequential decision.

KEY CHANGES UNDER SB 26-189

Refocused compliance framework. SB 26-189 eliminates several of the original statute’s core substantive duties, including the duty of reasonable care to prevent algorithmic discrimination, deployer risk-management programs, and annual impact assessments. In their place, the revised statute adopts a narrower compliance model focused primarily on transparency. The new law requires ADMT developers and/or deployers to: (i) provide disclosures to its downstream ADMT deployers and consumers, respectively; (ii) establish procedural safeguards when using ADMT to make consequential decisions; and (iii) comply with detailed documentation requirements. Further information on the new requirements under the amended Colorado law is described below.

Developer disclosures retained. Developers, defined to include entities that build, sell, license, or substantially modify ADMTs, must furnish deployers with specified documentation and material updates concerning intended uses, categories of training data, known limitations, reasonably foreseeable harmful uses, and instructions for human oversight. SB 26-189 also renders unenforceable contractual provisions that shift liability for a party’s own discriminatory use of ADMT, which makes review of indemnification clauses, and other risk-shifting language in applicable contracts advisable.

Consumer-facing obligations clarified. Deployers using ADMTs must provide a public notice to consumers before, or at the time, a covered ADMT is used. If AI materially contributes to an adverse consequential decision, the deployer must, within thirty days of the decision, disclose to the consumer: the ADMT decision, the role of the ADMT in the decision, and the procedure by which the consumer may seek reconsideration. Consumers also retain rights to access and correct personal data used in automated decision-making and to request meaningful human review.

AG self-reporting removed; record retention added. The revised statute does not carry forward the prior obligation to self-report algorithmic discrimination risks to the Attorney General. It does, however, impose a new three-year record-retention requirement on ADMT developers and deployers.

ENFORCEMENT STATUS

SB 26-189 is scheduled to take effect on January 1, 2027, but enforcement remains contingent on completion of Attorney General rulemaking, which has not yet formally commenced. The April 2026 federal stay also extends to successor legislation, making practical enforcement unlikely before late 2027. Nevertheless, entities subject to the statute should begin compliance planning now because the forthcoming rulemaking will define key implementation requirements, and a documented compliance record may prove significant in regulatory inquiries, civil litigation, and transactional due diligence.

ACTION CHECKLIST

Although SB 26-189 narrows the original statutory framework and delays the effective date, it still imposes material compliance obligations.

Developer Obligations. ADMT developers should consider the following compliance steps:

  1. Conduct ADMT assessments to identify and document: (i) all intended and inappropriate uses of, and known harms associated with, its ADMT(s); (ii) categories of data used in ADMT model training; and (iii) known risks and limitations associated with its ADMT(s); and

  2. Develop required ADMT deployer information disclosures and instructions based on the results of the ADMT assessments and retain associated documentation for three years

Deployer Obligations. At a minimum, ADMT deployers should consider the following steps:

  1. Map covered ADMT consequential-decision use cases and inventory the related ADMT, including AI functionality embedded in third-party products and workflows;

  2. Develop ADMT pre-use notices and adverse-decision disclosures and prominently and publicly publish the pre-use notice by the law’s effective date;

  3. Review and remediate vendor contracts to confirm receipt of required developer disclosures and to evaluate indemnification and other risk-allocation provisions in light of the statute’s non-waivable liability rules;

  4. Establish documented operational procedures for pre-use notice, adverse-decision disclosures, personal data access and correction requests, and requests for meaningful human review of ADMT decisions;

  5. Implement defensible record-retention controls sufficient to preserve records of covered ADMT use for the required three-year period; and

  6. Monitor rulemaking and conform governance documents accordingly by updating policies, internal controls, vendor templates, and employee training as the Attorney General issues implementing guidance.

[1] The DOJ’s intervention highlights a broader trend of challenging state laws that purportedly interfere with U.S. AI innovation. See Presidential Executive Order 14365, which ordered the creation of a new DOJ AI Litigation Taskforce to challenge the constitutionality of state AI laws that hinder AI innovation. Also, federal lawmakers spearheaded by Senator Blackburn are the currently negotiating the Trump America AI Act which includes state pre-emption provisions.

Click here to view a downloadable PDF of the Legal Update.

This Legal Update is intended to keep readers current on developments in the law. It is not intended to be legal advice. If you have any questions, please contact Derek Luke at 412.566.6967 or dluke@eckertseamans.com, Elizabeth Wilson at 215.851.8497 or ewilson@eckertseamans.com, or any other attorney at Eckert Seamans with whom you have been working.

Share This Post

Authors

Derek T. Luke Photo Pittsburgh

Derek T. Luke

Associate - Pittsburgh

See full bio
Elizabeth Wilson Photo Philadelphia

Elizabeth Wilson

Member - Philadelphia

See full bio