Colorado pulls back on AI regulation

On May 14, 2026, Colorado Governor Jared Polis signed into law SB 26-189 (SB 26-189, or Colorado law), overriding the 2024 Colorado Artificial Intelligence Act (Colorado AI Act), which made it the first state in the country to pass comprehensive AI regulations. The new law goes into effect on January 1, 2027.

Unlike the Colorado AI Act, which regulated all “high risk” artificial intelligence (AI) systems, SB 26-189 only applies to automated decision-making technologies (ADMTs) that are used to make “consequential decisions.” The new law eliminates the affirmative duty to prevent algorithmic discrimination that was established in the Colorado AI Act and instead mandates that existing state anti-discrimination laws apply to ADMTs.

Below, we describe the key provisions of the new Colorado law, compare it to its closest state analog (California’s recently amended regulations under its Consumer Privacy Act (CCPA)), and provide key takeaways for ADMT developers and deployers in Colorado.

Key provisions

• Covered ADMTs. The new Colorado law applies to any ADMT that “is used to materially influence a consequential decision.” SB 26-189 defines “consequential decision” largely consistent with the repealed Colorado AI Act. Decisions relating to education, employment, lease or purchase of real estate, financial and lending services, insurance, health care services, and essential government services and benefits are in scope.


• Deployer obligations focus on transparency and notice. Deployers are required to disclose the use of ADMTs to consumers prior to use and, in the event of an “adverse outcome,” provide the consumer with an explanation of the ADMT’s role in the decision and an opportunity for meaningful human review. The Colorado Attorney General is tasked with issuing rules about the format and content of certain notices.


• Developers have obligations to deployers. For covered ADMTs, developers must give deployers documentation regarding intended uses; harmful or inappropriate uses; limitations and risks; personal and other data used to train the ADMT; instructions for use, monitoring, and meaningful human review; and updates to the ADMT.


• State anti-discrimination laws apply to ADMTs. The law states that developers and deployers of covered ADMTs can be held liable for violation of state anti-discrimination laws “arising from a consequential decision materially influenced by a covered ADMT.”


• Carve-outs for low-risk uses. “Low stakes” decisions, advertising and marketing, spreadsheets requiring human analysis, summarization, and narrow procedural tasks are out of scope.


• Security, compliance, and anti-fraud carve-outs. The law excludes technology used for cybersecurity, system reliability, anti-money laundering, economic sanctions compliance, and fraud prevention (including identity verification).


• Allocation of liability. The law states that liability will be allocated between developers and deployers based on their relative fault for the violation. It also provides that those subject to the law cannot avoid violations via contractual indemnity clauses.


• No private right of action. The law is enforceable only by the Colorado Attorney General, and violations are treated as unfair trade practices. For any potential violation that is neither knowing nor repeated, the Attorney General will provide a notice and an opportunity to cure (if it is deemed curable by the Attorney General).

SB 26-189 compared to California ADMT regulations

As described in a prior client alert, last year, California promulgated amended CCPA regulations that include requirements relating to ADMTs. Although those regulations are now generally in effect, the ADMT-specific requirements begin on January 1, 2027, the same day that SB 26-189 goes into effect.

The new Colorado law and CCPA regulations use different terms and definitions but are similar in operation. Key differences between the two are as follows:

• Broader ADMT coverage. The Colorado law and CCPA regulations apply to “consequential” or “significant” decisions, respectively. Whereas the CCPA limits “significant” decisions to those in which ADMT “substantially replace[s] human decision-making” (emphasis added), the Colorado law is broader and applies to any use of ADMTs that “materially influences” (emphasis added) such decisions.


• Broader domain coverage. The Colorado law applies to the use of ADMTs in two domains not covered by CCPA regulations: (1) insurance; and (2) “essential government services and public benefits, including eligibility and renewal determinations.”


• Developer obligations. The Colorado law places downstream documentation obligations on covered ADMT developers. Developers do not have analogous obligations under CCPA regulations.


• Broader consumer appeal rights, but no opt-out rights. The Colorado law provides a right for meaningful human review for adverse outcomes but no opt-out right. By contrast, CCPA regulations provide consumers with a right to opt out of ADMT use, though covered businesses can avoid the opt-out requirement by offering an appeal to a human reviewer.

Key takeaways

The repeal of the Colorado AI Act follows a national trend of states adopting narrower AI laws. While the new Colorado law is more limited in scope than its predecessor, its ADMT provisions are broader than comparable state regulations. With the Colorado law and the similar CCPA regulations going into effect next January, ADMT developers and deployers are encouraged to review what tools are in scope and what policies and procedures should be in place for compliance.

For more information, please contact the authors.