
Colorado has replaced its landmark 2024 AI law with Senate Bill 26-189, a narrower statute that repeals and reenacts the earlier framework and instead regulates automated decision-making technology (“ADMT”) when it is used in “consequential decisions,” a concept discussed further below. The new law takes effect on January 1, 2027, and applies to consequential decisions made on or after that date. The rewrite materially reduces the compliance regime companies had been preparing for under the 2024 act, but it still imposes documentation, notice, consumer rights, and record-retention obligations on both developers and deployers of AI systems.
The old act centered on preventing “algorithmic discrimination,” defined as AI system use that resulted in unlawful differential treatment or impact disfavoring individuals based on protected classes such as race, age, sex, or disability in consequential decisions. SB 26-189 replaces that framework with a regime focused on covered ADMT that materially influences consequential decisions.
In practical terms, SB 26-189 removes the following:
1. the prior law’s duty of reasonable care in protecting against algorithmic discrimination;
2. requirements that deployers of covered AI systems implement, maintain, and review formal risk-management programs;
3. mandatory annual impact assessments and annual reviews;
4. public website statements from both developers and deployers of covered AI systems summarizing their risk management systems;
5. attorney general reporting obligations; and
6. the standalone AI-interaction disclosure requirement where consumers are interacting with covered AI systems.
SB 26-189 is not limited to tools marketed as AI, because it covers technologies that process personal data and use computation to generate outputs used to make, guide, or assist decisions about individuals. “Consequential decisions” include decisions, determinations, or actions about a consumer’s access to, eligibility for, selection for, or compensation for covered domains such as education, employment, residential real estate, financial or lending services, insurance, health care services, and essential government services and public benefits. The term also reaches decisions about differentiated pricing, costs, compensation, or other material terms when those terms are reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter access to one of the previously listed covered categories of “consequential decisions.” The revised statute narrows that broad definition through exclusions for low-stakes or routine processes, advertising and marketing, content moderation, summarization tools that do not generate an inference affecting outcome, and specified cybersecurity, sanctions-compliance, fraud-prevention, and identity-verification activities.
Developers of covered ADMT must provide deployers with reasonably understandable documentation describing intended and harmful uses, training-data categories, known limitations, and instructions for appropriate use and human review, and they must notify deployers of material updates to covered ADMT. Developers must also retain compliance records for at least three years.
Deployers of covered ADMT must provide clear and conspicuous pre-use notice of such ADMT to consumers. Such deployers must also give a post-adverse-outcome disclosure within thirty days if a consequential decision materially influenced by covered ADMT results in an adverse outcome to a consumer. Such consumers may request access to and correction of factually incorrect or materially inaccurate personal data used in the applicable decision subject to ADMT, and may even request meaningful human review and reconsideration of such decision to the extent commercially reasonable. This “meaningful human review” requirement is not merely ceremonial: the reviewer must be trained in reviewing such ADMT processes, must consider relevant evidence, must have authority to approve, modify, or override the decision, and must not simply default to the output of the ADMT at issue.
SB 26-189 makes liability allocation and contract drafting a front-burner issue by allocating fault between developers and deployers based on relative responsibility and declaring void any contractual provision that seeks to indemnify, defend, or hold harmless a party for its own discriminatory ADMT-related acts or omissions in connection with consequential decisions. In practical terms, the statute is aimed at preventing either side from using a vendor or deployment agreement to shift responsibility for its own violations of Colorado anti-discrimination law to the other side. The restriction is narrower than a blanket ban on all AI-related indemnities, however, because the statute focuses on a party’s own discriminatory conduct, and a developer is generally not liable where a deployer used the covered ADMT in a manner that was not intended, documented, marketed, advertised, configured, or contracted for by the developer.
In preparing for the new law going into effect in 2027, businesses should start by inventorying the tools that may qualify as covered ADMT and mapping the consequential decisions in which those tools are used, with special attention to employment, housing, lending, insurance, healthcare, education, and public-benefit workflows. They should also determine which affected populations fall within Colorado’s expanded consumer definition, because that analysis now extends beyond traditional consumer transactions and into applicants or recruits for employment and in Colorado
Deployers of covered systems will need front-end notices to consumers and a thirty-day post-adverse-outcome process that can explain the role of their ADMT in plain language. Companies should also develop human-review procedures now for disputed ADMT decisions, since the statutory standard contemplates trained reviewers with real override authority and the practical burden of that requirement is likely to become a focal point of attorney general rulemaking.
Finally, although the broad regulatory regime of the old Colorado AI Act has been significantly narrowed, covered ADMT should be reviewed for potentially discriminatory impact, as existing state and federal laws prohibiting such discrimination remain in place whether or not they specifically target algorithmic discrimination. As such, ongoing bias review remains best practice for the use of ADMT in consumer interactions and transactions. Working with qualified legal counsel in coordination with business operations experts remains the surest way to avoid unnecessary disruptions to business processes while remaining compliant with regulatory requirements.
Zachary Soto, Partner, PAG Law
Disclaimer: This publication is provided by PAG Law PLLC for general informational purposes only and does not constitute legal advice or create an attorney-client relationship between PAG Law and the reader. The content reflects the views of the author as of the date of publication and may not reflect subsequent developments in law, regulation, or policy. Readers should not act or refrain from acting on the basis of any information contained herein without seeking professional legal counsel tailored to their specific circumstances and jurisdiction. PAG Law expressly disclaims all liability with respect to actions taken or not taken based on any or all of the contents of this publication. This material may be considered attorney advertising in some jurisdictions.
