Colorado’s New AI Act Targets Automated Decision-Making for Consequential Decisions

00:00

24:53

Quick Hits 

• On May 14, 2026, Colorado Governor Polis signed Senate Bill 26-189, which repeals and replaces the 2024 Colorado AI Act.
• The new law removes the 2024 act’s duty of care, risk management program, and impact assessment requirements in favor of a pre-use notice, a post-adverse-outcome disclosure, and a limited set of consumer rights tied to “covered ADMT.”
• “Consumer” expressly includes employees and Colorado resident job applicants, reaching workforce decisions the Colorado Privacy Act largely excludes (apart from its biometric data provisions).
• Contract terms that indemnify a developer or deployer against liability for its own antidiscrimination violations involving covered ADMT are void as against public policy.
• The law takes effect January 1, 2027.

The Colorado General Assembly’s passage of Senate Bill (SB) 26-189 closes two years of legislative wrangling over a law that had not yet taken effect. Governor Jared Polis signed the 2024 Colorado Artificial Intelligence (AI) Act in May 2024 only after publicly asking the legislature to revisit it during stakeholder review. After repeated session-long deadlocks and an interim Working Group convened by the governor in fall 2025, the legislature adopted the Working Group’s framework largely intact. Governor Polis signed the bill on May 14, 2026, and the law takes effect January 1, 2027.

For employers, SB 26-189 is both narrower in scope and broader in reach than the law it replaces. It eliminates the 2024 act’s most demanding compliance obligations, but it pulls employees and job applicants into a notice-and-rights regime that the Colorado Privacy Act expressly excludes.

Narrowing Scope and Covered Technology

SB 26-189 imposes compliance obligations on both “developers” (creators) and “deployers” (users, including employers) of AI, but it abandons the 2024 act’s broad reach over “high-risk artificial intelligence systems.” In its place is a broadly defined automated decision-making technology (ADMT) concept narrowed to “covered ADMT,” meaning ADMT used to materially influence a “consequential decision” in one of seven defined domains: education, employment, housing, financial or lending services, insurance, healthcare services, and essential government services.

The ADMT definition itself excludes a list of baseline technologies, including web hosting, firewalls, anti-virus and anti-malware software, spell-check, calculators, and spreadsheets that require human analysis and do not use machine learning, foundation models, or large language models. General purpose large language models are also excluded, but only where they are not specifically configured or marketed for use in consequential decisions and are subject to acceptable use policies that prohibit such use.

Specifying Covered Uses 

Obligations attach only when a covered ADMT is used to “materially influence” a “consequential decision” concerning a consumer, employee, or job applicant. “Materially influences” requires that the ADMT output (1) be a “non-de minimis factor” in the decision and (2) “affect the outcome of the decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made.” That standard is higher than the 2024 act’s “substantial factor” threshold, and the definition expressly excludes “incidental, trivial, or clerical uses.”

The new framework also expands the carve-outs from “consequential decision.” Out of scope are low-stakes or routine decisions; advertising and marketing, including content moderation and product recommendations; narrow procedural tasks; cybersecurity and fraud prevention activities; and routine academic administration. The definition further excludes use of an ADMT to “summarize, organize, or present information for human review” where the system does not produce a score, ranking, recommendation, classification, prediction, or other inference that materially affects the outcome. That last carve-out matters for the many employer use cases in which AI prepares materials but a human ultimately decides.

From Duties to Disclosures

SB 26-189 discards the 2024 act’s central machinery. There is no duty of reasonable care, no algorithmic discrimination notice to the attorney general, no risk management program requirement, no impact assessment, and no standalone obligation to tell consumers they are interacting with AI. What remains is a documentation, notice, and disclosure regime structured around three points of obligation.

First, developers of covered ADMT must provide each deployer with documentation describing intended and known harmful uses, categories of training data, known limitations, and instructions for appropriate use and meaningful human review, along with notice of material updates. Second, deployers must provide a clear-and-conspicuous pre-use notice. A prominent posting reasonably proximate to the consumer interaction (such as a link or notice at the point of engagement) will satisfy the requirement. Third, when a consequential decision results in an adverse outcome, deployers must provide a plain language post-adverse-outcome disclosure within thirty calendar days. On request following an adverse outcome, deployers must give instructions for accessing and correcting inaccurate personal data used in the decision and provide an opportunity for meaningful human review and reconsideration, “to the extent commercially reasonable.”

“Meaningful human review” has its own five-part definition. The reviewer must (1) have authority to approve, modify, or override the decision; (2) consider relevant available primary evidence; (3) be trained for the review function; (4) not default to the system output; and (5) have access to sufficient information to understand the output’s intended use, material limitations, and categories of inputs and principal factors, without disclosure of trade secrets, model weights, or proprietary source code. The “commercially reasonable” qualifier on reconsideration is significant for high-volume decisioning and is likely to be a focus of attorney general rulemaking.

Both developers and deployers must retain compliance records for at least three years. Coordination provisions allow Equal Credit Opportunity Act/Fair Credit Reporting Act (ECOA/FCRA)-compliant adverse action notices and Family Educational Rights and Privacy Act (FERPA)-compliant processes to satisfy overlapping requirements where applicable.

Employees and Applicants Are Covered

The provision employers should focus on is the definition of “consumer.” It incorporates the Colorado Privacy Act’s definition (a Colorado resident acting in an individual or household context) and then adds three further categories: employees; job applicants who are Colorado residents; and any individual whose access to, eligibility for, or opportunity in Colorado is evaluated in a consequential decision by a business operating in Colorado.

The Colorado Privacy Act does the opposite, generally excluding individuals acting in a commercial or employment context (subject to its biometric data provisions, which do apply to employee data). SB 26-189 closes that gap for AI-influenced employment decisions more broadly. An employer using a covered ADMT to materially influence a hiring, compensation, promotion, or similar decision about a current or prospective employee will owe the new notices and, after an adverse outcome, a right to correct inaccurate personal data and an opportunity for human review, none of which the Colorado Privacy Act provides to employees outside the biometric context. National employers running centralized recruiting for Colorado-based roles should note that the third category reaches out-of-state applicants evaluated for Colorado opportunities.

Enforcement, Liability, and Contracts

The attorney general retains exclusive enforcement authority. SB 26-189 replaces the 2024 act’s affirmative defenses with a sixty-day cure period: developers and deployers may cure within sixty days of a notice of violation to avoid civil penalties, and a timely cure completed during an enforcement action may still be considered as a mitigating factor in the court’s penalty determination. The attorney general may bypass the cure period for knowing violations or repeat offenders, and may seek injunctive relief regardless of the cure to prevent future violations.

SB 26-189 creates no private right of action. It also expressly preserves existing rights and remedies under state and federal law, including the Colorado Anti-Discrimination Act, the Colorado Consumer Protection Act, product liability law, and other applicable statutes. The use of an ADMT does not excuse any obligation or liability under existing antidiscrimination law; compliance with the new notice-and-disclosure regime is not a shield against claims under Title VII of the Civil Rights Act of 1964, the Colorado Anti-Discrimination Act, or analogous state statutes.

Liability between developers and deployers is several, not joint, with fault allocated based on relative responsibility. That allocation mechanism is a deliberate departure from the 2024 act, which imposed separate duties on each but did not specify how fault would be apportioned between them. (A proposal for joint and several liability did not survive the August 2025 special session.) A developer may face liability for an ADMT that “materially influences” a decision, but only to the extent the deployer used the ADMT in a manner consistent with its intended use, and the attorney general is authorized to issue regulations on the “materially influences” standard.

The provision with the most immediate practical impact is the bar on contractual liability shifting. Any contract term that indemnifies, defends, or holds a developer or deployer harmless against liability for its own antidiscrimination violations involving covered ADMT is declared contrary to public policy and void. Many enterprise AI vendor agreements contain mutual indemnities that are now partially unenforceable in Colorado as applied to these claims. The bill preserves the ability to obtain and recover under applicable insurance.

Sectoral Exemptions, With a Workforce Carve-out

Insurers subject to Colorado’s existing algorithmic discrimination insurance statute, and covered entities and their business associates subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are largely exempt from the operative requirements. The carve-out does not extend to consequential decisions related to employment. Health systems and carriers using AI in hiring or other workforce decisions remain fully subject to the new law. The bill also addresses medical devices regulated by the Food and Drug Administration (FDA) and provides that nothing in the act requires disclosure of nonpublic personal information in violation of the Gramm-Leach-Bliley Act.

What It Means for Employers

Compared to the 2024 act, SB 26-189 should offer employers materially greater clarity. The framework eliminates the impact assessment and risk management program obligations, introduces a fault allocation regime, and requires the attorney general to give a sixty-day cure window in most circumstances. The narrower definitions of “covered ADMT” and “consequential decision” will keep many routine business uses outside the law’s operative reach.

Two caveats matter. First, bias audits are no longer required, but they remain important compliance tools. Discrimination liability under Title VII, the Colorado Anti-Discrimination Act, and analogous state laws exists regardless of whether a tool qualifies as a covered ADMT, and bias-testing evidence is explicitly relevant under California’s recently finalized Fair Employment and Housing Act (FEHA) regulations addressing AI in employment. Litigation involving AI tools in hiring continues to increase whether or not those tools fall within state AI statutes. Second, the indemnification ban means vendor contracts written on the assumption that the developer would absorb discrimination liability are now exposed.

Employers may want to consider taking the following steps before the January 1, 2027, effective date:

• inventorying current AI tools to identify which qualify as “covered ADMT” under the new definitions, with particular attention to hiring, compensation, and other workforce decision tools;
• reviewing AI vendor contracts for indemnification provisions that may be void under the new framework;
• evaluating whether existing human review processes satisfy the five-part “meaningful human review” standard, including override authority and required training;
• assessing post-adverse-disclosure infrastructure, particularly for high-volume hiring processes; and
• continuing or initiating bias auditing given that discrimination liability remains under existing law.

Federal Developments to Watch

Federal preemption pressure on state AI laws has increased over the past six months. President Donald Trump’s December 2025 executive order established a U.S. Department of Justice AI Litigation Task Force, and the White House’s National Policy Framework for Artificial Intelligence urges the U.S. Congress to broadly preempt state AI laws. Whether federal preemption legislation advances will significantly affect the Colorado framework’s longevity and practical reach. The attorney general’s rulemaking process began on May 14, 2026, with rules on post-adverse-outcome disclosures and consumer rights required by January 1, 2027; further rules clarifying the “materially influences” standard are permitted but not required.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Technology Practice Group will continue to monitor developments and will provide updates on the Colorado, Cybersecurity and Privacy, Diversity, Equity, and Inclusion Compliance, Employment Law, and Technology blogs as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts