Ogletree Deakins Ogletree Deakins
Home > Insights & Resources > Blog Posts > Multistage Notices Under Colorado’s Revamped AI Act

Multistage Notices Under Colorado’s Revamped AI Act

By Jennifer G. Betts, Simone R.D. Francis, Danielle Ochs, and Zachary V. Zagger
Download PDFPrintShare

Colorado lawmakers have completed their hotly anticipated rewriting of the state’s landmark artificial intelligence (AI) law. While the new law shifts compliance from a risk-based to a transparency-based approach, it maintains significant notice-and-disclosure obligations for employers (referred to as “deployers” in the law), requiring them to disclose to employees and job applicants when an AI tool was used to make an adverse employment decision.

State Flag of Colorado

Quick Hits

  • SB 26-189, Colorado’s new law “concerning the use of automated decision-making technology in consequential decisions,” mandates that employers disclose the use of “automated decision-making technology” (ADMT) when making adverse employment decisions.
  • The law replaces the original Colorado Artificial Intelligence Act with a focus on specific notice and recordkeeping obligations for employers starting January 1, 2027.
  • Employers must provide a clear pre-use notice of ADMT’s application and provide a disclosure to employees or job applicants following an adverse outcome.

On May 14, 2026, Governor Jared Polis signed Senate Bill (SB) 26-189 into law, days after the state legislature passed it on May 9, 2026. The law repeals and reenacts provisions of the “Colorado Artificial Intelligence Act” (SB 24-205), which was enacted in May 2024 and was set to take effect on June 30, 2026, after having its initial effective date delayed.

SB 26-189 regulates employers’ use of ADMT in employment-related decisions, starting January 1, 2027, with specific notice, recordkeeping, and obligations with respect to employee/applicant rights when the technology materially influences an adverse employment outcome. Notably, the law directs Colorado’s attorney general to adopt rules on or before January 1, 2027, to clarify and implement the law’s requirements.

SB 26-189’s Multistage Notice Framework

The most significant aspect of the new law for employers is likely to be its two-step notice framework. Effective January 2027, employers using covered technology within the scope of the law must provide staged notices and potentially reconsider certain decisions.

  • Stage 1 (Before the Decision), Pre-Use Notice

Before using a covered ADMT to materially influence a “consequential decision”—such as a hiring or promotion decision about an employee or job applicant or a decision that will affect an employee’s compensation—an employer-deployer must “provide a clear and conspicuous notice” that the employer will use a covered ADMT affecting a “consumer” (i.e., an employee or job applicant). In addition, employers must also provide “instructions and a simple-to-follow process to request additional information” about the covered ADMT and the “types, categories, and sources of personal data used” to the extent employers receive the information from ADMT developers.

Employers may comply with the notice obligation by “maintaining a prominent public notice” that is reasonably accessible to employees and applicants close to the interaction in which a consequential decision may be made. Rulemaking from the Colorado attorney general may help clarify this compliance pathway by answering questions such as where the notice needs to appear—for example, whether a career page is sufficient or whether it would also be necessary to post the notice on an intranet to capture internal applicants for lateral roles or promotions.

  • Stage 2 (After Adverse Outcome), Post-Use Notice

Within thirty days after making a consequential decision, employers must deliver an additional individualized disclosure to those for whom the ADMT resulted in an adverse outcome. Such “adverse outcome[s]” include a non-selection for an employment opportunity, an employment termination/discharge, or any other decision that “materially reduces or restricts” an employee’s compensation or selection for promotion or other opportunity. In other words, adverse outcome notices are required for more situations than when an employer makes hiring or termination decisions.

As written, the law also covers demotions, pay cuts, pay increases, bonus determinations, and possibly performance improvement plans that could result in terminations of employment or other unfavorable outcomes. The notice obligation appears to be triggered by the date that the decision is made, but it is possible that future regulations could clarify that the obligation is triggered when the decision is communicated to an applicant or employee.

The post–adverse-outcome disclosure must contain three specific elements: (1) a plain language description of the consequential decision and the role the covered ADMT played in it; (2) instructions for requesting additional information about the ADMT, including the tool’s name, version number if applicable, the developer’s identity, and the types, categories, and sources of personal data used (to the extent the employer received this information from the ADMT developer); and (3) an explanation of the employee’s or applicant’s rights under the law and how to exercise them. The criteria for the “plain language description” of the ADMT’s role is likely to be a primary focus of the Colorado attorney general’s rulemaking, as the statute directs the attorney general to adopt standards for describing the ADMT’s role in a manner “reasonably understandable to a consumer.”

Employee Rights Following an Adverse Outcome

Among the rights that must be explained in the post–adverse-outcome notice is that employees and applicants may also request (1) instructions for accessing and correcting factually incorrect or materially inaccurate personal data used in the decision, and (2) “meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable.”

Hopefully, guidance from the Colorado attorney general will explain what “commercially reasonable” means, as employers have many unanswered questions about the new law. For example, in circumstances where employers have high-volume hiring needs in the state with hundreds or thousands of rejected applicants, would it be commercially reasonable to implement reconsideration of each and every consequential decision? What about, by contrast, fifteen applicants screened out by a resume-sorting tool—is individualized human review commercially reasonable there? What if employers discipline some employees using a productivity-monitoring algorithm, while others are disciplined using non-automated tools? Can differential levels of review be justified as commercially reasonable?

Next Steps

The enactment of SB 26-189 is a significant development for Colorado’s regulation of employers’ use of AI to make employment decisions and reflects the broader approach of state laws, which are coalescing around transparency obligations. Still, more clarification on post–adverse-outcome disclosure obligations, consumer rights, and responses to requests for human review of ADMT-aided employment decisions is warranted and expected through rulemaking by the attorney general. Employers may wish to monitor these developments and begin evaluating how to modify internal processes to satisfy the notice obligations imposed by SB 26-189.

Further, questions remain about state regulation of AI use, as the Trump administration is pushing to establish federal preemption of state and local AI laws, including through an executive order issued in December 2025.

Ogletree Deakins’ Technology Practice Group will continue to monitor developments and will provide updates on the Colorado, Cybersecurity and Privacy, and Technology blogs as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Authors

Jennifer G. Betts Profile Image
Jennifer G. Betts
Office Managing Shareholder, Pittsburgh
Simone R.D. Francis Profile Image
Simone R.D. Francis
Office Managing Shareholder, St. Thomas; Shareholder, New York
Danielle Ochs Profile Image
Danielle Ochs
Shareholder, San Francisco
Zachary V. Zagger Profile Image
Zachary V. Zagger
Senior Marketing Counsel, New York

Topics

Colorado , Cybersecurity and Privacy , Diversity, Equity, and Inclusion Compliance , State Developments , Technology

Browse More Insights

Podcasts Seminars Webinars
Fingerprint Biometric Authentication Button. Digital Security Concept
Practice Group

Technology

Ogletree Deakins is uniquely situated to provide tech employers and users (the “TECHPLACE™”) with labor and employment advice, compliance counseling, and litigation services that embrace innovation and mitigate legal risk. Through our Technology Practice Group, we support clients in the exploration, invention, and/or implementation of new and evolving technologies to navigate the unique and emerging labor and employment issues present in the workplace.

Learn more
Digital generated image of multi racial group of people forming circle on world map on blue background. Solidarity and support concept.
Practice Group

Diversity, Equity, and Inclusion Compliance

Our attorneys are ready to assist with the full spectrum of workplace DEI-related issues. The members of Ogletree Deakins’ Diversity, Equity, and Inclusion Compliance Practice Group have extensive and unique experience assisting employers.

Learn more
Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly, transmits easily, and—increasingly—is processed by artificial intelligence (AI) systems that introduce new dimensions of legal risk. 

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now