On May 20, 2026, Colorado Governor Jared Polis signed Senate Bill 26-189, establishing comprehensive requirements for the use of automated decision-making technology (ADMT) in consequential decisions affecting consumers. The new law repeals and replaces the 2024 Colorado AI Act (SB 24-205), which had drawn criticism from business stakeholders for its broad risk-management obligations and impact assessment requirements. SB 26-189 shifts the framework away from that prescriptive approach toward transparency, disclosure and consumer rights. Similar to other AI laws, the Colorado law imposes obligations on both “developers” and “deployers” of covered ADMT systems, including notice requirements, consumer rights, record-keeping mandates and enforcement mechanisms. This alert summarizes the bill’s key provisions and highlights compliance considerations for businesses that develop, sell, license or use ADMT in Colorado.

What Is Covered?

  • Automated Decision-Making Technology. SB 26-189 defines ADMT as technology that processes personal data and uses computation to generate output such as predictions, recommendations, classifications, rankings or scores that are used to make, guide or assist a decision concerning an individual. The law excludes anti-malware, anti-virus, calculators, databases, firewalls, spell-checking, spreadsheets requiring human analysis (that do not use machine learning or LLMs) and other routine technologies. It also excludes tools used solely to summarize, organize, translate, draft, route or present information for human review. Chatbots used for informational purposes are excluded if not contracted or marketed for consequential decisions and subject to an acceptable policy prohibiting such use.
  • Consequential Decisions. A “consequential decision” is one that relates to a consumer’s access to, eligibility for, selection for or compensation in a “covered domain,” or a decision about differentiated pricing or material terms reasonably likely to materially limit or effectively deny a consumer’s access or opportunity in such a domain. Covered domains include education, employment, residential real estate, financial or lending services, insurance, health care and essential government services.

The law carves out low-stakes or routine decisions (scheduling, classroom personalization, customer service triage); advertising, marketing and content moderation; cybersecurity, fraud prevention and AML activities; and economic sanctions compliance.

  • Covered ADMT. A “covered ADMT” is an ADMT used to “materially influence” a consequential decision – meaning the output is a substantial factor that affects the outcome by constraining, ranking, scoring, recommending, classifying or otherwise meaningfully altering how the decision is made. Incidental, trivial or clerical uses are excluded.

Who Is Regulated?

  • Developers. A “developer” does business in Colorado and develops, offers, sells, leases, licenses or otherwise makes commercially available a covered ADMT; develops a component designed for use as part of a covered ADMT; or intentionally and substantially modifies an ADMT such that it becomes a covered ADMT. Exclusions apply for purely internal use, research purposes and unknowing component integration.
  • Deployers. A “deployer” does business in Colorado and deploys a covered ADMT.
  • Consumers. “Consumers” includes employees, job applicants who are Colorado residents, and any individual whose access or eligibility in Colorado is evaluated in a consequential decision by a person doing business in the state.

Developer Obligations

Beginning January 1, 2027, developers must provide deployers with the following information in a reasonably understandable form (protecting trade secrets):

  1. Intended and known harmful or inappropriate uses;
  2. Categories of data used to train the ADMT;
  3. Known limitations, risks and circumstances where the ADMT should not be used;
  4. Instructions for appropriate use, monitoring and meaningful human review; and
  5. Information reasonably necessary for the deployer to meet its own disclosure obligations.

Developers must also notify deployers of material updates, intentional modifications and changes to intended use or risk mitigation within a reasonable time – which may be satisfied through public release notes plus direct notice. Records demonstrating compliance must be retained for at least three years.

Deployer Obligations

  • Pre-Decision Notice. Before using a covered ADMT to materially influence a consequential decision, deployers must give consumers 1) clear and conspicuous notice that ADMT was or will be used, and 2) instructions for obtaining additional information. This can be satisfied by maintaining a prominent, publicly accessible notice at points of consumer interaction.
  • Post-Adverse Outcome Disclosures. If a covered ADMT materially influences a decision resulting in an adverse outcome, the deployer must provide the consumer, within 30 days:
    1. A plain language description of the decision and the ADMT’s role;
    2. A simple process to request additional information (including the ADMT’s name, version, developer and categories of personal data used); and
    3. An explanation of consumer rights and how to exercise them.
  • Record Keeping. Deployers must retain records reasonably necessary to demonstrate compliance for at least three years after the date of a consequential decision.
  • Accessibility. All notices and disclosures must be provided in a manner that is reasonably accessible to consumers with disabilities and/or limited English proficiency.

Consumer Rights

When a consumer experiences an adverse outcome from a consequential decision materially influenced by a covered ADMT, the consumer may request:

  1. Instructions for correcting factually incorrect personal data used in the decision; and
  2. Meaningful human review and reconsideration, to the extent commercially reasonable. “Meaningful human review” requires review by a trained individual who:
    • has authority to approve, modify or override the decision;
    • considers relevant primary evidence;
    • does not default to system output; and
    • has access to sufficient information to understand the output’s intended use, limitations and principal factors.

Enforcement and Penalties

The new law is enforced exclusively by the Colorado Attorney General under the Colorado Consumer Protection Act, and violations constitute deceptive trade practices. The law does not create a private right of action.

Before initiating enforcement, the AG must issue a notice of violation and provide a 60-day cure period, unless the violation was knowing or repeated. A cure effected within 60 days during enforcement may be considered a mitigating factor for penalties. These cure period provisions sunset on January 1, 2030.

Beginning January 2028, the AG must report annually on enforcement actions and cure periods offered.

Liability Framework

Under state anti-discrimination laws (including the Colorado Anti-Discrimination Act), developers and deployers may be liable for unlawful discrimination arising from consequential decisions materially influenced by a covered ADMT. Fault is allocated based on relative responsibility, and the law does not create joint and several liability beyond what existing law permits.

Developer liability is limited to situations where the ADMT was used in a manner intended, documented, marketed or contracted for by the developer. Deployers remain independently liable for their own acts or omissions, including using ADMT in ways the developer did not intend.

Notably, contractual indemnification provisions purporting to hold a developer or deployer harmless for their own discriminatory acts in the use of ADMT are void as against public policy.

Key Exemptions

The law includes several notable exemptions:

  • HIPAA covered entities (outside the employment context);
  • Medical devices under FDA oversight, and pharma/device R&D activities subject to FDA oversight;
  • Creditors complying with the Equal Credit Opportunity Act (ECOA), Regulation B and, where applicable, the Fair Credit Reporting Act (FCRA) for credit-related decisions; and
  • Education deployers subject to the Family Educational Rights and Privacy Act (FERPA), which may satisfy notice and consumer rights requirements through existing FERPA-compliant processes.

Attorney General Rulemaking

Under the new law, the Colorado AG is directed to adopt rules clarifying post-adverse outcome disclosure requirements (including sector-specific guidance and interaction with other laws) and the definition of “materially influence” (including presumptions and illustrative examples). The rulemaking process must include public notice, written comment and at least one public hearing.

Key Takeaways for Businesses

SB 26-189 is a significant development for any business that develops, sells or uses AI-powered tools in decisions affecting Colorado consumers across education, employment, housing, finance, insurance, health care and government services. Companies should begin preparing now for the January 1, 2027, effective date. Recommended actions include:

  • Inventory ADMT systems. Identify all automated decision-making tools in use or under development that could materially influence consequential decisions in covered domains.
  • Assess developer and deployer status. Determine whether your organization qualifies as a developer, a deployer or both under the law, as the obligations differ for each role.
  • Develop disclosure and notice documents. Build compliant pre-decision and post-adverse outcome notice processes, including plain language descriptions, consumer rights explanations and accessible formats.
  • Establish meaningful human review processes. Ensure that individuals are designated and trained to conduct meaningful human review, with authority to override ADMT-driven decisions.
  • Review vendor contracts. Evaluate existing ADMT vendor agreements for indemnification provisions that may be void under the new law, and confirm contracts address developer documentation and update-notification obligations.
  • Implement record-keeping protocols. Establish retention policies covering at least three years of compliance records.
  • Monitor AG rulemaking. Watch for forthcoming rules providing additional guidance on disclosure content, the definition of “materially influence” and sector-specific requirements.

For help determining how SB 26-189 obligations may impact your business, please contact Chiara Portner or your regular Lathrop GPM attorney.