Key point: The Colorado legislature passed a bill to replace Colorado’s existing artificial intelligence (AI) law with a more business-friendly regulatory regime focused on disclosures and limited consumer rights but, in doing so, added to the growing complexity of state AI regulation.

On May 12, the Colorado legislature passed SB 189, which repeals and replaces the Colorado AI Act. The bill will next head to Colorado Governor Jared Polis, who is expected to sign it, having been a driving force in the drafting of the bill.

SB 189 removes many of the hallmarks of the Colorado AI Act — such as a duty of care, risk management programs, and impact assessments — in favor of a disclosure-based framework with limited rights in narrow circumstances. That said, the bill’s January 1, 2027, effective date means that it will go into effect — the legislature will not reconvene until January 11, 2027 — thereby ending the uncertainty as to whether a Colorado AI law will go into effect.

The bill is complex, with many intertwined definitions and numerous exceptions. The article below provides an overview of the bill, digging into its many nuances. In addition, on May 18 from 12-1 p.m. ET, David Stauss will be hosting a webinar analyzing the bill.

Although the bill removes and narrows obligations under the existing law, Colorado still will have the most far-reaching legislatively enacted deployer/private sector AI law of any state. Further, the bill’s passage only adds to an increasingly complex state regulatory regime for businesses to navigate when deploying AI systems, including the California Consumer Privacy Act’s risk assessment and automated decision-making technology (ADMT) regulations and, in the employment context, laws in Illinois, New York City, and, soon, Connecticut.

History and Background

The Colorado AI Act (SB 205) became law in May 2024 and was originally set to go into effect February 1, 2026. This first-in-the-nation law created obligations for developers and deployers of high-risk AI systems, which were AI systems that, when deployed, make, or are a substantial factor in making, a consequential decision. The law defined consequential decisions to include activities such as financial or lending services, health care services, housing, and employment. Developers and deployers were subject to a duty to use reasonable care to protect consumers from any known or reasonably foreseeable risk of algorithmic discrimination.

The law then created a rebuttable presumption that developers and deployers were using reasonable care if they engaged in certain activities. For example, developers would need to make certain information available to deployers using their AI systems about how the systems were trained and operated. In turn, deployers would need to have a risk management program, complete impact assessments for high-risk activities, notify consumers of the use of high-risk AI, provide consumers with a right to appeal adverse decisions, and make certain website disclosures. The law also contained a duty to disclose to consumers if they were interacting with an AI system unless it would be obvious to a reasonable person. Finally, the law placed requirements on developers and deployers to notify the Colorado attorney general if they learned that their high-risk AI systems had caused algorithmic discrimination.

Immediately after the bill was signed into law, it came under attack from advocates stating that it would stifle AI innovation. The legislature considered bills to amend the law during the following legislative session and a later special session, ultimately agreeing to extend the effective date of the law until June 30, 2026.

In March 2026, Polis announced that a workgroup he convened had agreed on a policy framework to replace the Colorado AI Act. On May 1, a group of lawmakers led by Colorado Senate Majority Leader Robert Rodriguez (an original sponsor of the law) introduced the workgroup framework as SB 189. The most notable change from the workgroup bill to the introduced bill was the sunsetting of the right to cure — a change Rodriguez insisted on.

SB 189 passed by a bipartisan 34-1 vote out of the Colorado Senate and a bipartisan 57-6 vote out of the House. The Senate concurred in technical amendments made in the House on May 12, thereby passing the bill.

Context

Before analyzing SB 189, it is worth noting that, although the bill removes many of the Colorado AI Act’s obligations in favor of a more business-friendly regulatory regime, it is joining a far more complex state regulatory regime than existed when the Colorado AI Act became law. Since the Colorado AI Act became law in 2024, the California Privacy Protection Agency finalized its ADMT and risk assessment regulations; Illinois passed a bill to amend the state’s Human Rights Act relating to the use of AI in employment and another bill to regulate the use of AI in health care; California, Utah, and Washington passed provenance bills; Texas passed its Responsible AI Governance Act (TRAIGA); Connecticut passed a bill, soon to become law, concerning the use of AI in employment; and over a dozen states (and counting) passed laws regulating consumer interaction with AI. This does not include many more AI bills in other areas such as health care. Ultimately, SB 189 only adds to the increasingly complex state regulatory landscape for AI.

Overview of New Law

SB 189 repeals and replaces the existing Colorado AI Act with a framework that is significantly more business-friendly. SB 189 does not contain any reference to algorithmic discrimination, duties of care, risk management programs, impact assessments, attorney general notices, or disclosures to consumers if they are interacting with nonobvious AI systems. As with the prior law, SB 189 again divides obligations between developers and deployers, but those obligations are far less onerous than under the prior law and are primarily centered on notice and, if an adverse decision occurs, limited rights to access and correct personal data and a right to obtain a human review.

Relevant Definitions and Applicability

Developers and Deployers

As with the Colorado AI Act, SB 189 generally applies to all businesses operating in Colorado that engage in the covered activities. That said, the law contains numerous exceptions and qualifications that businesses will need to explore.

SB 189 defines “developer” as a person doing business in Colorado that: (a) develops, offers, sells, leases, licenses, or otherwise makes commercially available a covered ADMT; (b) develops a component that is designed, marketed, intended, documented, advertised, configured, or contracted to be used as part of a covered ADMT; or (c) intentionally and substantially modifies an ADMT such that it becomes a covered ADMT. SB 189 excludes persons that develop and use an ADMT for research purposes where the ADMT is not used in consequential decisions or for internal purposes.

A “deployer” is defined as a person doing business in Colorado that deploys a covered ADMT.

The use of the word “person” in the definitions is intentional. As with the prior law, SB 189 will be chaptered as part of Colorado’s consumer protection law, which defines “person” in C.R.S. § 6-1-102(6) to be “an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.”

Covered ADMT

The phrase “covered ADMT” is perhaps the most important in SB 189, as its definition and the definitions of the terms used within it form a Russian nesting doll of complexity, with each layer revealing another level of nuance and qualifications.

SB 189 defines “covered ADMT” to mean “automated decision-making technology that is used to materially influence a consequential decision.” Each of the terms used in that definition — ADMT, materially influence, and consequential decision — has its own definition, and the definition of consequential decision uses two terms — consumer and covered domain — that are further defined.

Automated Decision-Making Technology

SB 189 defines automated decision-making technology or ADMT broadly as “a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgement, or determination concerning an individual.” However, the definition excludes many activities such as anti-malware, calculators, networking, anti-virus, data storage, and spell-checking, among others.

The definition also excludes tools used by individuals solely to summarize, organize, translate, draft, route, or present information for human review or administrative processing. SB 189 does not define “human review” but does define “meaningful human review” as discussed later.

Further, SB 189 contains a chat feature exemption. Specifically, it excludes technology that communicates with consumers in natural language or other means readily understood by an average consumer for the purpose of providing consumers with information, making referrals or recommendations, answering questions, or generating other content, if the technology is not contracted, advertised, marketed, configured, or intended by a person to be used in a consequential decision and the technology is subject to an acceptable use policy that prohibits generated content from being used in a consequential decision.

Materially Influence

If the subject technology qualifies as ADMT, it next must materially influence a consequential decision.

SB 189 defines “materially influence” to mean “an ADMT output is a non-de minimis factor that is used in making a consequential decision” and “an ADMT output affects the outcome of a consequential decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how a consequential decision is made. It does not include incidental, trivial or clerical uses.”

SB 189’s definition is vague — perhaps intentionally so. It does not define what a “non-de minimis factor” is or what it means to “affect” the outcome of a consequential decision. To that end, SB 189 grants the attorney general permissive (not mandatory) rulemaking authority to “clarify the application of the definition of ‘materially influence,’ . . . including presumptions, illustrative examples, and objective indicators.”

Consequential Decision

The final piece of the analysis is the definition of consequential decision, which requires examination of two other definitions — consumer and covered domain.

Consequential decision is defined as a decision, determination, or action made about a consumer that relates to the provision of or a consumer’s access to, eligibility for, selection for, or compensation for a covered domain or a decision, determination, or action about a consumer that relates to a differentiated price, cost sharing, compensation, or other material terms in a manner that is reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter the consumer’s access, eligibility, or opportunity for a covered domain.

The definition of consequential decision includes nine exemptions. These exemptions will require close attention from companies but, at a high level, they are (1) low-stakes or routine uses; (2) advertising and content tools; (3) basic spreadsheets; (4) tools that just summarize or organize information; (5) narrow procedural or data-processing tasks; (6) security activities such as cybersecurity, spam filtering and anti-money laundering controls; (7) activities relating to technology used for the Bank Secrecy Act, USA Patriot Act, Federal Trade Commission’s (FTC) Red Flags Rule and certain sanctions programs; (8) fraud prevention; and (9) routine academic administration and student support processes that do not materially influence consequential decisions.

Further, as discussed below, even if the activity falls into a covered domain, there are exceptions for regulated entities that will need to be taken into account.

Consumer

As noted, consequential decisions must be made about consumers. Rather than just define that term, SB 189 confusingly defines it first by reference to one part of the Colorado Privacy Act’s definition — C.R.S. § 6-1-1303(6)(a) — which states that a consumer is a “Colorado resident acting only in an individual or household context.” (Emphasis added.) However, SB 189 then states that a consumer includes an employee, a job applicant who is a Colorado resident, and any individual whose access to, eligibility for, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado.

The ultimate intent of this provision is apparently to cover individuals who are physically present in Colorado and individuals outside Colorado who are interacting with persons doing business in Colorado. SB 189 also defines “employee” by reference to C.R.S. § 8-4-101(5) (“any person, including a migratory laborer, performing labor or services for the benefit of an employer.”).

Covered Domains

SB 189 identifies seven covered domains: (1) an education enrollment or an education opportunity; (2) employment or an employment opportunity that creates or may create an employer-employee relationship; (3) the lease or purchase of residential real estate in Colorado; (4) a financial or lending service; (5) insurance, including underwriting, pricing, coverage, claims adjudication, or other determinations that materially affect access to benefits; (6) health care services; and (7) essential government services and public benefits, including eligibility and renewal determinations.

The definition of covered domains does not include legal services, which were in the Colorado AI Act.

Developer Obligations

Developers’ sole responsibility under SB 189 is to provide information to deployers. Specifically, when a developer creates a covered ADMT that is intended, documented, marketed, advertised, configured, or contracted to be used to make consequential decisions or if a developer becomes aware that the covered ADMT is being used to make consequential decisions consistent with the intended and contracted uses, it must provide deployers with the following:

  • A general statement describing the intended uses and known harmful or inappropriate uses of the covered ADMT;
  • A description of the categories of data, including personal data (as defined in the Colorado Privacy Act), used to train the covered ADMT, to the extent known;
  • Known limitations of the covered ADMT, including known risks and circumstances in which the covered ADMT should not be used;
  • Instructions for the deployer’s appropriate use, monitoring, and meaningful human review, where applicable; and
  • Information reasonably necessary for the deployer to comply with its obligations under the law.

Developers can provide this information through public release notes if they provide direct notice of the public release notes to each deployer of the covered ADMT. They also must update the information for material changes. Developers must retain these records for at least three years. Developers do not need to produce trade secret information when making these disclosures.

Deployer Obligations

Deployers have significantly more obligations than developers, although far fewer obligations than they had under the Colorado AI Act. In general, SB 189 requires deployers to keep certain records, provide a consumer notice and post-adverse outcome disclosure, and provide consumers experiencing an adverse outcome with limited rights to access, correction, and meaningful human review. Each of these is discussed below.

Record Keeping

SB 189 creates a three-year record retention requirement for deployers to keep records necessary to show compliance with its provisions. The time period runs from the date of the consequential decision.

Consumer Disclosures

SB 189 creates two consumer disclosure obligations — a pre-use notice and a post-adverse outcome disclosure.

Pre-Use Notice

The pre-use notice is required prior to deployers using a covered ADMT to materially influence a consequential decision. The notice must:

  • Be “clear and conspicuous;”
  • State that the deployer used or will use a covered ADMT in making a consequential decision; and
  • Provide instructions for how consumers can obtain “additional information” required by SB 189.

SB 189 does not define what constitutes a “clear and conspicuous” notice; however, the bill goes on to state that a deployer can comply by providing a point-of-interaction notice. Specifically, it states that a deployer can comply by “maintaining a prominent public notice that is reasonably accessible at points of consumer interaction, including through a link or posting that is reasonably proximate to the interaction or transaction in which a consequential decision may occur.”

Post-Adverse Outcome Notice

If a deployer uses a covered ADMT to materially influence a consequential decision that results in an adverse outcome for a consumer, then the deployer must provide the consumer with a post-adverse outcome notice within 30 days of making the decision.

SB 189 defines “adverse outcome” to mean either “(a) a decision that denies, terminates, revokes, or materially reduces or restricts a consumer’s access to, eligibility for, selection for, compensation for, or the provision of an opportunity or service; or (b) a decision that results in materially less favorable differentiated price, cost, compensation, or other material terms that are reasonably likely to materially limit, delay, or effectively deny, or otherwise fundamentally alter, a consumer’s access to, eligibility for, selection for, compensation for, or the provision of an opportunity or service compared to terms offered to similarly situated consumers. If a decision outcome imposes materially less favorable differentiated pricing or terms, the decision outcome materially influences price, cost sharing, compensation, or material terms.”

A post-adverse outcome notice must state three things:

  • A plain language description of the consequential decision and the role the covered ADMT played in the consequential decision;
  • Instructions and a simple-to-follow process to request additional information about the covered ADMT and the inputs, including the name of the covered ADMT, the covered ADMT version number, if applicable, the covered ADMT developer, and the types, categories, and sources of personal data used, to the extent the deployer receives the necessary information from the developer in compliance with the developer’s obligations discussed above; and
  • An explanation of the consumer rights described below and how to exercise them.

SB 189 does not further define the contours of the post-adverse outcome notice and instead states that the notice may “vary across consequential decision domains.” Accordingly, the attorney general is required to adopt rules prior to January 1, 2027 (the effective date), for the post-adverse outcome notice requirements.

SB 189 also takes into account that businesses may already be providing post-adverse notices to comply with the Equal Credit Opportunity Act and Fair Credit Reporting Act. Such entities are not required to provide duplicative notices so long as the notice covers the information required by SB 189.

Businesses also are not required to provide post-adverse outcome notices if doing so would be prohibited by federal law or would compromise the confidentiality or integrity of cybersecurity, fraud prevention, anti-money laundering, counter-terrorist financing, or economic sanctions compliance programs required by law.

Finally, SB 189 provides specific rules for Family Educational Rights and Privacy Act (FERPA)-regulated entities to provide notices.

Consumer Rights

If a consumer experiences an adverse outcome, the consumer may request and the deployer must provide (a) “instructions for requesting personal data and correcting factually incorrect or materially inaccurate personal data used in a consequential decision that used a covered ADMT consistent with section 6-1-1306” of the Colorado Privacy Act (CPA) and (b) “an opportunity for meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable.” Each of these is discussed below. It also should be noted that the attorney general is charged with adopting rules prior to January 1, 2027, to clarify and implement this section.

Rights to Access and Correct

Although SB 189 provides for the rights to access and correct, these rights will only apply in limited circumstances such that businesses will need to closely review SB 189’s language to determine if they need to provide these rights. As noted, SB 189 specifically refers to the rights as they exist in section 6-1-1306 of the CPA. However, the CPA exempts many of the entities and data that are used in consequential decisions. For example, Gramm-Leach-Bliley Act (GLBA)-regulated financial institutions have an entity level exemption in the CPA. By incorporating the CPA into SB 189, that exemption carries over to SB 189’s rights to access and correct even though GLBA does not provide consumers with those rights. This is not accidental. The working group linked the rights to the CPA knowing that they would not exist in many circumstances.

That said, SB 189 does carve out a few of the CPA’s exceptions, stating that “the exceptions to the definition of ‘consumer’ in section 6-1-1303 (6)(b) [of the CPA] and the exceptions in section 6-1-1304 (2)(k), (2)(n), and (2)(o) [of the CPA] do not apply to the right to request correction of factually incorrect or materially inaccurate personal data.” (Emphasis added.) However, as the italicized text indicates, the carveouts are limited to the right to correct. All of those exceptions still apply to the right to access. In that respect, for these limited carveouts, it is unclear how consumers will be in a position to correct personal data when SB 189 does not give them the right to access the personal data to see if it is incorrect.

Nonetheless, the limited carveouts from the CPA’s exemptions are:

  • 6-1-1303(6)(b) – Stating that the definition of consumer “Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”
  • 6-1-1304(2)(k) – Stating that the CPA does not apply to “Data maintained for employment records purposes.”
  • 6-1-1304(2)(n) – Stating that the CPA does not apply to “Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law.”
  • 6-1-1304(2)(o) – Stating that the CPA does not apply to “Data maintained by a state institution of higher education, as defined in section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes.”

Further, SB 189 provides that the rights do not require correction of opinions, predictions, scores, or protected evaluations. SB 189 also contains special rules for FERPA-regulated entities.

Again, the takeaway is that the rights to access and correct are narrow and businesses will need to closely scrutinize whether they need to provide those rights in their particular use cases.

Opportunity for Meaningful Human Review

As noted, consumers that experience an adverse outcome must be provided with an opportunity for meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable. SB 189 defines “meaningful human review” as:

An individual designated by the deployer who has authority to approve, modify, or override a consequential decision and who: (a) considers relevant, available primary evidence; (b) is trained to conduct the review; (c) does not default to the system output; and (d) has access to sufficient information to understand: (i) the output’s: (a) intended use; (b) material limitations; and (c) categories of inputs; and (ii) the principal factors used to generate the output, without requiring disclosure of proprietary source code, model weights, or other trade secrets.

Enforcement

The Colorado attorney general has sole enforcement authority through the Colorado Consumer Protection Act. Prior to enforcing violations, the attorney general is required to provide a notice of violation “if a cure is deemed possible by the attorney general.” Developers and deployers will have 60 days to cure violations. However, the right to cure does not exist where violations are knowing or repeated. Starting in January 2028, the attorney general must provide an annual report on its enforcement actions and cure periods offered. The right to cure sunsets January 1, 2030.

The law specifically states — twice — that it does not create a private right of action.

Liability

One of the areas in which consumer advocates believed they had benefited consumers was SB 189’s liability provisions. Specifically, the bill states that a “developer or deployer may be held liable in an action alleging unlawful discrimination under state anti-discrimination laws, including the [Colorado Anti-Discrimination Act], arising from a consequential decision materially influenced by a covered ADMT.” In such an action, fault is to be allocated based on relative fault, and the bill does not create joint and several liability. A developer’s liability is also limited to instances such as the deployer using a covered ADMT for its intended purpose.

This section also makes certain defense/indemnity provisions void. Specifically, the bill states:

Notwithstanding any other provision of law, if a provision of a contract for the use of automated decision-making technology in making a consequential decision or any other contract between a developer and deployer purports to indemnify, defend, or hold harmless or has the effect of indemnifying, defending, or holding harmless the indemnitee from or against any liability for damages pursuant to this section resulting from the developer’s or deployer’s own acts or omissions related to the use of automated decision-making technology in making consequential decisions in violation of the [Colorado Anti-discrimination Act], or other Colorado anti-discrimination law, the provision is contrary to public policy and void.

This limitation does not apply to developers where, for example, the deployer’s use of covered ADMT was not an intended use.

Exemptions for Insurers, Covered Entities, Medical Devices, and GLBA Data

Insurers and Health Insurance Portability and Accountability Act (HIPAA)-covered entities are granted special exemptions under SB 189. Entities that fit into those regulated areas will need to closely scrutinize those exemptions to identify what, if any, obligations they have under the bill. Medical devices subject to U.S. Food and Drug Administration (FDA) oversight also are subject to special rules. Finally, the bill states that it “does not require a person to disclose nonpublic personal information in a manner that would violate” the GLBA.

Rulemaking

The attorney general is granted general permissive rulemaking authority in addition to the rulemaking authority discussed above.

Effective Date

The bill goes into effect January 1, 2027, and applies to consequential decisions made on or after that date. The rulemaking provisions are effective upon passage.