Colorado AI Act Repealed and Replaced by Narrower Statute Focused on Transparency Requirements and Enhanced Consumer Rights

On May 14, 2026, Colorado Governor Jared Polis signed legislation to repeal and replace the Colorado AI Act (CAIA). The new law, SB26-189 (SB 189), replaces the CAIA's regulation of "high-risk" artificial intelligence systems with a new framework governing the use of "automated decision making technology" (ADMT) to make "consequential decisions" about consumers. The new framework mandates specific transparency, documentation, and consumer rights when automated tools "materially influence" consequential decisions. SB 189 will take effect January 1, 2027, unless delayed by x.AI's pending legal challenge, and will apply to consequential decisions made on or after that date.

Background

Colorado was the first state in the country to pass a comprehensive artificial intelligence (AI) statute, SB24-205, the CAIA, nearly two years ago. The CAIA was intended to prevent algorithmic discrimination by mandating broad-based notice, disclosure, risk mitigation, and opt-out requirements for developers and deployers of "high-risk" AI systems. Following its passage, however, the measure was criticized for being overly complex and burdensome. At the time of signing the CAIA, Governor Polis noted that because the measure created a "complex compliance regime" for AI developers and deployers operating in Colorado, the statute should be amended to reduce those burdens. Indeed, shortly after passage, Governor Polis formed a working group to propose revisions to the CAIA, which culminated in the Colorado Legislature's adoption of SB26-189. The new law passed both houses of the legislature with an overwhelming majority and was signed into law by Governor Polis on May 14.

The impetus to revise the CAIA also came from extensive pushback by industry and recent litigation initiated in federal court by x.AI, which sought an injunction against enforcement of the CAIA. In response to x.AI's suit, the Colorado attorney general announced that his office would temporarily delay enforcement of the CAIA in a joint motion filed with x.AI. The federal district court considering the challenge, accepted the motion and ordered that the attorney general "not initiate enforcement, including but not limited to the initiation of an investigation, for alleged violations of SB24-205 (or any legislation replacing or amending SB24-205 enacted during this legislative session) that occurred or may occur on or before 14 days after the date the Court issues a ruling on x.AI's forthcoming motion for a preliminary injunction in this case."

While the new law dramatically narrows the scope of new duties on covered entities, the litigation may continue because x.AI has signaled its intent to file a new motion for preliminary injunction. SB 189 will take effect on January 1, 2027, unless the district court grants x.AI's new motion for preliminary injunction, which must be filed "within 28 days after … any legislation that may replace or amend" the CAIA, or no later than June 11.

Key Takeaways

• Scope of the new AI law is significantly narrower than its predecessor. The new law regulates the use of ADMT that "materially influence" consequential decisions, while excluding routine technologies and low-stakes use cases from scope.
• Burdensome risk management and governance obligations were removed. The measure abandons the CAIA's extensive risk‑management and impact‑assessment requirements and replaces those with new obligations to notify consumers when ADMT is used to make consequential decisions and to provide explanations following adverse outcomes.
• Enhanced consumer transparency and notice rights were created. Individuals may request correction of inaccurate data and meaningful human review and reconsideration of certain automated decisions.
• Enforcement by attorney general only. The Colorado attorney general will enforce violations pursuant to authority under the Colorado Consumer Protection Act, subject to a 60‑day cure period if a cure is deemed possible.

SB 189 Shifts Away From Burdensome Requirements Regulating "High‑Risk AI Systems" to Requiring Transparency When Using Automated Processing to Make "Consequential Decisions"

The most significant structural difference between SB 189 and the CAIA is the replacement of duties of care, risk assessments, and notices to the attorney general related to "high‑risk AI systems" with a regime that mandates notices regarding the use of ADMT to "materially influence a consequential decision" (Covered ADMT) and limited rights for consumers related to Covered ADMT with respect to decisions that result in adverse outcomes.

The new law applies to any entity doing business in Colorado that is either a "developer" or a "deployer" of Covered ADMT.

Key Definitions

SB 189's intersecting definitions play a critical role in understanding the scope of obligations and rights in the statute.

ADMT

ADMT means a technology that processes personal data and uses computation to generate output, including predictions, recommendations, rankings, and other information used to make, guide, or assist in decisions or determinations concerning an individual. It does not include a broad range of automated systems or technologies that do not have machine learning capabilities inherent in AI systems. ADMT, for instance, does not include antivirus software, spreadsheets, or tools used to summarize or translate. Technologies excluded from the ADMT framework also include routine infrastructure tools (e.g., antivirus, databases, firewalls), basic productivity tools (e.g., calculators, spell-checkers, non-ML spreadsheets), administrative tools used only to summarize or organize information for human review, and natural language systems used solely to provide information or generate nondecisional content.

Consumer

Although SB 189 refers to the Colorado Privacy Act (CPA) to define "consumer," it makes clear that the scope of the term is broader under SB 189. Specifically, it expands the definition to include not just Colorado residents acting in a personal or household capacity, but also an employee or job applicant who is a Colorado resident and an individual who is not necessarily a Colorado resident but whose access to, eligibility for, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado.

Developer

A "developer" is any person doing business in Colorado who: (1) develops, offers, sells, leases, licenses, or otherwise makes commercially available a Covered ADMT; (2) develops a component that is designed, marketed, intended, documented, advertised, configured, or contracted to be used as part of a Covered ADMT; or (3) intentionally and substantially modifies an ADMT such that it becomes a Covered ADMT. A developer "intentionally and substantially modifies" an ADMT when it makes a deliberate change that results in a material change to the system's intended, documented, advertised, configured, or contracted use. SB 189 expressly excludes certain persons who develop and use an ADMT solely for research purposes that do not involve "consequential decisions" or for certain internal purposes where the system is not made available to another person for use in "consequential decisions," as well as other developers who develop and market ADMT or components of ADMT that are later used for or integrated into Covered ADMT without the actual knowledge of the developer.

Deployer

A "deployer" is any person doing business in Colorado that deploys a Covered ADMT.

Consequential Decision

The definition of "consequential decision" is quite broad and includes a decision, determination, or action about a consumer that relates to the provision of—or a consumer's access to or eligibility, selection, or compensation for—one of the following: education enrollment or opportunity, employment or employment opportunity, financial or lending service, insurance, healthcare services, or essential government services and public benefits (covered domains). It also includes such decisions that relate to differentiated prices, compensation, or other material terms that are reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter a consumer's access to or eligibility or opportunity for one of the covered domains.

Materially Influence

An ADMT output materially influences a consequential decision if it is a non-de minimis factor used in making a consequential decision and affects the outcome of the consequential decision, such as by ranking or otherwise meaningfully altering how a consequential decision is made. It does not include incidental, trivial, or clerical uses of ADMT. SB 189 gives the Colorado attorney general discretionary authority to further define this term through rulemaking.

Relaxed Developer and Deployer Obligations

Developer Obligations

On or after January 1, 2027, developers of Covered ADMT must provide deployers with technical documentation, in a form and manner that is reasonably understandable, that describes:

• Intended and known inappropriate/harmful uses of the Covered ADMT;
• Categories of training data used in the Covered ADMT, to the extent known;
• Known limitations, risks, and uses to be avoided;
• Instructions for deployers' appropriate use, monitoring, and meaningful human review, where applicable; and
• Information reasonably necessary for deployers to meet their disclosure obligations.

Developers must also notify deployers within a reasonable time of material updates or substantial modifications that may affect system performance or intended use.

Deployer Obligations

Deployers must provide clear and conspicuous pre-use notice when using Covered ADMT (i.e., ADMT to materially influence a consequential decision affecting a consumer). Deployers can satisfy this obligation in a flexible manner through prominent public notices available at consumer interaction points, including through links associated with the relevant transaction or process. The pre-use notice must explain that the deployer used or will use a Covered ADMT in making a consequential decision affecting the consumer and provide instructions regarding how the consumer can obtain certain information and meaningful human review and reconsideration, to the extent commercially reasonable, in the event of an "adverse outcome" defined below.

If Covered ADMT is used to materially influence a consequential decision that results in an adverse outcome, deployers must provide additional information in the form of an adverse-outcome notice within 30 days, including:

• An explanation of the decision and the role of the ADMT in the decision;
• Instructions for requesting additional information about the system and data inputs; and
• An explanation of available consumer rights and how to exercise them.

Both developers and deployers must retain compliance records for at least three years. All pre-use and adverse-outcome notices must be accessible to people with disabilities and consumers with limited English proficiency.

SB 189 provides carve-outs for certain creditors that use Covered ADMT and for deployers subject to the Family Educational Rights and Privacy Act (FERPA) who use ADMT for consequential decisions relating to education. Specifically, creditors required to provide an Equal Employment Opportunity Commission or Fair Credit Reporting Act notice and deployers that are subject to FERPA and required to provide FERPA notices may be able to modify those notices and avoid sending separate or duplicative notices.

Consumer Rights

Consumers who experience an adverse outcome from a consequential decision materially influenced by Covered ADMT may request:

• Access to and correction of factually incorrect or materially inaccurate personal data used in the decision, "consistent with" procedures in the CPA; and
• Meaningful human review and reconsideration of the decision, to the extent commercially reasonable.

An "adverse outcome" means a decision that:

• Denies, terminates, revokes, or materially reduces or restricts a consumer's access to, eligibility for, selection for, compensation for, or the provision of an opportunity or service in a covered domain; or
• Results in materially less favorable pricing, costs, compensation, or other material terms compared to what similarly situated consumers receive, where those worse terms are reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter the consumer's access to; eligibility, selection, or compensation for; or provision of that opportunity or service.

Therefore, not only outright rejections but also worse material terms offered to consumers in covered domains would trigger post-adverse-decision disclosures and consumer rights obligations.

Meaningful human review must be conducted by a person who has authority to approve, modify, or override the decision; considers relevant and available primary evidence; is trained to perform the review; does not simply defer to the automated output; and has access to sufficient information to understand the output's intended use, material limitations, categories of inputs, and the principal factors used to generate the output. SB 189 does not require correction of opinions, predictions, or scores generated by the system nor does it require disclosure of proprietary source code, model weights, or trade secrets.

Intersection With the Colorado Privacy Act

SB 189 is not the only Colorado statute that regulates the automated processing of personal data to make certain significant decisions. Indeed, the CPA requires controllers that process personal data for profiling in connection with a decision that results in the provision or denial of certain services—including lending or financial services, housing, insurance, education, employment, healthcare, and other "essential goods and services"—to provide a privacy notice that includes specific information, including the logic used in the profiling process and whether the system has been evaluated for accuracy, fairness, or bias, and gives consumers the right to opt out of such profiling. Controllers must honor such requests in accordance with Section 6-1-1306(2) of the CPA with respect to such decisions based on "solely automated processing" or "human reviewed automated processing," but may deny such requests with respect to "human involved automated processing" so long as the controller provides the consumer certain information about the decision. Although SB 189 refers in several places to the CPA, it does not address how SB 189 interacts with these provisions of the CPA regulations when a deployer is also a controller under the CPA. Hopefully, the Colorado attorney general will clarify this intersection through his rulemaking.

Enforcement and Liability Provisions

The Colorado attorney general has exclusive authority to enforce SB 189 through the Colorado Consumer Protection Act. Violations constitute unfair or deceptive trade practices.

The Colorado attorney general must adopt rules clarifying the specific content and format of the post-adverse outcome disclosure requirements referenced above, including sector-specific guidance, and related requirements by January 1, 2027. In addition, SB 189 gives the attorney general discretionary rulemaking power to adopt rules as needed to clarify and implement the statute.

Prior to initiating any enforcement action, the attorney general must issue a notice of violation and give the developer or deployer a 60-day opportunity to cure if the attorney general determines that a cure is possible. The attorney general is not required to provide a cure period if he or she can demonstrate that a developer or deployer knowingly violated the statute or has repeatedly done so. The right to cure sunsets on January 1, 2030. SB 189 expressly forecloses a private right of action.

SB 189 also has a dedicated liability allocation framework for civil actions alleging unlawful discrimination under state antidiscrimination laws arising from a consequential decision materially influenced by a Covered ADMT. Liability is allocated based on relative fault, and developers generally are not liable where deployers use systems outside the developer's intended or documented use, which is a significant change from the CAIA.

Further, SB 189 affirmatively prohibits certain indemnification terms in any developer-deployer contract. Specifically, terms attempting to indemnify a party's own conduct or shift liability for violation of Colorado's antidiscrimination law are deemed to be void under Colorado law.

Sector-Specific Exemptions

Insurers subject to Colorado's insurance law governing the use of algorithms and external consumer data are generally deemed compliant with SB 189 in the practice of insurance. HIPAA‑covered entities and their business associates are largely exempt from the statute's requirements, except for limited disclosure obligations in certain financial‑assistance eligibility determinations, and healthcare providers must provide general notice regarding their use of advanced technologies. The statute also excludes FDA‑regulated medical devices and related pharmaceutical or medical‑device research activities from most requirements. SB 189 also excludes from "consequential decisions" certain uses of ADMT related to cybersecurity, fraud prevention, spam and robo-call filtering, identity verification, anti‑money‑laundering and counter-terrorist financing controls, sanctions compliance, and system reliability.

What Organizations Should Do Now to Prepare

Although SB 189 is narrower than the repealed CAIA framework, organizations using Covered ADMT should monitor the existing x.AI litigation but begin preparing for the January 1, 2027, effective date.

Entities that develop ADMT should begin:

• Determining whether they are a "developer" under the statute;
• Preparing the required disclosures for deployers, if so, in a manner that protects trade secrets and other information protected by law; and
• Developing and implementing processes to ensure compliance with the record retention requirements.

Deployers covered by SB 189 should consider:

• Reassessing compliance posture and identifying the use of ADMT that materially influence consequential decisions;
• Reviewing developer disclosures and vendor contracts to consider indemnification and risk allocation terms;
• Developing and implementing advance consumer notice and adverse‑outcome disclosure processes;
• Establishing procedures for meaningful human review of adverse outcomes; and
• Retaining records demonstrating compliance.

Developers and deployers that are subject to the CPA should use their existing privacy compliance programs as a foundation on which to build a compliance program for SB 189. This will ensure that they can leverage existing processes and avoid inconsistencies across the enterprise.

+++

Nancy Libin is a partner in the Washington, D.C., office, David Rice is a partner in the Seattle office, K.C. Halm is a partner in the Washington, D.C., office, and Xelef Botan is an associate in the Los Angeles office of DWT. For questions or more insights, reach out to the authors or another member of our privacy & security group and artificial intelligence team and sign up for our alerts.