Media Centre

Colorado Scales Back its AI Act Ahead of Enforcement Deadline

Ariel Yosefi Yuval Glazer

25 May 2026

Recently, Colorado Governor Jared Polis signed SB 26-189 (the “Amended Act“) – a significant amendment to Colorado’s landmark AI legislation. The Amended Act repeals and replaces substantial parts of the original Colorado AI Act, which was enacted in 2024 (the “Original Act“) and was widely viewed as the first comprehensive state-level AI law in the United States. The Amended Act is scheduled to take effect on January 1, 2027.

The Original Act, which was set to take effect in June 2026, imposed broad obligations on developers and deployers of “high-risk artificial intelligence systems”, including duties relating to reasonable care, risk management programs, impact assessments, public disclosures, consumer notices, and mitigation of algorithmic discrimination. The Amended Act, which is scheduled to take effect on January 1, 2027, materially narrows this framework and shifts the focus from broad AI governance obligations to a more targeted regime regulating automated decision-making technology used in consequential decisions.

 

Scope of Application

The Amended Act applies to developers and deployers of covered automated decision-making technology, or covered ADMT.

ADMT is defined as technology that processes personal data and uses computation to generate outputs, including predictions, recommendations, classifications, rankings, scores or other information, where such output is used to make, guide or assist a decision, judgment or determination concerning an individual.

The Amended Act applies where such ADMT materially influences a consequential decision. This represents a key change from the Original Act, which was based on the concept of “high-risk AI systems” that made, or were a substantial factor in making, consequential decisions.

A consequential decision generally refers to a decision that affects an individual’s access to, eligibility for or terms of certain important services or opportunities. These covered domains include employment, education, financial or lending services, insurance, healthcare, residential real estate and essential government services.

The Amended Act therefore does not apply to all AI systems or all automated tools. Rather, its focus is on ADMT that processes personal data and materially affects significant decisions about individuals.

 

Key Change: Removal of the “High-Risk AI System” Framework

One of the most important changes introduced by the Amended Act is the replacement of the prior “high-risk AI system” framework with the narrower concept of covered ADMT.

Under the Original Act, developers and deployers were subject to a broad duty to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. The Amended Act removes this general duty of care, as well as the Original Act’s broader AI governance requirements, including formal risk management programs and algorithmic impact assessments.

This change is significant for companies developing or using AI systems, as the Amended Act no longer requires a full AI risk management program or annual impact assessments as a general condition for using covered systems. Instead, the Amended Act focuses on notice, adverse outcome explanations, consumer rights, recordkeeping and documentation between developers and deployers.

 

Developer Duties

Developers of covered ADMT are required to provide deployers with documentation that is reasonably understandable and sufficient to allow deployers to comply with their own obligations under the Amended Act.

This documentation is expected to include information regarding the ADMT’s intended uses, known harmful or inappropriate uses, categories of data used to train the system, known limitations, instructions for appropriate use and information regarding monitoring and meaningful human review, where applicable.

Developers must also retain records reasonably necessary to demonstrate compliance for at least three years. This documentation and recordkeeping approach replaces the broader developer obligations under the Original Act, including the prior requirements for public disclosures and Attorney General notifications regarding algorithmic discrimination risks.

 

Deployer Duties

Deployers using covered ADMT are subject to several practical obligations.

First, deployers must provide consumers with clear and conspicuous notice when covered ADMT is used, or will be used, to materially influence a consequential decision affecting the consumer.

Second, where the use of covered ADMT materially influences a consequential decision that results in an adverse outcome, the deployer must provide the consumer with a plain-language explanation of the decision and the role played by the covered ADMT. The deployer must also provide information regarding the consumer rights available under the Amended Act.

Third, deployers must retain records reasonably necessary to demonstrate compliance for at least three years after making a consequential decision. Relevant records may include system version identifiers, changelogs, notices, adverse outcome explanations, and documentation of material mitigation changes.

 

Consumer Rights Following an Adverse Outcome

An “adverse outcome” generally means a decision that denies, terminates, revokes or materially restricts a consumer’s access to, eligibility for, selection for, compensation for or provision of an opportunity or service, including through materially less favorable pricing or other material terms compared to similarly situated consumers.

The Amended Act provides consumers with certain rights where covered ADMT materially influences a consequential decision that results in an adverse outcome. These rights include the right to request certain personal data used in the decision, the right to correct factually incorrect or materially inaccurate personal data used in the decision and the right to request meaningful human review and reconsideration.

The right to meaningful human review is particularly important. It requires review by an individual with authority to approve, modify or override the decision, rather than a merely formal or automated review process.

At the same time, the Amended Act narrows these rights in several respects. For example, the correction right does not require correction of opinions, predictions, scores or protected evaluations.

 

Enforcement and Rulemaking

The Amended Act is enforceable by the Colorado Attorney General through the Colorado Consumer Protection Act. A violation may be treated as a deceptive trade practice.

The Amended Act does not create a new private right of action. However, it does not limit existing rights or remedies available under other state or federal laws, including anti-discrimination, consumer protection, product liability or other applicable laws.

Before bringing an enforcement action, the Attorney General must generally provide notice of violation and a 60-day opportunity to cure, where the Attorney General determines that cure is possible. This cure period does not apply where the Attorney General can demonstrate knowing or repeated violations.

The Attorney General is also authorized to adopt rules to clarify and implement the Amended Act, including rules addressing consumer disclosures, consumer rights, and related compliance requirements. These rules will be important in determining the practical scope of the Amended Act before it becomes operative in January 2027.

 

Liability Allocation Between Developers and Deployers

The Amended Act also addresses liability allocation between developers and deployers in connection with unlawful discrimination claims involving covered ADMT.

Both developers and deployers may be held liable where covered ADMT materially influences a consequential decision that gives rise to unlawful discrimination, but liability is allocated based on each party’s relative responsibility. In general, a developer’s liability is tied to uses that were intended, documented, marketed, advertised, configured or contracted for by the developer.

The Amended Act also invalidates certain contractual provisions that attempt to indemnify or hold a party harmless for its own acts or omissions related to the use of covered ADMT in violation of Colorado anti-discrimination laws.

This may have practical implications for AI vendor agreements, procurement processes, SaaS agreements, and customer-facing AI terms.

 

Practical Implications

The Amended Act substantially reduces the compliance burden that would have applied under the Original Act. The removal of the broad duty of care, risk management program requirements, and algorithmic impact assessments is particularly significant for companies developing, licensing or deploying AI systems.

However, companies should not treat the Amended Act as merely deregulatory. Businesses that use automated tools in employment, credit, housing, insurance, healthcare, education or essential government services will still need to assess whether their systems qualify as covered ADMT and whether those systems materially influence consequential decisions.

Companies should begin mapping relevant AI and automated decision-making tools, reviewing vendor documentation, preparing consumer-facing notices, developing adverse outcome response procedures and ensuring that human review processes are meaningful and properly documented.

The Amended Act also highlights the increasing importance of contractual allocation of responsibilities between AI developers and deployers. Developers should prepare documentation packages for customers, while deployers should ensure that vendor agreements provide the information and cooperation needed to satisfy their own compliance obligations.

Although Colorado has moved away from the more burdensome model adopted in 2024, the Amended Act remains one of the most important state-level AI regulatory frameworks in the United States. Companies developing or using AI systems should continue to monitor Colorado Attorney General rulemaking and broader state-level developments in AI regulation.

Feel free to contact us if you have any questions regarding the Amended Act and its practical implications.

Related Practice Areas

Related Lawyers

More news

Louisiana to Join US States with Comprehensive Privacy Legislation
Herzog contributes Israel chapter to Chambers Tax Controversy 2026 Guide
Age Verification Laws Herzog’s Guide to the Evolving Legal Landscape
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.