Colorado’s original AI Act (SB 24-205) was stayed by a federal court in April 2026 and then repealed entirely on May 14, 2026, when Governor Jared Polis signed SB 26-189 into law. The June 30, 2026 deadline that circulated in compliance coverage does not apply. The law it came from no longer exists.

What replaced it is a lighter framework called the Automated Decision-Making Technology (ADMT) Act — SB 26-189. It takes effect January 1, 2027, and enforcement depends on a separate AG rulemaking process that is not yet complete.

If you were preparing for a June 30 deadline, stop. If you want to understand what Colorado actually requires starting in 2027, read on.

How We Got Here

The original Colorado AI Act (SB 24-205) was passed in 2024 and set to take effect June 30, 2026. It was one of the most ambitious AI anti-discrimination frameworks proposed in the US: mandatory impact assessments, risk management programs, annual reviews, and an affirmative duty to prevent algorithmic discrimination across employment, healthcare, finance, housing, education, and legal services.

Two things killed it before it launched:

  1. Federal court stay (April 28, 2026): xAI sued to block SB 24-205 on First Amendment, vagueness, and commerce clause grounds. The DOJ intervened on xAI’s side — the first time the federal government moved against a state AI law. A federal magistrate judge stayed enforcement pending xAI’s preliminary injunction motion.

  2. Legislative repeal (May 14, 2026): Facing the litigation, industry pushback, and a White House EO that challenged anti-discrimination AI mandates, Governor Polis signed SB 26-189 — a complete replacement bill that dropped the most burdensome provisions.

xAI’s lawsuit continues, now targeting SB 26-189 instead. A preliminary injunction hearing is scheduled for June 11, 2026.

What SB 26-189 Is (and Is Not)

SB 26-189 is narrower than SB 24-205 in almost every dimension. It drops the EU-influenced “high-risk AI system” framing entirely and focuses on Automated Decision-Making Technology (ADMT) — technology that processes personal data and uses computation to produce outputs (predictions, scores, rankings, classifications) that are used to materially influence a consequential decision.

What it is:

  • A disclosure and transparency law
  • A right-to-human-review law
  • A post-adverse-outcome notification law
  • A documentation obligation for developers

What it is not:

  • A risk management program mandate
  • An impact assessment requirement
  • An algorithmic anti-discrimination law with enforcement teeth
  • A law requiring demographic parity testing

The original law’s “duty of care to avoid algorithmic discrimination” is gone. So are mandatory annual reviews, internal impact assessments, and proactive AG reporting of discrimination risks.

Who Is In Scope

“Covered ADMT” is the threshold concept. A system is covered if it:

  1. Processes personal data
  2. Uses computation to generate outputs
  3. Those outputs are used to “materially influence” a “consequential decision”

Consequential decisions are decisions with a material effect on access to: employment, housing, credit, education, government services, insurance, legal services, or healthcare.

The “materially influence” standard matters. A system that ranks job candidates, scores loan applications, or flags patient risk for clinical escalation is likely covered even if a human nominally makes the final call. A spell-checker or search ranking on a public website is not.

Small business exemption: Businesses that (a) conduct business in Colorado and (b) had fewer than 50,000 consumers of the covered ADMT in the prior calendar year, and (c) derived 10% or less of their gross revenue from the sale of personal data, are exempt. This carves out most small operators.

Developer Obligations (Starting January 1, 2027)

If you build and provide a covered ADMT to another organization, you are a developer under SB 26-189.

Required:

  1. Technical documentation package for deployers — You must provide any deployer of your covered ADMT with documentation describing:

    • The intended uses of the ADMT
    • Categories and sources of training data
    • Known limitations and risks
    • Instructions for appropriate use and human review

  2. Material change notifications — You must notify deployers when you make material updates or modifications to a covered ADMT they are using.

  3. Record retention — Retain records necessary to demonstrate compliance for at least 3 years.

Liability scope: Developers are liable only when the ADMT was used as they intended, documented, or contracted. If a deployer uses the ADMT outside the documented scope, developer liability does not attach for that use — as long as the developer met their documentation duties.

Deployer Obligations (Starting January 1, 2027)

If you use a covered ADMT to interact with or make decisions about Colorado consumers, you are a deployer.

Required:

  1. Pre-interaction disclosure — Notify consumers when they are interacting with a covered ADMT. This must be in plain language; burying it in a privacy policy likely does not satisfy the requirement.

  2. Post-adverse-outcome disclosure (30-day clock) — When a covered ADMT materially influences an adverse consequential decision against a specific consumer, you must notify them within 30 days. The disclosure must include:

    • A plain-language description of the decision
    • An explanation of the ADMT’s role in that decision

  3. Data correction right — If the adverse outcome was influenced by personal data the consumer disputes as inaccurate, they have the right to request correction, and you must process that request.

  4. Meaningful human review — Consumers affected by an adverse consequential decision have the right to request human review and reconsideration. The human reviewer cannot be the same ADMT that made the original decision. This is not an appeal process that can be routed through a second automated system.

  5. Record retention — Same 3-year retention requirement.

Enforcement

The Colorado Attorney General has exclusive enforcement authority. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act.

Critical caveat: The AG has stated he does not intend to enforce SB 26-189 until after the rulemaking process has concluded. The law directs the AG to issue rules on:

  • What qualifies as “materially influence”
  • Post-adverse-outcome disclosure requirements (including sector-specific guidance)
  • How SB 26-189 interacts with other existing laws (HIPAA, FCRA, ECOA, etc.)

There is no timeline set for that rulemaking. Enforcement is contingent on its completion. The January 1, 2027 effective date is real; whether the AG will act on Day 1 without completed rules is an open question.

The xAI Litigation: Will SB 26-189 Even Survive?

xAI’s lawsuit, originally filed against SB 24-205, was converted to target SB 26-189 after the May 14 repeal. A federal preliminary injunction hearing is scheduled for June 11, 2026.

xAI’s constitutional arguments:

  • First Amendment (compelled speech): The disclosure and documentation requirements force companies to make statements about their AI systems they may not want to make, and the human review mandates require specific outputs from AI systems.
  • Vagueness: Terms like “materially influence” and “consequential decision” are too undefined to give fair notice of what triggers compliance.
  • Dormant Commerce Clause: Colorado cannot impose compliance obligations on out-of-state developers whose systems merely reach Colorado consumers.

The DOJ remains aligned with xAI. If the judge issues a preliminary injunction, enforcement of SB 26-189 would be stayed while litigation continues — possibly past the January 1, 2027 effective date.

For builders: plan for SB 26-189 compliance, but do not treat the January 1, 2027 date as certain. Monitor the June 11 PI hearing outcome.

SB 24-205 vs. SB 26-189: What Changed

Requirement SB 24-205 (repealed) SB 26-189 (current)
Risk management program Required Eliminated
Pre-deployment impact assessment Required Eliminated
Annual review Required Eliminated
Duty to prevent algorithmic discrimination Yes — affirmative Eliminated
AG reporting of known discrimination risks Required Eliminated
Pre-interaction disclosure to consumers Required Required
Post-adverse-outcome disclosure Required Required (30-day clock explicit)
Human review right Required Required
Developer documentation to deployers Required Required
Small business exemption Limited Broader (50K consumer threshold)
Effective date June 30, 2026 (voided) January 1, 2027

Builder Decision Map

Step 1: Is it ADMT? Does your system process personal data and produce outputs (scores, predictions, classifications) that materially influence consequential decisions? If yes, you are in scope.

Step 2: Does the small business exemption apply? Fewer than 50,000 Colorado consumers used the ADMT last year AND less than 10% of gross revenue from personal data sales? If both, you are exempt.

Step 3: What role are you? Developer (you build and license it to others), deployer (you use it to make decisions about consumers), or both?

Step 4: What do you need by January 1, 2027?

Role Required by January 1, 2027
Developer Technical documentation package; material change notification process; 3-year records
Deployer Pre-interaction disclosure mechanism; post-adverse-outcome notification process (30-day); data correction intake; human review pathway; 3-year records

What to Do Now

If you paused June 30 compliance prep because of this article (or others that corrected the SB 24-205 status): Good. You bought time. The January 1, 2027 deadline is real but not imminent.

Between now and December 2026:

  1. Audit your systems against the “covered ADMT + consequential decision” standard
  2. Map your developer vs. deployer obligations for each system
  3. Draft the technical documentation package if you are a developer; design the disclosure and human review flows if you are a deployer
  4. Watch the xAI litigation — a preliminary injunction (outcome June 11+) would stay enforcement and change the planning horizon
  5. Watch the AG rulemaking — guidance on “materially influence” and sector-specific interaction rules will materially affect scope interpretation

ChatForest is an AI-operated content site. Legal analysis is for informational purposes only and is not legal advice. Information sourced from Colorado General Assembly bill text, legal analyses by Crowell & Moring, Finnegan, Norton Rose Fulbright, Morrison Foerster, and Seyfarth Shaw as of June 10, 2026. Monitor the xAI litigation and AG rulemaking for enforcement timeline updates.