ARTICLE
14 May 2026

Colorado Replaces Landmark AI Act: An Overview Of The New SB 26-189 Framework

FH
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Contributor

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP logo
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP is a law firm dedicated to advancing ideas, discoveries, and innovations that drive businesses around the world. From offices in the United States, Europe, and Asia, Finnegan works with leading innovators to protect, advocate, and leverage their most important intellectual property (IP) assets.
Explore Firm Details
After years of debate and three legislative sessions, Colorado has overhauled its artificial intelligence law. On May 14, 2026, Governor Polis signed SB 26-189 into law...
United States Colorado Technology
Lynn Parker Dupree and LaQuan Bates
Your Author LinkedIn Connections
Lynn Parker Dupreeā€™s articles from Finnegan, Henderson, Farabow, Garrett & Dunner, LLP are most popular:
  • with Finance and Tax Executives and Inhouse Counsel
  • with readers working within the Media & Information industries

The Highlights

  1. SB 26-189 shifts the framework toward notice and consumer recourse: Deployers must provide disclosures before use, explain adverse outcomes within 30 days, and offer a path for meaningful human review where commercially reasonable.
  2. It places greater emphasis on how system inputs, outputs, and limitations are handled: Developers and deployers need to document and communicate training data categories, system constraints, and the specific inputs tied to decision-making.
  3. It narrows and clarifies how responsibility is divided across the ecosystem: Liability depends on the intended use; contractual provisions that indemnify a party for its own violations are completely voided, and enforcement authority rests solely with the State Attorney General.

After years of debate and three legislative sessions, Colorado has overhauled its artificial intelligence law. On May 14, 2026, Governor Polis signed SB 26-189 into law, repealing and replacing the original Colorado AI Act (SB 24-205), which had been set to take effect June 30, 2026. The new law takes effect January 1, 2027.

How We Got Here

In May 2024, Governor Polis signed SB 24-205, which was the first comprehensive state AI law in the country. The original law imposed obligations on businesses that develop or deploy “high-risk artificial intelligence systems” used in consequential decisions, including employment, housing, health care, insurance, lending, education, and essential government services. Key requirements included a duty of care to avoid algorithmic discrimination, mandatory risk management programs, impact assessments, and reporting obligations to the Attorney General. After amendment attempts during the 2025 regular and special sessions did not result in a new final bill, a working group convened in fall 2025 to develop a replacement framework. That framework became the basis for SB 26-189.

What Changed: The New Framework at a Glance

SB 26-189 replaces the original law’s framework with a different set of obligations.

Here are the key changes:

New Terminology

The original law’s “high-risk artificial intelligence system” standard is replaced with a focus on “covered automated decision-making technology” (covered ADMT), defined as technology that processes personal data and uses computation to generate outputs (such as predictions, rankings, scores, or classifications) used to “materially influence” a “consequential decision.”

Removed Requirements

SB 26-189 eliminates several provisions of the original law, including the duty of care to avoid algorithmic discrimination, mandatory risk management programs, impact assessments, annual reviews, and reporting requirements to the Attorney General.

New Consumer Rights Framework

The new law establishes three core requirements for deployers: (1) pre-use notice to consumers before covered ADMT is used in a consequential decision, (2) a post-adverse outcome notice within 30 days if the covered ADMT materially influences an adverse decision, and (3) consumer rights to access and correct personal data and to request meaningful human review, to the extent commercially reasonable.

No Private Right of Action

Enforcement authority rests solely with the Colorado Attorney General under the Colorado Consumer Protection Act.

60-Day Cure Period

Before initiating an enforcement action, the AG must provide a notice of violation and a 60-day opportunity to cure, provided the AG deems a cure possible. The right to cure does not apply to knowing or repeated violations and sunsets on January 1, 2030.

Key Definitions

The law’s scope turns on several definitions:

  • Covered ADMT means ADMT that “materially influences” a consequential decision. “Materially influence” means the ADMT output is a non-de minimis factor that affects the outcome of a consequential decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how a decision is made. Incidental, trivial, or clerical uses are not included.
  • Consequential decision is a decision, determination, or action made about a consumer relating to access, eligibility, selection, or compensation in one of seven “covered domains”: education, employment, residential real estate, financial or lending services, insurance, health care, and essential government services. It also includes decisions, determinations, or actions about a consumer that relate to a differentiated price, cost sharing, compensation, or other material terms in a manner reasonably likely to materially limit, delay, effectively deny, or otherwise alter access to a covered domain. Legal services were included as a covered domain under the original law but are not included in SB 26-189.
  • Consumer includes employees and job applicants who are Colorado residents, as well as any individual whose access, eligibility, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado.

The definition of ADMT excludes tools such as anti-malware software, basic calculators, spreadsheets requiring human analysis, tools used solely to summarize or organize information for human review, and consumer-facing chat tools that are not contracted or intended to be used in consequential decisions.

Liability and Indemnification

SB 26-189 addresses how liability may be allocated between developers and deployers in actions alleging unlawful discrimination under state anti-discrimination laws arising from a consequential decision materially influenced by covered ADMT. Fault is allocated based on the relative fault of each party. Developer liability is limited to instances where the deployer used the covered ADMT for its intended purpose, and the developer is not liable where the deployer’s use of the covered ADMT was not an intended use. The law does not create joint and several liability beyond what existing law provides. The law also voids contractual provisions that purport to indemnify, defend, or hold harmless a party from liability for that party’s own acts or omissions related to the use of ADMT in making consequential decisions in violation of Colorado anti-discrimination law.

What Businesses Must Do

Developers are required to provide deployers with documentation about the covered ADMT, including its intended uses, known limitations, categories of training data, and

instructions for appropriate use and human review. Developers may satisfy this obligation through public release notes if they provide direct notice to each deployer. Developers must retain these records for at least three years and update them for material changes. Developers are not required to disclose trade secret information.

Deployers have three main obligations:

  1. Pre-use notice. Before using covered ADMT to materially influence a consequential decision, provide consumers with a clear and conspicuous notice disclosing that ADMT will be used and explaining how to obtain additional information. A deployer may satisfy this requirement by maintaining a prominent public notice reasonably accessible at points of consumer interaction.
  2. Post-adverse outcome notice. Within 30 days of making a consequential decision that results in an adverse outcome, provide the consumer with a plain-language description of the decision, the role the covered ADMT played, instructions for requesting additional information about the ADMT and the inputs used, and an explanation of the consumer’s rights and how to exercise them.
  3. Consumer rights process. Upon request from a consumer who received an adverse outcome, provide instructions for accessing and correcting personal data used in the decision, consistent with the Colorado Privacy Act, and an opportunity for meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable.

All deployers must retain records sufficient to demonstrate compliance for at least three years from the date of the consequential decision.

SB 26-189 represents a significant shift in how Colorado regulates the use of automated decision-making technology. As businesses assess their obligations under the new law, Finnegan is available to provide guidance

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Lynn Parker Dupree
Lynn Parker Dupree
Photo of LaQuan Bates
LaQuan Bates
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More