The Colorado AI Policy Work Group Proposes an Updated Framework to Replace the Colorado AI Act
On March 17, 2026, the Colorado AI Policy Work Group, with strong support from Governor Jared Polis, proposed a new artificial intelligence (AI) legal framework to replace the Colorado Concerning Consumer Protections in Interactions with AI Systems (Colorado AI Act). As described in greater detail in our June 2024 Legal Update, the Colorado AI Act is currently the most comprehensive and robust AI law in the United States. Similar to the EU AI Act, the Colorado AI Act triggers obligations on developers and deployers of AI systems classified as “high risk” under the law. The law was originally set to go into effect on February 1, 2026, but was amended late last year to postpone the effective date to June 30, 2026.
The new proposed framework, entitled Concerning the Use of Automated Decision Making Technology in Consequential Decisions (the Proposed ADMT Framework), is a rewrite of the Colorado AI Act and modifies the obligations such that they are focused more on transparency, recordkeeping and consumer rights, instead of requirements under the Colorado AI Act, such as reporting algorithmic discrimination, implementing a risk management policy, and conducting AI impact assessments. In short, the Proposed ADMT Framework more closely mirrors automated decisionmaking technology (ADMT) requirements commonly seen under comprehensive data privacy laws, instead of the AI governance-related requirements seen under comprehensive AI laws like the EU AI Act.
If passed, the Proposed ADMT Framework will go into effect January 1, 2027, giving covered ADMT developers and deployers until the end of 2026 to modify their compliance program. Below, we describe some of the relevant changes and new requirements under the Proposed ADMT Framework.
Updates to Applicable Systems
The Colorado AI Act was originally drafted to apply to AI systems based on a broad definition that aligns with the OECD AI Principles and EU AI Act. Under the Proposed ADMT Framework, however, the law instead adopts common terminology and requirements observed under data privacy laws when decisions are made using ADMT. Specifically, ADMT is defined under the Proposed ADMT Framework as “any technology that processes personal information and uses computation to generate output including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.” The Proposed ADMT Framework’s developer and deployer obligations apply to a “Covered ADMT” that is used to “materially influence” a consequential decision. By adopting the “materially influence” standard, the Proposed ADMT Framework creates a higher bar than the current “substantial factor” standard under the Colorado AI Act, which requires the AI system to simply assist and be capable of altering a high-risk decision. To meet the “materially influence” threshold, the ADMT output has to be a “non-de minimis” factor and affect the “outcome” of the decision, such as by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made. It does not include ADMT outputs that are merely incidental, trivial, or clerical uses.
Type of Decisions in Scope
The type of consequential decisions that trigger obligations under the Proposed ADMT Framework are largely consistent with the Colorado AI Act. There are, however, two notable differences. First, the Proposed ADMT Framework no longer includes AI decisions related to the provision or denial of legal services—that category has been removed. Second, the Proposed ADMT Framework clarifies some of the consequential decisions. For example, it states that (a) housing decisions involve the lease or purchase of residential real estate in Colorado; (b) insurance decisions include underwriting, pricing, coverage, claims adjudication, or other determinations that materially affect access to benefits; and (c) essential government services include public benefits and eligibility and renewal determinations.
Updated Obligations
Substantively, the Proposed ADMT Framework eliminates certain obligations present under the Colorado AI Act, such as the requirement to (a) report to the Colorado Attorney General regarding known or reasonably foreseeable risks of algorithmic discrimination; (b) conduct AI impact assessments; and (c) implement a risk management policy (e.g., NIST AI RMF or ISO/IEC 42001). However, similar to the Colorado AI Act, the Proposed ADMT Framework creates different obligations on businesses depending on whether they are developers or deployers of Covered ADMT, as summarized in the chart below:
| Developer Obligations | Deployer Obligations |
|---|---|
| Transparency: Provide technical documentation to the deployer regarding the Covered ADMT, which includes the intended uses, harmful or inappropriate uses, training data used, limitations and risks, instructions for use, and other information necessary for the deployer’s compliance. | Transparency: Provide a pre-use notice to consumers that the deployer is using a Covered ADMT for consequential decisions and how a consumer may obtain additional information under the law. This obligation may be satisfied by posting a public notice that is reasonably accessible at points of consumer interaction, including through links or posting that is reasonably proximate to the interaction or transaction in which a consequential decision may occur. |
| Change notice: Provide a notice to the deployer regarding material updates to the Covered ADMT. | Adverse outcome notice and rights: Provide within 30 calendar days a notice to consumers if the Covered ADMT rendered a consequential decision that was an adverse outcome. The adverse outcome notice must include a description of the decision and Covered ADMT’s role and instructions and a process to obtain additional information, including as necessary to exercise privacy rights and to request a meaningful human review or reconsideration. The Proposed ADMT Framework clarifies that deployers may provide a single combined notice when credit decisions are made under the federal Equal Credit Opportunity Act and Fair Credit Reporting Act and leverage and, where appropriate, notice and disclosure processes that are consistent with the federal Family Educational Rights and Privacy Act. |
| Records: Maintain records demonstrating compliance for not less than three years. | Records: Maintain records demonstrating compliance for not less than three years. |
Rulemaking
Like the Colorado AI Act, the Proposed ADMT Framework anticipates that the Colorado Attorney General will adopt rules to clarify the obligations under the law. Specifically, the Proposed ADMT Framework recognizes that the type of adverse outcome notice a deployer may need to provide could vary depending on the consequential decision domains specified in the Framework (e.g., employment, housing, lending, insurance, education, health care, and government services) and their interaction with other federal or state laws that also require or govern notices, explanations, or adverse decision disclosures. The rules will ultimately clarify these points and provide guidance.
Enforcement
Like the Colorado AI Act, the Proposed ADMT Framework does not have a private right of action and is enforced by the Colorado Attorney General. Before an enforcement action is commenced, however, the Colorado Attorney General must provide written notice of the alleged violation, and allow the developer or deployer 90 days after receipt of the notice to cure the alleged violation and provide a written statement describing the cure. If the alleged violation is cured within that time period, the Colorado Attorney General may not seek civil penalties for that specific violation, but may seek injunctive relief or other equitable relief as necessary to prevent future violations.
