Colorado Enacts New ADMT Law Replacing Colorado AI Act
On May 14, 2026, Colorado Governor Jared Polis signed Senate Bill 26-189 (the “Act”) into law, establishing a comprehensive regulatory framework governing the use of automated decision-making technology (“ADMT”) in consequential decisions affecting consumers in Colorado. The new law, which will take effect on January 1, 2027, replaces the prior Colorado AI Act framework with a substantially revised approach. This Legal Update summarizes the key provisions of the updated Colorado AI Act and provides takeaways for companies evaluating whether the law applies to their development or deployment of ADMT.
Updates to Applicable Systems
The Act applies to “automated decision-making technology” or “ADMT,” defined as technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual. However, the Act does not regulate all ADMT. Its substantive obligations apply only to “Covered ADMT,” which is ADMT that is used to “materially influence a consequential decision.” An ADMT “materially influences” a consequential decision when its output is a non-de minimis factor used in making the decision and affects the outcome of the decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made. Incidental, trivial, or clerical uses are excluded.
Exclusions from ADMT: The Act expressly excludes a broad range of routine technologies from the definition of ADMT, including anti-malware, anti-virus, calculators, databases, data storage, firewalls, internet domain registration, internet website loading, networking, spam and robocall filtering, spell-checking, spreadsheets that require human analysis and do not use machine-learning, foundation models or large language models, web caching, and web hosting. The Act also excludes tools used solely to summarize, organize, translate, draft, route, or present information for human review or administrative processing, as well as consumer-facing natural language tools (e.g., chatbots) that are not contracted, advertised, marketed, configured, or intended for use in a consequential decision and are subject to an acceptable-use policy prohibiting such use.
Types of Decisions in Scope
The Act’s obligations are triggered only when ADMT is used to materially influence a “consequential decision,” which is defined as a decision, determination, or action made about a consumer that relates to the provision of, or the consumer’s access to, eligibility for, selection for, or compensation for a “covered domain,” or that relates to differentiated price, cost-sharing compensation, or other material terms that are reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter a consumer's access, eligibility, or opportunity for a covered domain.
Covered Domains: The Act identifies seven covered domains: (1) education enrollment or opportunities; (2) employment or employment opportunities that create or may create an employer-employee relationship; (3) leases or purchases of residential real estate in Colorado; (4) financial or lending services; (5) insurance, including underwriting, pricing, coverage, claims adjudication, or other determinations that materially affect access to benefits; (6) healthcare services; and (7) essential government services and public benefits, including eligibility and renewal determinations.
Exclusions from Consequential Decisions: The Act contains carve-outs from the definition of “consequential decision,” including: (1) low-stakes or routine decisions such as scheduling, classroom personalization, administrative routing, customer service triage, communication of decisions, and workflow management; (2) advertising, marketing, differentiated product recommendations, search, and content moderation; (3) spreadsheets that require manual human analysis and do not use machine-learning, foundation models, or large language models; (4) actions in which an ADMT is used to summarize, organize, or present information for human review that do not present scores, rankings, recommendations, classifications, predictions, or other inferences that materially influence an outcome or decision; (5) narrow procedural tasks or data-processing functions that do not generate a prediction or inference about a consumer or materially influence a consequential decision or decision process; (6) activities relating to technologies used for cybersecurity, spam- and robo-call filtering, system reliability, and anti-money laundering and counter-terrorist financing controls; (7) activities relating to technologies used for economic sanctions compliance; (8) activities relating to technologies used for fraud prevention, including identity verification, consumer identification, monitoring, and reporting controls required under state or federal law; and (9) routine academic administration and student-support processes that do not materially influence a consequential decision.
Eliminated and Updated Obligations
Substantively, the Act eliminates certain obligations that existed under the prior version of the Colorado AI Act, such as the requirement to: (a) report to the Colorado Attorney General regarding known or reasonably foreseeable risks of algorithmic discrimination; (b) conduct AI impact assessments; and (c) implement a risk management policy. However, like the prior version of the Colorado AI Act, the new Act creates different obligations on businesses depending on whether they are developers or deployers of Covered ADMT, as summarized in the chart below:
| DEVELOPER OBLIGATIONS | DEPLOYER OBLIGATIONS |
|---|---|
| Transparency: Provide information to the deployer regarding the Covered ADMT, including the intended uses, harmful, or inappropriate uses, training data used, known limitations and risks, instructions for use, monitoring, and meaningful review, and other information necessary for the deployer’s compliance. | Transparency: Provide a pre-use notice to consumers that the deployer is using a Covered ADMT to materially influence a consequential decision and how a consumer may obtain additional information under the law. This requirement may be satisfied by posting a public notice that is reasonably accessible at points of consumer interaction, including through a link or posting reasonably proximate to the interaction or transaction. |
|
Change notice: Provide a notice to the deployer regarding material updates, intentional and substantial modifications, and changes to the intended use of, limitation for, or risk-mitigation for the Covered ADMT within a reasonable amount of time.
An “intentional and substantial modification” means a deliberate change made to an ADMT that results in a material change to the system’s intended, documented, advertised, configured, or contracted use. |
Post-adverse outcome notice and rights: Provide a notice to consumers within 30 days of the Covered ADMT materially influencing a consequential decision that results in an adverse outcome. The post-adverse outcome notice must include a description of the decision and Covered ADMT’s role and instructions on how to request additional information, including regarding the consumer’s rights to access and correct factually or materially inaccurate personal data and an opportunity for meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable. |
| Records: Maintain records demonstrating compliance for not less than three years after creation, including system version identifiers, changelogs, and documentation and notices of material updates provided to deployers. | Records: Maintain records demonstrating compliance for not less than three years or longer if required by other law. |
Rulemaking
The Act provides the Colorado Attorney General with authority to adopt rules as necessary to implement and clarify the Act, including rules clarifying the specific content and format of post-adverse outcome disclosures and a consumer’s rights to access, correct and request human review, and the definition of “materially influence,” including through presumptions, illustrative examples, and objective indicators. The rules will ultimately clarify these points and provide guidance.
Enforcement
The revised Colorado AI Act continues to be solely enforced by the Colorado Attorney General and does not provide a private right of action. Before bringing an enforcement action, the Attorney General must issue a notice of violation and provide the developer or deployer with 60 days’ notice to cure the alleged violation. If the Attorney General finds and can demonstrate that the developer or deployer knowingly or repeatedly violated the Act, the Attorney General is not required to provide a cure period before seeking penalties or other relief. The Act’s right-to-cure provision sunsets on January 1, 2030.
Key Takeaways
Companies evaluating the revised Act should determine whether they are developing or deploying ADMT in any covered domains. If so, they should consider whether any exceptions and carve-outs apply; if not, they must identify their party role obligations for each ADMT-use case. Organizations may also need to adopt internal policies and processes addressing how new ADMT use cases should be evaluated by appropriate oversight committees so that there is a consistent approach for each review and the implementation of appropriate compliance measures. Finally, companies operating in regulated sectors (such as financial services) should evaluate whether they can leverage adverse action in notification frameworks that they already provide to consumers to address the Act’s requirements.
