Status:Colorado’s original AI Act (SB 24-205, 2024) was repealed before its effective date and replaced by SB 26-189, signed in May 2026 and effective January 1, 2027. The model shifted from preventing algorithmic discrimination to transparency and disclosure about automated decisions. For the bill-by-bill detail, see the complete SB 26-189 guide.
What changed from SB 24-205 to SB 26-189
SB 24-205 was outcome-based: it required impact assessments and a duty to avoid algorithmic discrimination. SB 26-189 is disclosure-based. It removes the bias mandate and mandatory impact assessments, and instead requires consumer notice, a 30-day explanation after adverse decisions, and meaningful human review. It adds a 60-day cure period and removes the private right of action. See the full side-by-side comparison of SB 26-189 vs SB 24-205.
The seven covered domains
SB 26-189 applies to automated decision-making technology (ADMT) used in consequential decisions across seven domains: education, employment, financial services, government services, healthcare, housing, and insurance. A decision is consequential when it materially affects access to, or the cost or terms of, opportunities in one of these areas. See what each covered domain means for compliance.
Deployer vs developer obligations
Developers build or substantially modify AI systems. Under Section 6-1-1702 they must give deployers documentation covering intended uses, training-data categories, known limitations, and human-review instructions.
Deployers use those systems in consequential decisions. Under Section 6-1-1704 they must provide clear pre-decision notice, a plain-language explanation within 30 days of an adverse decision, consumer rights to access and correct data, and meaningful human review. Many organizations are both. The SB 26-189 compliance checklist breaks these into concrete steps.
The safe harbors
SB 26-189 includes activity-specific safe harbors for insurers under state insurance code (Section 10-3-1104.9), creditors under ECOA/Regulation B and FCRA, HIPAA-covered clinical activities, and FERPA-governed educational activities. These protect specific regulated activities, not the organization as a whole — an insurer using AI in employment decisions does not get safe-harbor coverage for those decisions.
Effective date and timeline
SB 26-189 takes effect January 1, 2027. The Attorney General’s implementing rules are expected before that date, but the statutory obligations are already defined, so organizations can begin building now. Several enforcement and rulemaking milestones are still moving — see how the 60-day cure period works.
Penalties and enforcement
Enforcement sits exclusively with the Colorado Attorney General under the Consumer Protection Act; there is no private right of action. Penalties typically range from about $2,000 to $20,000 per violation plus injunctive relief, with a 60-day cure period before penalties attach for organizations that remediate proactively.
Frequently asked questions
- What is the Colorado AI Act (SB 26-189)?
- The Colorado AI Act, SB 26-189, is a state AI transparency law signed in May 2026 and effective January 1, 2027. It requires developers and deployers of automated decision-making technology used in consequential decisions to provide documentation, consumer notices, and meaningful human review. It replaced the repealed SB 24-205.
- When does the Colorado AI Act take effect?
- SB 26-189 takes effect January 1, 2027. It was signed in May 2026, replacing the original Colorado AI Act (SB 24-205) before that earlier law ever took effect. Organizations have until the 2027 date to build disclosure, consumer-notice, human-review, and record-retention processes for covered AI systems.
- How is SB 26-189 different from SB 24-205?
- SB 24-205 was outcome-based, requiring impact assessments to prevent algorithmic discrimination. SB 26-189 is disclosure-based: it drops the bias mandate and impact assessments in favor of consumer notice, a 30-day adverse-decision explanation, and meaningful human review. It also adds a 60-day cure period and removes the private right of action.
- What are the seven domains covered by the Colorado AI Act?
- SB 26-189 applies to automated decision-making technology used in consequential decisions across seven domains: education, employment, financial services, government services, healthcare, housing, and insurance. A decision is consequential when it materially affects access to, or the cost or terms of, opportunities in one of these areas.
- Who is a developer versus a deployer under SB 26-189?
- A developer builds or substantially modifies an AI system; a deployer uses it to make or substantially influence a consequential decision. Developers must supply documentation under Section 6-1-1702; deployers must provide pre-decision notice, post-adverse-decision explanations, and meaningful human review under Section 6-1-1704. Many organizations are both.
- What are the penalties for violating the Colorado AI Act?
- The Colorado Attorney General holds exclusive enforcement authority under the Consumer Protection Act; there is no private right of action. Penalties typically range from about $2,000 to $20,000 per violation, plus injunctive relief. A 60-day cure period lets organizations remedy a violation before penalties attach.
Keep reading
- Colorado SB 26-189: the complete AI transparency law guide
- Colorado AI Act compliance: what to do before the deadline
- The Colorado AI Act compliance guide for deployers
- What SB 26-189 requires from your AI vendors
- Why smart deployers kept preparing during the enforcement pause
Check your AI governance posture
See how your company’s AI transparency compares against the seven domains SB 26-189 covers.