RegistryMethodologyBlogContactGet Rated
Regulation Guide

Colorado SB 26-189

The AI Transparency Law Taking Effect January 1, 2027

SB 26-189 requires organizations to disclose when AI is used in consequential decisions across seven regulated domains. This guide covers everything you need to comply — from developer obligations to consumer rights to the 60-day cure period.

What SB 26-189 Does

Signed into law in May 2025, Colorado SB 26-189 replaces the repealed SB 24-205 with a disclosure-based AI transparency framework. Where the original law tried to prevent algorithmic discrimination through impact assessments, SB 26-189 takes a different approach: require transparency, give consumers rights, and let the market and the Attorney General enforce accountability.

The Core Requirements

The law creates obligations for two types of organizations:

  • Developers — companies that build or substantially modify AI systems — must provide deployers with documentation covering intended uses, training data categories, known limitations, and instructions for meaningful human review.
  • Deployers — organizations that use AI in consequential decisions — must notify consumers before using automated decision-making technology (ADMT), provide post-adverse-decision explanations within 30 days, and offer meaningful human review.

Seven Covered Domains

SB 26-189 applies to AI used in consequential decisions across education, employment, financial services, government services, healthcare, housing, and insurance. A consequential decision is one that has a material legal or similarly significant effect on a consumer's access to opportunities in these domains.

Enforcement and the Cure Period

The Colorado Attorney General holds exclusive enforcement authority — there is no private right of action. Before penalties can attach, companies receive a 60-day cure period to remedy violations. This makes preparedness the most important compliance strategy: organizations with documented AI governance programs and tested response plans can cure quickly and credibly.

Safe Harbors

SB 26-189 provides safe harbors for insurers operating under state insurance code, creditors complying with ECOA, Regulation B, and FCRA, HIPAA-covered entities in clinical contexts, and FERPA-governed institutions. These safe harbors are activity-specific — they protect the regulated activity, not the organization as a whole.

How AI Clear Helps

AI Clear rates over 500 companies on 49 criteria anchored to NIST AI RMF and ISO/IEC 42001 — the same frameworks SB 26-189 aligns with. A transparency rating provides a standardized baseline that shows where your AI governance stands before a regulator or enterprise buyer asks. Search the registry or request your scorecard.

Deep Dives

Each topic below has its own detailed page covering a specific aspect of SB 26-189 compliance.

Compliance Checklist

Step-by-step compliance checklist for Colorado SB 26-189. Covers developer documentation, deployer notice, consumer rights, and Attorney General cure period requirements.

Read more

vs SB 24-205

Side-by-side comparison of Colorado's new AI law (SB 26-189) vs the original Colorado AI Act (SB 24-205). Key differences in scope, requirements, and enforcement.

Read more

Covered Domains

SB 26-189 applies to AI in consequential decisions across seven domains: education, employment, financial services, government, healthcare, housing, and insurance. What each means for compliance.

Read more

Vendor Requirements

What AI vendors must document and disclose to deployers under Colorado SB 26-189 Section 6-1-1702. Training data, limitations, human review instructions, and ongoing update obligations.

Read more

Meaningful Human Review

SB 26-189 requires meaningful human review of AI-assisted consequential decisions. What qualifies, who can do it, and how to build a compliant review process.

Read more

Cure Period

Colorado SB 26-189 gives companies 60 days to fix compliance violations before penalties attach. How the cure period works, what triggers it, and how to build a response plan.

Read more

Multi-State Comparison

Compare Colorado SB 26-189 to the EU AI Act, California EO N-5-26, GSA AI clause, and other state AI laws. Coverage, enforcement, and what multi-jurisdiction compliance requires.

Read more

Readiness Assessment

Assess your organization's readiness for Colorado SB 26-189. 20-question self-assessment covering AI inventory, documentation, consumer rights, human review, and cure preparedness.

Read more

Frequently Asked Questions

What is Colorado SB 26-189?

SB 26-189 is Colorado's AI transparency law, signed in May 2025 and taking effect January 1, 2027. It replaces the repealed SB 24-205 with a disclosure-based framework requiring organizations to notify consumers when automated decision-making technology (ADMT) is used in consequential decisions, provide post-adverse-decision explanations, and offer meaningful human review.

Who does SB 26-189 apply to?

The law applies to two groups: developers (companies that build or substantially modify AI systems) and deployers (organizations that use AI systems to make or substantially assist in consequential decisions). The seven covered domains are education, employment, financial services, government services, healthcare, housing, and insurance.

What is a consequential decision under SB 26-189?

A consequential decision is one that has a material legal or similarly significant effect on a consumer's access to, or the cost, terms, or availability of, opportunities in one of the seven covered domains. Examples include credit approvals, hiring decisions, insurance underwriting, and housing applications.

What is the 60-day cure period?

Before the Colorado Attorney General can pursue penalties for a violation, the company must be given 60 days to remedy the issue. If the violation is cured within that window — meaning the violating conduct is stopped and affected consumers are remedied — no penalties attach.

How is SB 26-189 different from SB 24-205?

SB 24-205 was outcome-based, requiring impact assessments to prevent algorithmic discrimination. SB 26-189 is disclosure-based, focusing on transparency requirements. SB 26-189 also adds a 60-day cure period, grants exclusive enforcement to the Attorney General (no private right of action), and includes safe harbors for federally regulated entities.

What are the penalties for non-compliance?

SB 26-189 is enforced through the Colorado Consumer Protection Act by the Attorney General. Penalties can include injunctive relief, civil penalties typically in the range of $2,000 to $20,000 per violation, and restitution to affected consumers. There is no private right of action.

Does SB 26-189 require impact assessments?

No. Unlike the repealed SB 24-205, SB 26-189 does not require impact assessments. The compliance model is built on disclosure and consumer rights rather than pre-deployment risk evaluation.

What is meaningful human review?

Meaningful human review means review by a qualified natural person who understands both the decision domain and the AI system, has access to the relevant data and system outputs, and has the authority to override the automated recommendation. Rubber-stamping algorithmic outputs does not qualify.

Check Your AI Governance Posture

Search your company in the AI Clear registry to see how your transparency practices compare — before a regulator or enterprise buyer does.

Search the RegistryRequest Your Scorecard