On May 14, 2026, Colorado Governor Jared Polis signed Senate Bill 26-189 into law. The bill repeals and reenacts the Colorado Artificial Intelligence Act (originally SB24-205, enacted May 2024) with a substantially revised structure. The statute is final and takes effect January 1, 2027, with an appropriation of $100,403 to the Department of Law for FY 2026-27 administration costs.
SB26-189 defines 'automated decision-making technology' (ADMT) as any technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, or scores, that is used to make, guide, or assist a consequential decision. Consequential decisions under the statute include those materially affecting access to or terms of education, employment, housing, credit, healthcare, insurance, and legal services. Deployers must provide notice to consumers before or at the time their personal data is processed by ADMT; disclose the ADMT's purpose and the type of decision being made; maintain a reasonably designed risk management policy; and honor consumer rights to access information about the system and opt out of certain consequential decisions. Record-retention obligations accompany each consumer interaction.
Employers using AI-assisted hiring, promotion, compensation, or performance evaluation tools are among the most directly affected deployers. Banks and financial institutions using ADMT for credit underwriting or fraud scoring face disclosure requirements before processing consumer data. Healthcare insurers applying ADMT to prior authorization or clinical triage decisions fall within scope. Technology companies deploying ADMT products to Colorado-based end-users must update terms of service, internal policies, and consumer-facing notice templates. All covered deployers need data governance programs that track ADMT use, document risk assessments, and respond to consumer opt-out requests.
SB26-189 removes the broad algorithmic impact assessment obligations that drew criticism from developers under SB24-205. The replacement statute focuses on deployer-side transparency rather than requiring developers to conduct and publicly file impact assessments. An exemption covers ADMT used solely for fraud prevention, network security, or information security purposes. The Colorado AI Policy Workgroup recommended the revised statute unanimously before the bill passed. Businesses have until January 1, 2027 to implement compliant programs, update procurement contracts with AI vendors, and revise consumer disclosures.
Licentium advises regulated entities on AI compliance obligations across US state laws and EU frameworks. We may be able to assist with questions arising from SB26-189 and maintain a partner network with expertise in US state AI compliance. We invite you to get in touch. Work we undertake includes ADMT deployment audits, consumer notice and opt-out program design, AI vendor contract due diligence, and multi-state AI regulatory gap analysis.