From the journal

Colorado Enacts SB 26-189 Replacing Prior AI Consumer Protections Law, Effective January 2027

Governor Jared Polis signed Colorado SB 26-189 on 14 May 2026, repealing and replacing Senate Bill 24-205, Colorado's prior AI consumer protections statute. The new law regulates automated decision-making technology in consequential decisions and takes effect 1 January 2027, giving companies a seven-month compliance window.

2 min read

Governor Jared Polis signed Colorado Senate Bill 26-189 on 14 May 2026. The bill repeals Senate Bill 24-205 - the original Colorado AI consumer protections statute enacted in 2024 - and reenacts its provisions in revised form under the title Automated Decision-Making Technology. The new law takes effect 1 January 2027 and appropriates $100,403 to the Colorado Department of Law for FY 2026-27 enforcement functions.

SB 26-189 regulates the use of automated decision-making technology by developers and deployers in consequential decisions, defined as decisions producing legal or similarly significant effects on consumers. The statute retains a risk-tiered structure derived from SB 24-205 but separates obligations for developers and deployers into distinct compliance tracks. Colorado's AI Policy Workgroup, convened under Governor Polis, delivered unanimous support for the revised policy before the bill reached the Governor's desk. The prior statute, SB 24-205, had not entered into force; the revision process extended and then superseded its pending effective date.

Deployers making consequential decisions affecting Colorado consumers must conduct impact assessments for high-risk automated systems, implement risk management programmes, and disclose to consumers when automated decision-making is used in covered decisions. Developers must provide deployers with technical documentation sufficient to enable compliance. The law applies to entities deploying AI in employment decisions, financial services, housing, education, healthcare, and access to public accommodation in Colorado.

The statute retains carve-outs for low-risk applications present in the original SB 24-205. The 1 January 2027 effective date gives companies approximately seven months to align internal processes, contracts, and documentation. The law operates without an equivalent federal AI statute; companies subject to SB 26-189 should build compliance programmes that can be adjusted if Congress enacts preemptive federal AI legislation before the Colorado law takes effect.

Licentium advises clients on US state AI regulatory obligations, including Colorado SB 26-189 compliance. Work we undertake includes automated decision-making impact assessment design, developer-deployer contractual allocation, algorithmic discrimination risk analysis, and AI governance documentation for US-regulated entities.

Source: Colorado General Assembly, Senate Bill 26-189 (Automated Decision-Making Technology), signed 14 May 2026

AI Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.