Colorado's new artificial intelligence law, signed last month, replaces the state's broad 2024 mandate to prevent algorithmic bias with a transparency-focused framework that imposes tiered disclosure requirements on companies that make and use automated decision-making technologies. The shift in SB 26-189 creates immediate trade secret governance challenges for both developers and deployers, while preserving liability under the state's anti-discrimination statute.
The law covers automated decision-making technologies, or ADMT, used to make significant decisions in employment, education, insurance, healthcare, and other specified domains. Developers - businesses that make ADMTs commercially available - and deployers - entities that use the technologies to decide about consumers - face distinct obligations, all enforced by the Colorado attorney general. Both are expressly subject to the Colorado Anti-Discrimination Law, which includes a private right of action after administrative remedies are exhausted.
Disclosure duties flow from developer to consumer
The statute layers information obligations in a sequence that starts with developers and ends with consumers. Before using a covered ADMT, a deployer must notify the consumer that the technology will be used and explain how to obtain information if an adverse outcome occurs. An adverse outcome is defined broadly: it includes denial or termination of an opportunity or service, such as employment or a public benefit, and materially less favorable pricing or terms, such as for a consumer finance product.
When a consumer receives an adverse outcome, the deployer must provide a plain-language description of the decision and the ADMT's role, plus an opportunity to request additional details. At minimum, that further disclosure must name the ADMT, identify the developer, and list the types and sources of personal data used. The deployer must also offer reasonable human review and reconsideration if the consumer asks.
Trade secret protections diverge
The path from developer to deployer carries heavier disclosure burdens and fewer shields. Developers must give deployers information about an ADMT's intended uses, known limitations, and known harmful or inappropriate applications. They also must supply instructions for use, a description of the training data to the extent known, and any other information the deployer needs to meet its own consumer disclosure obligations.
Deployers can withhold trade secrets from their consumer disclosures, provided they tell consumers they are doing so. Developers receive no comparable protection for most of their required disclosures. The law states developers must deliver information to deployers "in a form and manner that is reasonably understandable to a deployer and that protects trade secrets or information protected from disclosure by state or federal law." But only one of the five categories of mandated disclosures permits information to be withheld, and even then the statute does not clearly say trade secrets can justify the omission.
The contrast is deliberate. The 2024 bill gave identical trade secret protections to developers and deployers. Those protections began to erode in a governor's working group draft and narrowed further in the enacted legislation. A fair reading of today's law is that trade secrecy does not let developers limit their disclosures to deployers based on trade secret concerns. Instead, they must provide the required information and rely on confidentiality agreements to guard their secrets in those exchanges.
Liability structure drives the asymmetry
The reason for the uneven design becomes clearer in Section 1707 of the act. It clarifies that both developers and deployers remain subject to state anti-discrimination laws, and that contractual indemnification may not be available between them. By making compliant disclosures, a developer can shift some liability to the deployer and partially lift the indemnification restriction. The framework presumes that deployers will use the developer's information to choose and implement ADMTs wisely, while developers earn limited protection in return.
The incentive is weak in practice. Deployers receive the statutory information only after they become deployers, not during procurement. The mandated developer disclosures appear insufficient to determine whether an ADMT could produce discriminatory outcomes. The reward for compliant developers is correspondingly narrow.
Compliance steps for developers and deployers
Even an imperfect law demands attention. Developers and deployers should take several immediate steps to manage risk:
- Review the intended uses for their ADMTs and confirm alignment across marketing, contracts, and deployment.
- Draft compliant disclosures before they are needed and evaluate them for trade secret exposure. Developers must decide whether compliance compels disclosure of sensitive information; deployers need to determine what can be withheld, with notice to consumers. Where possible, align consumer-facing disclosures for a particular ADMT.
- Update agreements to include the delivery of required information under confidentiality provisions strong enough to protect trade secrets.
- Revisit indemnification provisions against the act's restrictions and refresh risk assessments accordingly.
- Monitor rulemaking that will refine the required disclosures.
Why this matters for legal professionals
The Colorado law creates a compliance environment where trade secret exposure shifts to developers, while deployers must manage consumer-facing obligations and human-review requirements. In-house counsel and outside advisors will need to revise contracts, draft disclosure forms, and assess where confidentiality clauses alone can substitute for statutory trade secret protections.
The interplay between disclosure duties, anti-discrimination liability, and restricted indemnification means legal teams must coordinate contract language with operational AI governance. For legal teams needing to understand AI regulations and practical trade secret management, AI for Legal Professionals Courses can provide guidance on these emerging intersections.
Your membership also unlocks:
