Colorado Replaces AI Law With Narrower Framework Focused on Employment Decisions
Colorado Governor Jared Polis signed Senate Bill 26-189 on May 14, 2026, replacing the state's 2024 AI Act with a substantially rewritten law that takes effect January 1, 2027. The new law abandons broad compliance obligations in favor of a notice-and-disclosure regime-but extends that regime to employees and job applicants, a population largely excluded from Colorado's privacy law.
The original 2024 act, signed by Polis himself, faced immediate criticism. The governor publicly asked the legislature to revisit it before it took effect. After two years of deadlock and a working group convened in fall 2025, lawmakers adopted a narrower framework that eliminates the most demanding compliance requirements while reaching workforce decisions the Colorado Privacy Act does not cover.
What the Law Covers
The new law applies to "covered automated decision-making technology" (ADMT) used to materially influence "consequential decisions" in seven domains: education, employment, housing, financial services, insurance, healthcare, and essential government services.
The definition excludes routine technologies: web hosting, firewalls, antivirus software, spell-check, calculators, and spreadsheets that do not use machine learning. General-purpose large language models are also excluded unless specifically configured or marketed for consequential decisions and subject to acceptable use policies.
To trigger the law's requirements, ADMT output must be a "non-de minimis factor" that "affects the outcome of the decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made." The law excludes incidental or trivial uses, low-stakes routine decisions, advertising and marketing, narrow procedural tasks, cybersecurity activities, and academic administration.
A significant carve-out applies when ADMT summarizes, organizes, or presents information for human review without producing a score, ranking, or recommendation that affects the outcome. This matters for employers using AI to prepare materials that humans then evaluate.
Three Points of Obligation
The law replaces the 2024 act's duty of care, risk management requirements, and impact assessments with three specific obligations.
Developer documentation: Creators of covered ADMT must provide deployers with descriptions of intended and known harmful uses, training data categories, known limitations, and instructions for appropriate use and meaningful human review. Developers must also notify deployers of material updates.
Pre-use notice: Deployers must provide clear notice before using covered ADMT. A prominent posting reasonably proximate to the consumer interaction-such as a link at the point of engagement-satisfies the requirement.
Post-adverse-outcome disclosure: When a consequential decision results in an adverse outcome, deployers must provide a plain-language disclosure within thirty days. On request, they must provide instructions for accessing and correcting inaccurate personal data and offer an opportunity for meaningful human review "to the extent commercially reasonable."
Meaningful human review has a five-part definition. The reviewer must have authority to approve, modify, or override the decision; consider relevant primary evidence; be trained for the review function; not default to the system output; and have access to sufficient information about the system's intended use, material limitations, and principal factors-without disclosure of trade secrets or proprietary code.
Employees and Job Applicants Are Now Covered
The law defines "consumer" to include Colorado residents in an individual or household context, plus three additional categories: employees, Colorado resident job applicants, and any individual whose access or opportunity in Colorado is evaluated by a business operating in Colorado.
The Colorado Privacy Act generally excludes individuals in employment contexts. SB 26-189 closes that gap for AI-influenced employment decisions. Employers using covered ADMT to materially influence hiring, compensation, promotion, or similar decisions about current or prospective employees must provide pre-use notice and, after an adverse outcome, offer a right to correct inaccurate personal data and an opportunity for human review.
National employers running centralized recruiting for Colorado-based roles should note that the third category reaches out-of-state applicants evaluated for Colorado positions.
Liability and Contract Provisions
The attorney general has exclusive enforcement authority. Developers and deployers have a sixty-day cure period after notice of violation to avoid civil penalties. The attorney general may bypass this period for knowing violations or repeat offenses and may seek injunctions regardless of cure to prevent future violations.
The law creates no private right of action. It preserves existing rights under state and federal antidiscrimination law, the Colorado Consumer Protection Act, and product liability law. Compliance with the new notice-and-disclosure regime does not shield against claims under Title VII of the Civil Rights Act, the Colorado Anti-Discrimination Act, or analogous statutes.
Liability between developers and deployers is several, not joint. Fault is allocated based on relative responsibility-a deliberate departure from the 2024 act, which imposed separate duties without specifying fault allocation.
The most immediate practical impact is the bar on contractual liability shifting. Any contract term that indemnifies, defends, or holds harmless a developer or deployer against liability for its own antidiscrimination violations involving covered ADMT is void as against public policy. Many enterprise AI vendor agreements contain mutual indemnities now partially unenforceable in Colorado as applied to these claims. The law preserves the ability to obtain and recover under applicable insurance.
Sectoral Exemptions
Insurers subject to Colorado's existing algorithmic discrimination insurance statute and HIPAA-covered entities are largely exempt. That carve-out does not extend to employment decisions. Health systems and carriers using AI in hiring or other workforce decisions remain fully subject to the law.
What Employers Should Do
Before the January 1, 2027, effective date, employers should consider these steps:
- Inventory current AI tools to identify which qualify as covered ADMT, with particular attention to hiring, compensation, and workforce decision tools.
- Review AI vendor contracts for indemnification provisions that may be void under the new framework.
- Evaluate whether existing human review processes satisfy the five-part meaningful human review standard, including override authority and required training.
- Assess post-adverse-disclosure infrastructure, particularly for high-volume hiring processes.
- Continue or initiate bias auditing. Discrimination liability remains under existing law regardless of whether a tool qualifies as covered ADMT.
Bias audits are no longer required by the law, but they remain important. Litigation involving AI tools in hiring continues to increase whether or not those tools fall within state AI statutes. Evidence of bias testing is explicitly relevant under California's Fair Employment and Housing Act regulations addressing AI in employment.
Federal Pressure Ahead
Federal preemption pressure on state AI laws has increased. President Donald Trump's December 2025 executive order established a Justice Department AI Litigation Task Force, and the White House urged Congress to broadly preempt state AI laws. Whether federal preemption legislation advances will significantly affect Colorado's framework's longevity.
The attorney general's rulemaking process began May 14, 2026. Rules on post-adverse-outcome disclosures and consumer rights are required by January 1, 2027. Further rules clarifying the "materially influences" standard are permitted but not required.
For more on how AI affects your profession, see AI for Legal and AI for Human Resources.
Your membership also unlocks:
