Colorado's 75th General Assembly today cleared the final legislative hurdle for Senate Bill 26-189, a comprehensive rewrite of the state's earlier artificial intelligence consumer protection statute. The House voted 57 to 6 on May 9, 2026, sending the bill to Governor Jared Polis with strong bipartisan support. The legislation, sponsored in the Senate by Robert Rodriguez and James Coleman and in the House by Monica Duran and Jennifer Bacon, repeals and replaces the contested Senate Bill 24-205, which the General Assembly enacted in 2024.

The shift matters beyond Colorado's borders. It represents the most detailed statutory framework for automated decision-making technology regulation adopted by any U.S. state legislature so far in 2026, arriving at a moment when federal courts are simultaneously reviewing the constitutional limits of state-level AI regulation.

What SB 26-189 actually does

The bill's central construct is the concept of a covered ADMT - an automated decision-making technology used to materially influence what the legislation calls a consequential decision. According to the bill text, an ADMT is "a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual."

The definition is deliberately broad but includes meaningful carve-outs. Anti-malware, firewalls, spam filtering, spell-checking, databases, web hosting, web caching, and spreadsheets that require human analysis and do not use machine learning, foundation models, or large language models are all explicitly excluded. So are tools used solely to summarize, organize, translate, draft, route, or present information for human review of administrative processing. Chatbots and conversational tools are exempt provided they are not contracted, advertised, marketed, configured, or intended to be used in a consequential decision and are subject to an acceptable use policy that prohibits generated content from being used in such decisions.

The covered domains - the areas where a decision qualifies as consequential - are education enrollment and opportunities; employment and employment opportunities that create or may create an employer-employee relationship; the lease or purchase of residential real estate in Colorado; financial and lending services; insurance, including underwriting, pricing, coverage, claims adjudication, and other determinations that materially affect access to benefits; health-care services; and essential government services and public benefits, including eligibility and renewal determinations.

Importantly, advertising, marketing, differentiated product recommendations, search, and content moderation are all excluded from the definition of a consequential decision. That exclusion has direct implications for the programmatic advertising and ad tech industry. AI systems used to serve targeted ads, rank creative, or optimize bids do not fall within the regulatory perimeter as currently written.

The developer obligations

Starting January 1, 2027, developers of covered ADMTs must supply each deployer with a defined package of technical documentation. According to the bill, that package must include a general statement describing the intended uses and known harmful or inappropriate uses of the covered ADMT; a description of the categories of data, including personal data, used to train the covered ADMT, to the extent known; known limitations of the covered ADMT, including known risks and circumstances in which it should not be used; and instructions for the deployer's appropriate use, monitoring, and meaningful human review, where applicable.

The documentation obligation does not require disclosure of proprietary source code, model weights, or other trade secrets. Developers retain that protection. However, they cannot simply publish documentation once and leave it unchanged. The bill requires developers to provide deployers with notice of material updates, intentional and substantial modifications, and changes to intended use, limitations, or risk mitigation within a reasonable time. Public release notes satisfy the update notification requirement, provided the developer also sends direct notice to each deployer.

Record-keeping is non-negotiable. According to the bill, developers must retain records for at least three years after the creation of any record required under the legislation. Those records include system version identifiers, changelogs, and documentation of material updates provided to deployers.

The legislation is careful about what triggers a developer's obligations. A developer becomes subject to the disclosure requirements only when the ADMT was marketed, advertised, configured, contracted, sold, or licensed to be used to materially influence a consequential decision. A developer is also not defined as such when it develops an ADMT solely for internal research purposes where the system is not used in a consequential decision, or when it develops a system for purely internal functions that it does not make available to another person for use in a consequential decision.

The deployer obligations

Deployers - businesses doing business in Colorado that deploy a covered ADMT - carry their own distinct obligations. Before using a covered ADMT to materially influence a consequential decision, a deployer must provide a clear and conspicuous notice to the consumer that the ADMT is being used or will be used. The bill allows deployers to satisfy this by maintaining a prominent public notice that is reasonably accessible at points of consumer interaction, including through a link or posting that is reasonably proximate to the relevant transaction.

When a covered ADMT produces an adverse outcome for a consumer, the clock starts. According to the bill, deployers must provide within 30 days: a plain language description of the consequential decision and the role the covered ADMT played; instructions and a simple-to-follow process for the consumer to request additional information about the ADMT, including its name, version number where applicable, developer identity, and the types, categories, and sources of personal data used; and an explanation of the consumer's rights under the bill and how to exercise them.

The definition of an adverse outcome covers decisions that deny, terminate, revoke, or materially reduce a consumer's access to, eligibility for, selection for, or compensation for an opportunity or service. It also captures decisions resulting in materially less favorable differentiated pricing or terms compared to similarly situated consumers.

Deployers must retain records for at least three years after the date of a consequential decision. Those records may include covered ADMT version identifiers, changelogs, and documentation of material mitigation changes.

Meaningful human review - a technical definition

One of the more technically specific provisions is the definition of meaningful human review. The bill defines it as review by an individual designated by the deployer who has authority to approve, modify, or override a consequential decision, and who considers relevant available primary evidence, is trained to conduct the review, does not default to the system output, and has access to sufficient information to understand the output's intended use, material limitations, and categories of inputs, as well as the principal factors used to generate the output.

Crucially, that final condition does not require disclosure of proprietary source code, model weights, or other trade secrets. The bill threads a needle between consumer-facing transparency and protection of commercially sensitive technical information.

Consumer rights

Consumers who experience an adverse outcome have the right to request instructions for correcting factually incorrect or materially inaccurate personal data used in the consequential decision, consistent with existing Colorado data protection provisions. They also have the right to request meaningful human review and reconsideration of the decision, to the extent commercially reasonable.

The correction right has limits. According to the bill, it does not require correction of opinions, predictions, scores, or protected evaluations. That limitation may prove significant in practice: a credit score, a risk classification, or a job candidate ranking could each fall outside the correction right even if a consumer disagrees with the outcome.

Enforcement structure and the 60-day cure

Enforcement sits exclusively with the Colorado Attorney General, operating through the Colorado Consumer Protection Act. A violation of the bill is classified as a deceptive trade practice. Under the Colorado Consumer Protection Act, a person committing a deceptive trade practice may be subject to a civil penalty of up to $20,000 for each violation, with additional penalties possible for subsequent violations of a court order or injunction.

Before initiating an enforcement action, the Attorney General must issue a notice of violation and allow 60 days to cure the alleged violation, if a cure is deemed possible. That right to cure expires on January 1, 2030, after which it falls away. The Attorney General is not required to provide a cure period when a developer or deployer knowingly or repeatedly violated the bill's requirements.

Beginning in January 2028, and in January every year thereafter, the Attorney General must report to the General Assembly on enforcement actions, including the number of actions filed against developers and deployers respectively, the number of cure periods offered, the number of cure periods not met, and the number of violations where a cure was not deemed possible.

The bill does not create a new private right of action. Consumers cannot sue developers or deployers directly under this legislation. The bill does, however, establish how fault is allocated between developers and deployers in civil actions alleging unlawful discrimination under existing anti-discrimination law. Fault is allocated based on relative responsibility. Joint and several liability does not apply except to the extent already permitted under existing law. Contractual indemnification clauses between developers and deployers - where one party agrees to hold the other harmless from discrimination liability - are declared contrary to public policy and void under the bill.

Fiscal and administrative footprint

The fiscal note from Colorado's Legislative Council Staff projects state expenditures of $56,286 in fiscal year 2026-27, falling to zero in 2027-28. The increase stems from a requirement that the Department of Law complete stakeholder outreach and adopt implementing rules by January 1, 2027. That rulemaking process requires 0.4 full-time equivalent Assistant Attorney General. The bill appropriates $46,190 from the general fund to the Department of Law for this purpose, with the remaining $10,096 drawn from centrally appropriated costs.

The Office of Information Technology may take on additional work ensuring covered domains across state agencies comply with the bill and with rules adopted by the Department of Law. The fiscal note assumes that existing base-level funding is sufficient for initial compliance work, pending future court decisions and rulemaking.

The litigation shadow

Passing the legislation did not eliminate the legal uncertainty surrounding it. According to the fiscal note, on April 27, 2026, a U.S. District Court ordered the Colorado Attorney General not to initiate enforcement of SB 24-205, or any legislation amending SB 24-205, until the Attorney General completes rulemaking for AI enforcement and the court issues a ruling in the case "X. AI LLC v. Weiser."

As PPC Land has documented, the United States Department of Justice entered that case on April 24, 2026, filing a complaint in intervention under Civil Action No. 1:26-cv-01515-DDD-CYC. The DOJ joined xAI's challenge, arguing that Colorado's earlier law compels AI developers to accommodate particular messages in violation of the Equal Protection Clause. xAI filed its original federal lawsuit on April 9, 2026, challenging SB 24-205 on First Amendment, Dormant Commerce Clause, Due Process, and Equal Protection grounds.

SB 26-189 is structured as a repeal and replacement of SB 24-205, not a simple amendment. Whether that distinction is sufficient to place the new bill outside the scope of the court's April 27 order is a question that Colorado's Attorney General and the courts will need to resolve.

The pivot from SB 24-205

The conceptual gap between the two statutes is substantial. SB 24-205 required deployers to maintain risk management programs aligned with industry standards, conduct extensive risk assessments, and exercise reasonable care to avoid algorithmic discrimination. SB 26-189 removes all of those requirements. The new bill does not impose a duty to avoid algorithmic discrimination. It does not require bias mitigation programs. It does not mandate annual impact assessments.

What it adds instead is a layered documentation and disclosure framework - one that places the compliance burden primarily on the relationship between developers and deployers rather than on algorithmic outcomes themselves. The Attorney General retains rule-making authority to clarify the application of key definitions, including "materially influence," through presumptions, illustrative examples, and objective indicators.

Sectoral carve-outs

The bill navigates several sectoral exemptions with some care. Insurers subject to existing Colorado insurance regulation are deemed in compliance with the bill for the practice of insurance. However, that compliance deference does not extend to insurer employment decisions, which remain covered. HIPAA-covered health entities are largely exempt, except for consequential decisions related to employment or employment opportunities, and except for healthcare providers that use a covered ADMT to determine patient eligibility for financial assistance, where specific disclosures are required. FDA-regulated medical devices and pharmaceutical research and development activities subject to FDA oversight are entirely excluded. Creditors already providing notice under the Equal Credit Opportunity Act and the Fair Credit Reporting Act are deemed compliant with the bill's notice requirements for the same decisions, provided those federal notices satisfy the bill's disclosure requirements.

What it means for the ad tech and marketing industry

The explicit carve-out for advertising, marketing, differentiated product recommendations, search, and content moderation removes the bulk of programmatic advertising infrastructure from the bill's direct reach. A DSP algorithm that decides which ad to serve, a recommendation engine that ranks products on a retail media network, or a search advertising system that determines which ad placement a user sees - none of these constitute consequential decisions under SB 26-189 as written.

That said, the boundary is not absolute. AI systems used in employment advertising targeting - where the system helps determine which individuals receive job opportunity ads - could sit closer to the line, particularly if the underlying system is also used to evaluate candidates or influence hiring decisions. As PPC Land noted in coverage of the Workday case, AI-powered hiring tools have already attracted significant litigation even without a state statute imposing specific disclosure duties.

For marketing technology companies and agencies that sell AI tools to enterprise clients, the developer documentation obligations create real operational considerations. Any AI product marketed, advertised, configured, or contracted to be used in employment screening, insurance pricing, financial services, or healthcare eligibility will need to carry technical documentation packages meeting the bill's requirements by January 1, 2027. Version identifiers, changelogs, and update notices become compliance artifacts, not merely engineering records.

The bill's trajectory is closely tied to the broader pattern of state-level AI legislation that PPC Land has followed in its coverage of the Colorado regulatory situation. Connecticut passed its own AI bill with automated employment decision provisions in April 2026. The constitutional ceiling for state-level AI regulation remains unsettled, and Colorado's new law may face litigation of its own once it takes effect.

The Attorney General must complete rulemaking by January 1, 2027, engaging stakeholders including consumer advocates, deployers, developers, and sector regulators through public notice, opportunity for written comment, and at least one public hearing. That process, compressed into roughly seven months, will do much to determine how broadly or narrowly the bill's operative terms are applied in practice.

Timeline

  • May 17, 2024 - Governor Jared Polis signs Senate Bill 24-205 into law, establishing the original Colorado AI consumer protection framework, describing himself as having reservations about the legislation
  • August 2025 - Colorado General Assembly delays SB 24-205's effective date from February 1, 2026, to June 30, 2026, during a special legislative session, without amending substantive provisions
  • December 29, 2025 - xAI files a federal lawsuit challenging California's AI training data transparency law, AB 2013, in the U.S. District Court for the Central District of California
  • March 2026 - A working group convened by Governor Polis publishes proposed amendments to SB 24-205 that would remove the algorithmic discrimination mitigation requirement entirely
  • April 9, 2026 - xAI files a federal lawsuit against Colorado Attorney General Philip J. Weiser in the U.S. District Court for the District of Colorado under Civil Action No. 1:26-cv-01515, challenging SB 24-205 on First Amendment, Dormant Commerce Clause, Due Process, and Equal Protection grounds
  • April 24, 2026 - The United States Department of Justice files a complaint in intervention in xAI v. Weiser, becoming the first time the federal government directly joined litigation to contest a state AI law
  • April 27, 2026 - A U.S. District Court orders the Colorado Attorney General not to initiate enforcement of SB 24-205 or any legislation amending it until rulemaking is complete and the court rules in xAI v. Weiser
  • May 1, 2026 - SB 26-189 introduced in the Colorado Senate; assigned to the Business, Labor, and Technology Committee
  • May 5, 2026 - Senate Business, Labor, and Technology Committee refers the bill as amended to the Senate Appropriations Committee
  • May 6, 2026 - Senate Appropriations Committee refers the amended bill to the full Senate; Senate passes SB 26-189 on second reading with committee and floor amendments
  • May 7, 2026 - Senate passes SB 26-189 on third reading without further amendments; bill introduced in the House and assigned to the Judiciary Committee
  • May 8, 2026 - House Judiciary Committee refers the bill as amended to House Appropriations; House Appropriations Committee refers it unamended to the full House; House passes second reading with committee amendments
  • May 9, 2026 - Colorado House passes SB 26-189 on third reading, 57 to 6, with no further amendments; bill proceeds to Governor Polis for signature
  • January 1, 2027 - Most substantive provisions of SB 26-189 take effect; Attorney General's rulemaking on post-adverse outcome disclosures and consumer rights must be complete by this date
  • January 2028 - Attorney General begins annual reporting to the General Assembly on enforcement actions
  • January 1, 2030 - The 60-day right-to-cure provision for developers and deployers expires

Summary

Who: The Colorado General Assembly - 75th session, second regular session - passed SB 26-189, sponsored by Senators Robert Rodriguez and James Coleman in the Senate and Representatives Monica Duran and Jennifer Bacon in the House, with broad bipartisan support.

What: The bill repeals and replaces Senate Bill 24-205, Colorado's contested 2024 AI consumer protection law, substituting a new framework centered on automated decision-making technology disclosure obligations for developers and deployers, consumer notice and rights following adverse outcomes, and attorney general enforcement through the Colorado Consumer Protection Act. Key technical requirements include three-year record retention, 30-day post-adverse-outcome disclosure windows, and a defined standard for meaningful human review.

When: The House passed the bill on May 9, 2026. Most substantive provisions take effect January 1, 2027, with the Attorney General required to complete implementing rulemaking by the same date. The right-to-cure provision for enforcement expires January 1, 2030.

Where: Colorado, with direct application to any business doing business in Colorado that develops or deploys a covered ADMT affecting Colorado consumers. The bill explicitly covers consequential decisions in education, employment, residential real estate, financial and lending services, insurance, health care, and essential government services.

Why: The legislation addresses the legal and political collapse of SB 24-205, which faces a federal court injunction on enforcement, a DOJ-backed constitutional challenge, and a governor who has publicly expressed reservations about it since signing it in 2024. The new bill narrows the regulatory perimeter, removes the algorithmic discrimination mitigation requirements that drew litigation, and replaces them with a documentation, disclosure, and consumer rights framework intended to survive constitutional scrutiny while still imposing verifiable obligations on AI developers and deployers operating in the state.

Share this article
The link has been copied!