On May 14, 2026, Gov. Jared Polis signed into law the Colorado Automated Decision-Making Technology in Consequential Decisions Act (Colorado AI Act), a simplified AI regulation for developers and deployers of AI that repeals Colorado’s prior comprehensive AI regulation (the 2024 Colorado AI Act) that was set to take effect June 30, 2026, and replaces it with a more targeted framework governing the use of specific automated decision-making technologies (ADMT) to materially influence consequential decisions in certain “covered domains.” The new law takes effect Jan. 1, 2027, by which date the Colorado Attorney General must also adopt rules clarifying the disclosure requirements under the new law.
What the New Law Covers
The Act applies to “Covered ADMTs” – ADMTs used to materially influence a “Consequential Decision.” A Consequential Decision is a decision, determination, or action about a consumer that relates to a differentiated price, cost sharing, compensation, or other material terms in a manner reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter the consumer's access, eligibility, or opportunity within a “Covered Domain.”
Covered Domains include:
- Education enrollment and opportunities
- Employment or employment opportunities
- Real estate purchases or leases
- Financial or lending services
- Insurance
- Healthcare services
- Essential government services and public benefits
The Act defines ADMT as “technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.”
In practical terms, the Act applies to ADMTs used to make decisions that materially affect a consumer’s access to, eligibility for, or opportunities in connection with the Covered Domains listed above.
The Act expressly excludes certain technologies from the definition of ADMT, including:
- Spreadsheets that require human analysis and do not use machine learning;
- Tools used solely by an individual to summarize or present information for human review of administrative processing; and
- Technologies that use natural language to provide information and recommendations to consumers, provided such technologies are not intended for use in consequential decisions and are governed by an acceptable use policy that prohibits their use in consequential decisions.
General Compliance Obligations
The new law imposes obligations, including notice and disclosure requirements, on developers and deployers that create or use Covered ADMTs (i.e., ADMTs used to make Consequential Decisions in connection with a Covered Domain).
Developers of Covered ADMTs must provide deployers with documentation on intended uses, training data categories (to the extent known by the developer), known limitations and risks, and instructions for appropriate use, monitoring, and meaningful human review; and must provide notices of material updates to, or substantial modifications of, the same. Developers must retain such compliance records for at least three years.
Deployers of Covered ADMTs must provide clear notice to the consumer prior to the use of any such Covered ADMT in a Consequential Decision. Such notice may be satisfied via a reasonably accessible, prominent public notice. Deployers of Covered ADMTs must retain records demonstrating compliance with the law for at least three years after each use. If use of a Covered ADMT results in an Adverse Outcome, within 30 days of such decision, the deployer shall provide the impacted consumer with:
- a plain-language description of the decision and the Covered ADMT’s role in making that decision,
- instructions to request additional information (including system name, version, developer, and types, categories, and sources of personal data used, to the extent received from the developer), and
- an explanation of consumer rights detailed below.
These requirements build on similar obligations that already exist under the Colorado Privacy Act with respect to “profiling.”
The Act defines Adverse Outcome as “a decision that denies, terminates, revokes, or materially reduces or restricts a consumer’s access to eligibility for, selection for, compensation for, or the provision of an opportunity or service; or a decision that results in materially less favorable differentiated price, cost, compensation, or other material terms that are reasonably likely to materially limit, delay, or effectively deny, or otherwise fundamentally alter, a consumer’s access to, eligibility for, selection for, compensation for, or the provision of an opportunity or service compared to terms offered to similarly situated consumers. If a decision outcome imposes materially less favorable differentiated pricing or terms, the decision outcome materially influences price, cost sharing, compensation, or material terms.”
Alignment with Existing Federal and State Laws
The Act reflects the Colorado legislature’s intent to reduce regulatory burden on businesses by aligning with certain federal requirements. For example, a deployer may rely on its existing consumer notices as required by the Fair Credit Reporting Act (FCRA) or the Family Educational Rights and Privacy Act (FERPA), so long as such existing notices meet the notice requirements under the new law. In addition, if a deployer or developer is subject to, and deemed to be in compliance with, Colorado Revised Statutes Section 10-3-1104.0 (which prohibits unfair or deceptive practices by insurers), such deployer or developer will also be deemed to be in compliance with the obligations under the new law.
With respect to HIPAA, although the new law contains an exclusion for HIPAA Covered Entities doing business in Colorado, and Business Associates providing services to such Covered Entities, the exclusion is not a wholesale exemption. Importantly, the HIPAA exemption, as it relates to healthcare providers, applies only if the healthcare provider is operating from a location within Colorado, and all Covered Entities doing business in Colorado must provide general notice to patients about the use of advanced technologies, including Covered ADMTs. That notice can be incorporated into existing patient notices such as a HIPAA Notice of Privacy Practices.
In addition, if a Covered Entity uses a Covered ADMT to determine a patient’s eligibility for financial assistance, the Covered Entity must provide the patient with a plain-language description of the decision and the Covered ADMT’s role in making that decision, the types of information about the individual used by the Covered Entity in making the eligibility determination decision, information about how to request the correction of any inaccurate personal data held by the Covered Entity consistent with HIPAA, and an opportunity for meaningful human review and reconsideration where applicable.
The HIPAA exemption does not apply with respect to use of a Covered ADMT for purposes of consequential decisions related to employment or employment opportunities, such as hiring or promotion decisions.
Consumer Rights
In addition to the disclosure obligations above, where use of a Covered ADMT results in an Adverse Outcome, consumers may request instructions about how to request and correct factually incorrect or materially inaccurate personal data used, together with an opportunity for meaningful human review and reconsideration of the consequential decision.
Liability and Indemnification
The new law splits liability for any potential algorithmic discrimination claim between developers and deployers, explicitly clarifying that both may be held liable for unlawful discrimination under state anti-discrimination laws such as the Colorado Anti-Discrimination Act. However, a developer and deployer will only be held responsible to the extent of their relative fault. Where a deployer uses a Covered ADMT in the way it was “intended, documented, marketed, advertised, configured or contracted” to be used by the developer and the results are still discriminatory, then the developer would be liable. If a deployer uses a Covered ADMT in a way that it was “not intended, documented, marketed, advertised, configured or contracted” to be used by the developer, then the deployer would be liable for such unlawful use. The new law does not create joint and several liability, except to the extent permitted under existing law.
The new law also invalidates contractual indemnification provisions against liability for a developer’s or deployer’s “own acts or omissions” related to the use of Covered ADMT in violation of the Colorado Anti-Discrimination Act or other Colorado anti-discrimination law. Such indemnification clauses that purport to shift a developer or deployer’s liability for unlawful algorithmic discrimination in Consequential Decisions onto the other are void as against public policy. This restriction does not apply to a developer where the Covered ADMT was used in a way “not intended, documented, marketed, advertised, configured or contracted” and the developer complied with its documentation obligations.
Enforcement
The new law does not provide for a private right of action. Instead, it will be enforced by the Colorado Attorney General under the Colorado Consumer Protection Act, with violations deemed a deceptive trade practice.
Practical Considerations
The new law eliminates many of the more onerous requirements from the 2024 Colorado AI Act and provides an opportunity for businesses in Colorado to develop and deploy AI with greater clarity.
Before the Jan. 1, 2027, effective date, covered organizations should consider:
- Assessing which platforms and tools in use (or under consideration) constitute Covered ADMTs
- Drafting required notices and disclosures and developing a plan for notifying consumers, including updating covered entities’ HIPAA Notice of Privacy Practices
- Training ADMT users and quality control reviewers/auditors on anti-discrimination/anti-bias laws and policies that will impact their interaction with the tool(s)
- Consulting with legal counsel and experienced vendors to identify or create privileged processes to evaluate, mitigate, and monitor potential discriminatory or biased impacts of ADMT use
- Reviewing the forthcoming rules published by the Colorado Attorney General, including for clarification of the disclosure requirements under the new law
Multi-state employers should continue to monitor for additional requirements. Dozens of AI-related bills remain under active consideration in state legislatures nationwide.