Colorado AI Act: Repeal and replacement after scrutiny

Last week, on May 14th, Governor Jared Polis signed legislation that softened the 2024 Colorado AI Act (2024 CAIA) after the legislature began facing immense pressure to change the regulation before it went into effect this summer. The original intent of the 2024 CAIA was to mitigate the risk of algorithmic discrimination based on unlawful differential treatment of individuals in protected classes. However, tech companies and business leaders scrutinized the law as too cumbersome, and Governor Polis warned that it may create a chilling effect on critical technological advancements in the state. To address these concerns, the Colorado legislature held a special session last fall to amend the law; however, negotiations failed and implementation of the law was delayed until June 2026.

Scrutiny of the law increased this spring after the Department of Justice joined Elon Musk’s xAI lawsuit challenging the 2024 CAIA for being too vague and alleging that it requires AI companies, like xAI, to “embed the State’s preferred views into the very fabric of AI systems,” violating the First Amendment. Amid the backlash, the new law, passed as Senate Bill 189, repeals and replaces the 2024 CAIA with new requirements about the use of AI in consequential decisions.

Rollbacks and updates

The new law rolls back many of the vague provisions of the 2024 CAIA. Notably, the new law no longer contains requirements to notify the attorney general within 90 days of discovering likely discrimination, implement risk management plans, nor conduct impact assessments. Instead, the law contains less cumbersome provisions that more clearly define requirements for developers and deployers of AI.

For example, the law specifically regulates automated decision-making technology (ADMT), which is “technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, ranks, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.”

Many of the new requirements also surround “consequential decisions,” which are defined as “a decision, determination, or action made about a consumer that relates to the provision of or a consumer’s access to, eligibility for, selection for, or compensation” for a covered domain. Covered domains include an education enrollment or opportunity, employment opportunity, lease or purchase of real estate in Colorado, financial or lending service, insurance service or benefits, healthcare services, and essential government services and public benefits. Consequential decisions further include actions relating to “differentiated price, cost sharing, compensation, or other material terms” that are likely to “materially limit, delay, effectively deny, or otherwise fundamental alter” opportunities within covered domains.

New requirements for developers and deployers

The law imposes rules for covered developers and deployers of an ADMT including:

  • Documentation: A developer of an ADMT must provide a deployer of an ADMT with technical documentation of the ADMT’s intended uses, categories of training data, known limitations, instructions for appropriate use, and other reasonably necessary information to comply with the law.
  • Record keeping: Both developers and deployers are required to maintain records for at least 3 years. Developers are required to maintain records for no less than three years after the creation of the required record, and deployers are required to maintain records for no less than three years after the date of a consequential decision.
  • Notice to consumers: Deployers are obligated to provide “clear and conspicuous” notice to consumers at the point of interaction with the ADMT. If a covered ADMT is used to materially influence a consequential decision (as defined by the law) adverse to a consumer, deployers must provide the consumer with a description of the decisions and the ADMT’s role, instructions for requesting additional information, and an explanation of consumer rights within 30 days of the consequential decision.
Consumer rights

The law also prescribes consumer rights after an adverse consequential decision outcome. The consumer has a right to request personal data, correct factually incorrect or materially inaccurate personal data, and request a commercially reasonable human review of the consequential decision. The human review must provide for a “reasonable” and “meaningful” reconsideration of the consequential decision.  While enforcement power is given to the Colorado Attorney General, there is no private right of action for consumers.

Impact of the new law

Colorado’s new law more clearly defines parameters for AI developers and deployers and significantly scales back the obligations the 2024 CAIA was slated to impose this summer. The new law will help ease the tension between the legislature and AI companies, while also likely rendering the pending DOJ and xAI lawsuit moot. It creates important parameters for preventing discriminatory AI practices while not implementing overburdensome policies that deter companies from conducting business in Colorado.

The new law goes into effect on January 1, 2027, and businesses should begin updating their AI policies in compliance. Colorado is one of the leading states to develop AI regulation with more states likely to enact similar laws in the coming years. Even if AI companies are not currently operating in Colorado, they should use the new Colorado legislation as an example when implementing AI compliance in preparation for more states to adopt similar regulations.

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.

balustrade37