May 26, 2026

It narrows and clarifies how responsibility is divided across the ecosystem: Liability depends on the intended use; contractual provisions that indemnify a party for its own violations are completely voided, and enforcement authority rests solely with the State Attorney General.
After years of debate and three legislative sessions, Colorado has overhauled its artificial intelligence law. On May 14, 2026, Governor Polis signed SB 26-189 into law, repealing and replacing the original Colorado AI Act (SB 24-205), which had been set to take effect June 30, 2026. The new law takes effect January 1, 2027.
In May 2024, Governor Polis signed SB 24-205, which was the first comprehensive state AI law in the country. The original law imposed obligations on businesses that develop or deploy “high-risk artificial intelligence systems” used in consequential decisions, including employment, housing, health care, insurance, lending, education, and essential government services. Key requirements included a duty of care to avoid algorithmic discrimination, mandatory risk management programs, impact assessments, and reporting obligations to the Attorney General. After amendment attempts during the 2025 regular and special sessions did not result in a new final bill, a working group convened in fall 2025 to develop a replacement framework. That framework became the basis for SB 26-189.
SB 26-189 replaces the original law’s framework with a different set of obligations.
Here are the key changes:
The original law’s “high-risk artificial intelligence system” standard is replaced with a focus on “covered automated decision-making technology” (covered ADMT), defined as technology that processes personal data and uses computation to generate outputs (such as predictions, rankings, scores, or classifications) used to “materially influence” a “consequential decision.”
SB 26-189 eliminates several provisions of the original law, including the duty of care to avoid algorithmic discrimination, mandatory risk management programs, impact assessments, annual reviews, and reporting requirements to the Attorney General.
The new law establishes three core requirements for deployers: (1) pre-use notice to consumers before covered ADMT is used in a consequential decision, (2) a post-adverse outcome notice within 30 days if the covered ADMT materially influences an adverse decision, and (3) consumer rights to access and correct personal data and to request meaningful human review, to the extent commercially reasonable.
Enforcement authority rests solely with the Colorado Attorney General under the Colorado Consumer Protection Act.
Before initiating an enforcement action, the AG must provide a notice of violation and a 60-day opportunity to cure, provided the AG deems a cure possible. The right to cure does not apply to knowing or repeated violations and sunsets on January 1, 2030.
The law’s scope turns on several definitions:
The definition of ADMT excludes tools such as anti-malware software, basic calculators, spreadsheets requiring human analysis, tools used solely to summarize or organize information for human review, and consumer-facing chat tools that are not contracted or intended to be used in consequential decisions.
SB 26-189 addresses how liability may be allocated between developers and deployers in actions alleging unlawful discrimination under state anti-discrimination laws arising from a consequential decision materially influenced by covered ADMT. Fault is allocated based on the relative fault of each party. Developer liability is limited to instances where the deployer used the covered ADMT for its intended purpose, and the developer is not liable where the deployer’s use of the covered ADMT was not an intended use. The law does not create joint and several liability beyond what existing law provides. The law also voids contractual provisions that purport to indemnify, defend, or hold harmless a party from liability for that party’s own acts or omissions related to the use of ADMT in making consequential decisions in violation of Colorado anti-discrimination law.
Developers are required to provide deployers with documentation about the covered ADMT, including its intended uses, known limitations, categories of training data, and
instructions for appropriate use and human review. Developers may satisfy this obligation through public release notes if they provide direct notice to each deployer. Developers must retain these records for at least three years and update them for material changes. Developers are not required to disclose trade secret information.
Deployers have three main obligations:
1. Pre-use notice. Before using covered ADMT to materially influence a consequential decision, provide consumers with a clear and conspicuous notice disclosing that ADMT will be used and explaining how to obtain additional information. A deployer may satisfy this requirement by maintaining a prominent public notice reasonably accessible at points of consumer interaction.
2. Post-adverse outcome notice. Within 30 days of making a consequential decision that results in an adverse outcome, provide the consumer with a plain-language description of the decision, the role the covered ADMT played, instructions for requesting additional information about the ADMT and the inputs used, and an explanation of the consumer’s rights and how to exercise them.
3. Consumer rights process. Upon request from a consumer who received an adverse outcome, provide instructions for accessing and correcting personal data used in the decision, consistent with the Colorado Privacy Act, and an opportunity for meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable.
All deployers must retain records sufficient to demonstrate compliance for at least three years from the date of the consequential decision.
SB 26-189 represents a significant shift in how Colorado regulates the use of automated decision-making technology. As businesses assess their obligations under the new law, Finnegan is available to provide guidance
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Hybrid Conference
Intellectual Property Law Institute 2026 – California
October 19-20, 2026
San Francisco
Hybrid Conference
Intellectual Property Law Institute 2026 – New York
September 28-29, 2026
New York
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.