Colorado Revises AI Law, Shifts to Disclosure Regime

Per the Colorado General Assembly bill text (SB26-189) and contemporaneous reporting (FPF; Consumer Finance Monitor), Colorado repealed and reenacted its 2024 AI statute. The enacted bill, reported by commentators as the Colorado ADM Act (CADMA) (FPF), defines regulated systems as automated decision-making technology (ADMT) that process personal data and are used to "materially influence" a "consequential decision" (SB26-189). The law establishes operational disclosure and documentation duties rather than the broader governance and risk-management mandates in the 2024 statute (Consumer Finance Monitor; Colorado Sun).

Per the bill text (SB26-189), developers of a covered ADMT must provide deployers with technical documentation describing intended uses, categories of training data, known limitations, and instructions for appropriate use and human review. Developers must notify deployers of material updates, and both developers and deployers must retain compliance records for 3 years (SB26-189). Deployers must give clear, conspicuous notice at the point of interaction when a covered ADMT is used, and must provide a plain-language description of the ADMT's role within 30 days after a consequential decision produces an adverse outcome for a consumer (SB26-189). The Attorney General is assigned enforcement authority and reporting notes there is no private right of action under the new law (FPF).

For practitioners: shifting from a governance-driven, anti-discrimination duty toward a disclosure-and-remedy framework changes engineering and compliance priorities. Systems teams that previously focused on comprehensive impact assessments and documented risk-management programs will now need reliable logging, explainability artifacts, and data pipelines that can produce post-adverse explanations within statutory timeframes. Industry reporting highlights three concrete engineering implications: record retention and auditability for 3 years (SB26-189), mechanisms to generate plain-language explanations within 30 days (SB26-189), and developer-deployer interfaces for transfer of technical documentation and update notices (SB26-189).

Editorial analysis: public coverage frames Colorado's rewrite as a substantive retreat from the state's original 2024 experiment in risk-based AI governance. Reporting by Consumer Finance Monitor and The Colorado Sun documents a two-year negotiation involving the Governor's office, the Attorney General, industry, and civil-society groups, culminating in a narrower regulatory regime focused on transparency and post-decision remedies rather than upfront prevention (Consumer Finance Monitor; Colorado Sun). The revised law also removes certain conditional federal exemptions present in the earlier statute, which commentators say may bring additional federally regulated entities into scope (Consumer Finance Monitor).

Editorial analysis: for practitioners, Colorado's overhaul matters because it trades prescriptive governance requirements for operational disclosure and explanation obligations. That shift reduces the need for immediate large-scale organizational risk programs while increasing demand for dependable explanation pipelines, recordkeeping, and developer-deployer contractual controls. The law also centralizes enforcement with the Colorado Attorney General, which concentrates regulatory risk into administrative enforcement rather than private litigation (FPF).

• •Editorial analysis: rulemaking and guidance from the Colorado Attorney General, which the bill instructs the AG to adopt by statutory deadlines, will clarify post-adverse disclosure content and timing (SB26-189).
• •Editorial analysis: whether federal regulators, litigants, or impacted industry sectors seek clarifications on the definitions of "materially influence" and "consequential decision," both of which determine scope (SB26-189; Consumer Finance Monitor).
• •Editorial analysis: monitoring of enforcement actions and any litigation challenging the statute or its interpretation, including the earlier-reported xAI legal challenge referenced in coverage (Colorado Sun; CPR).

Robert Rodriguez described the legislative compromise as mixed: "Everybody lost and everybody won," reported The Colorado Sun. Anya Robinson of the ACLU testified that "access to clear, timely and actionable information is what allows individuals to exercise their rights," reported CPR.

Editorial analysis: overall, SB26-189 reorients obligations toward transparency and post-decision remedies, which reduces some compliance burdens while raising operational requirements for explainability, recordkeeping, and developer-deployer documentation. Practitioners should prioritize engineering workflows that produce timely, plain-language explanations and retain the records necessary to support AG oversight and consumer requests (SB26-189).