Colorado Automated Decision-Making Law
Colorado SB26-189 is a state automated decision-making law for consequential decisions. It replaces Colorado's earlier high-risk AI framework with developer documentation, deployer notice, correction rights, human review, record retention, and attorney-general enforcement.
Definition
Colorado SB26-189, Automated Decision-Making Technology, became law on May 14, 2026. The Colorado General Assembly summary says it repeals and reenacts the 2024 SB24-205 artificial-intelligence consumer-protection provisions with new requirements for automated decision-making technology, or ADMT, used in consequential decisions.
The act defines ADMT as technology that processes personal data and uses computation to generate outputs such as predictions, recommendations, rankings, scores, or classifications used to make, guide, or assist a decision about an individual. A consequential decision concerns access, eligibility, or compensation for education, employment, housing, financial or lending services, insurance, health-care services, or essential government services and public benefits.
The result is not a general AI safety statute. It is a rights-and-records framework for systems that materially influence high-stakes decisions about people.
Snapshot
- Status: SB26-189 became law in the 2026 regular session as Chapter 131.
- Predecessor: SB24-205 was signed in 2024 and used a high-risk AI framework.
- Core pivot: the 2026 law moves to covered ADMT that materially influences consequential decisions.
- Effective duties: developer, deployer, notice, record, and consumer-right provisions begin January 1, 2027.
- Regulator: the Colorado Attorney General enforces the act through the Colorado Consumer Protection Act.
Scope
The scope is built around roles. A developer creates or substantially modifies covered ADMT. A deployer uses it. The covered technology is not every spreadsheet, database, filter, or business rule; the bill summary narrows the regime to ADMT used to materially influence a consequential decision.
This makes the framework important for AI procurement. Employers, lenders, insurers, schools, health-care providers, housing actors, and public agencies often rely on vendor systems. The law makes responsibility follow both the tool and the organization using it.
Duties
Starting January 1, 2027, a developer of covered ADMT must give deployers technical documentation describing intended uses, training-data categories, known limitations, and instructions for appropriate use and human review. Developers must also notify deployers of material updates or modifications.
Developers and deployers must retain compliance records for at least three years. Deployers have a two-stage notice duty: a clear notice at the point of interaction with covered ADMT, and a plain-language description of the ADMT's role within 30 days after an adverse consequential decision.
The Attorney General must adopt rules clarifying post-adverse-outcome disclosure by January 1, 2027.
Consumer Rights
The act gives consumers the right to request personal data used by covered ADMT, correct factually incorrect personal data, and request meaningful human review and reconsideration after an adverse consequential decision.
Those rights are governance pressure points. A correction right requires data lineage. Human review requires a reviewable decision file, not only a model score.
Enforcement
The Attorney General enforces SB26-189 through the Colorado Consumer Protection Act, and a violation is deemed a deceptive trade practice. Before initiating an action before January 1, 2030, the Attorney General must provide 60 days' notice and an opportunity to cure if a cure is possible.
The act does not create a new private right of action. Instead, it allocates fault between developers and deployers in civil actions alleging unlawful discrimination under existing law.
Governance Record
- System identity: vendor, model or tool name, version, deployment date, material updates, and intended uses.
- Decision scope: education, employment, housing, lending, insurance, health care, or essential government services.
- ADMT role: whether the system guides, ranks, scores, recommends, classifies, or materially influences the decision.
- Data record: personal data used, sources, correction path, and dispute handling.
- Notice record: point-of-interaction notice, adverse-outcome description, date, and plain-language explanation.
- Review record: human reviewer, evidence reviewed, reconsideration outcome, and reasons for sustaining or changing the decision.
Limits
SB26-189 is narrower than many summaries of "AI law" imply. It does not regulate every AI system, recommender, chatbot, or synthetic-media workflow. It attaches to covered ADMT used to materially influence consequential decisions about individuals.
The law also does not prove a decision is fair. Documentation, notice, correction, and review can still be weak. The statute creates an evidence architecture; its quality depends on implementation, rulemaking, and enforcement.
Source Discipline
Use the Colorado General Assembly bill page, signed-act PDF, and session-law materials for deadlines, definitions, duties, and enforcement. Use SB24-205 only to explain the predecessor framework. Do not describe SB26-189 as a chatbot, frontier-model, synthetic-media, or copyright statute.
Spiralist Reading
Spiralism reads Colorado's ADMT law as the file cabinet returning to the machine decision. The model score is not enough. The person affected needs notice, the data that mattered, a correction path, and a human who can reopen the case.
Open Questions
- How will Colorado's Attorney General define adequate post-adverse-outcome disclosure?
- What counts as meaningful human review when a vendor score shaped the original decision?
- Can fault allocation prevent vendors and deployers from pushing responsibility onto each other?
Related Pages
- U.S. AI Policy
- Algorithmic Impact Assessments
- Algorithmic Transparency
- Algorithmic Bias
- Algorithmic Recourse
- Notice and Appeal
- Human Oversight in AI
- AI in Employment
- AI in Finance
- AI in Healthcare
- AI Procurement
- AI Audit Trails
- AI Governance
- The State AI Law Becomes the Regulator
Sources
- Colorado General Assembly, SB26-189 Automated Decision-Making Technology, 2026 regular session, became law May 14, 2026.
- Colorado General Assembly, SB26-189 signed act PDF, Chapter 131, signed May 14, 2026.
- Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence, 2024 regular session, approved May 17, 2024.
- Church of Spiralism, Algorithmic Impact Assessments, Algorithmic Recourse, AI Liability and Accountability, and U.S. AI Policy, related internal references.