Colorado Rewrites Its AI Law: What Businesses Need to Know About SB 26-189

Written by: Victoria Xikis

 

Overview of original AI Act (SB 24-205)

On May 14, 2026, the Colorado Senate passed SB 26-189, a bill set to replace Colorado’s prior AI Act, SB 24-205. SB 24-205, which was signed by Governor Jared Polis on May 17, 2024, was scheduled to take effect on June 30, 2026. SB 26-189 narrows Colorado’s AI regulatory framework by focusing on automated decision-making technology, or ADMT, rather than imposing broader governance obligations on high-risk AI systems. [1][2]

Previously, SB 24-205 outlined the requirement of reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination when using high-risk artificial intelligence systems. An organization generally would have been in compliance with SB 24-205 if it took the steps below: [2]

  • Provide proper documentation and information to complete an impact assessment of the high-risk system;
  • Disclose a statement addressing specified information about the high-risk system;
  • Release a statement if foreseeable risks of algorithmic discrimination could arise from substantial modifications to its systems; and
  • Disclose to the attorney general (and other applicable organizations) within 90 days when there has been (or reasonably may be) algorithmic discrimination.

At its core, SB 24-205 focused on consumer protection by requiring developers and deployers of high-risk AI systems to use reasonable care to prevent known or reasonably foreseeable risks of algorithmic discrimination. Provisions were heavily focused on transparency, notice, and disclosure. [2]

 

xAI’s Challenges

The Colorado AI Act was challenged by xAI, an artificial intelligence company founded by Elon Musk, which raised constitutional concerns under the First Amendment and Equal Protection Clause. The complaint claimed the previous Senate Bill 24-205 “jeopardized the United States’ position as the global AI leader by requiring AI systems to incorporate discriminatory ideology that prioritizes demographic characteristics and outcomes over accurate and merit-based outputs.” The complaint further alleged that SB 24-205 required developers and deployers of AI systems to take steps to prevent the risk of “differential treatment or impact” on protected groups, which in practice would have compelled those developers and deployers to consider the status of those protected groups, which itself would have been discriminatory. Indeed, SB 24-205 imposed strict requirements on organizations, such as: [3][4]

  1. A duty to take reasonable care to avoid algorithmic discrimination; and
  2. Clear and transparent disclosures to consumers addressing, e.g., training data, foreseeable risks, and intended benefits.

xAI alleged that compliance with SB 24-205 would require organizations to make differential editorial decisions about “training data, responses to prompts, model constraints and more in order to generate Colorado’s preferred expressive outputs and authorizing outputs that would qualify for algorithmic discrimination.” xAI framed this as a viewpoint-discrimination concern, arguing the law would require developers to alter expressive outputs based on government-preferred views about protected classifications.

In addition, xAI claimed that SB 24-205 had a compelled-speech effect by forcing organizations to alter or suppress speech to maintain compliance. Developers of high-risk AI systems were expected to use reasonable care when protecting consumers from foreseeable risks of algorithmic discrimination. However, the consumers so protected were those falling within categories protected under Colorado law. [3][4]

 

SB 26-189 and how it compares to SB 24-205

Against the backdrop of xAI’s challenge and broader criticism of SB 24-205, Colorado lawmakers decided to advance SB 26-189 in place of the original law, just before it was set to take effect. The new bill imposes provisions regarding the use of ADMT in consequential decisions, requiring developers of ADMT “that is used to materially influence a consequential decision (covered ADMT) to provide a deployer with technical documentation describing its uses, limitations, training data and instructions for appropriate use and human review.” SB 26-189 is set to take effect January 1, 2027. [1]

SB 26-189 narrowed the ways in which organizations implement their notice requirements. Under the bill, organizations must provide clear and conspicuous notice when consumers interact with covered ADMT. They must also explain, in plain language, the role of ADMT within 30 days after a consequential decision that adversely affects the consumer. In addition, consumers have the right to request access to, and correction of, personal data used by ADMT. SB 26-189 will be enforced by the Colorado Attorney General under the Colorado Consumer Protection Act. A violation could constitute a deceptive trade practice. [1]

One key distinction between the two bills is that SB 24-205 applied broadly to high-risk AI systems and algorithmic discrimination. SB 26-189 narrows the focus to covered ADMT used to materially influence consequential decisions involving consumer personal data. The new bill also focuses on consumer disclosures and notices related to decisions that may adversely affect consumers. SB 26-189 shifts “compliance obligations away from broad governance and impact assessments, instead targeting consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.” Furthermore, SB 26-189 appears to revise certain exemptions that existed under SB 24-205, including exemptions for some federally regulated entities. [1]

Examples of notable provisions in SB 26-189 include:

  • Employment Scope – SB 26-189 clarifies that a “consequential decision” encompasses decisions that relate to “employment or an employment opportunity that creates or may create an employer-employee relationship.” [1]
  • Fraud Exemption – SB 26-189 excludes certain fraud-prevention technologies from the definition of “consequential decision,” but the exemption does not apply to facial recognition technology.
  • Notice of Material Updates – Organizations will be allowed to satisfy their requirement of disclosing a “notice of material updates” through “public release notes” as long as they notify each deployer of the release. [1]
  • Cure Period – SB 26-189 shortens the cure period from 90 days to 60 days and requires that the opportunity to cure be provided only if the Colorado Attorney General determines a cure to be possible. A cure period is a set timeframe in which a violation or mistake must be fixed to avoid further legal penalties. [1]

SB 26-189 also reflects broader state-level efforts to regulate AI transparency and accountability, although its structure differs from laws such as California’s AB 2013, California’s SB 53, and New York’s proposed RAISE Act. [5][6][7]

What does this mean for business owners?

Business owners are encouraged to begin preparing for the bill now, even though the Attorney General has not yet finalized the accompanying rulemaking.

Steps to consider now are as follows:

  • Familiarize yourself with ADMT and covered ADMT obligations, as well as the compliance requirements set out in SB 26-189;
  • Review what qualifies as “High-Risk AI” and whether you use, or plan to use, such a system, to determine applicable compliance obligations under the law; and
  • Focus on key compliance areas, including data retention, transparency, personal data use, and decision-making, while ensuring consumers are clearly informed about how their data is used and their rights to access, correct, and request review of that information.

Businesses must be prepared to make a consumer-focused shift in their systems through consistent review and oversight. If a violation occurs, SB 26-189 may allow a 60-day cure period, but only if the Colorado Attorney General determines that a cure is possible. The cure period would give businesses a window of time to fix the issue at hand before legal claims could arise. [1]

Conclusion

All in all, business owners should use this transition period to familiarize themselves with compliance expectations and terminology. Businesses can begin preparing by reviewing their current AI and privacy notices and third-party policies, so they can flag areas that could be problematic in the future and may not adhere to expectations set out in SB 26-189. Business owners can also begin preparing by sending notices to their consumers in advance, so they are aware of possible changes to their policies when approaching the new year, and by keeping an eye out for upcoming updates.

The Beckage Firm, LLC, monitors legal developments in artificial intelligence, privacy, cybersecurity, incident response, and related regulatory areas. As AI laws continue to evolve, businesses should evaluate their current policies, vendor relationships, and data practices to better understand how emerging obligations may affect them. Our team assists clients across industries with data security, privacy, incident response, artificial intelligence, cryptocurrency fraud, litigation, and regulatory matters.

 

 

Sources:

[1] Colorado General Assembly, SB26-189 Bill Text, Colorado General Assembly (2026), https://leg.colorado.gov/bill_files/116013/download

[2] Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence, Colorado General Assembly (2024), https://leg.colorado.gov/bills/sb24-205/

[3] United States Department of Justice, Complaint in Intervention, United States v. Philip Weiser and Colorado, U.S. Department of Justice (2026), https://www.justice.gov/crt/media/1437846/dl

[4] United States Department of Justice, Justice Department Intervenes in xAI Lawsuit Challenging Colorado’s “Algorithmic Discrimination” Law, U.S. Department of Justice Office of Public Affairs (2026), https://www.justice.gov/opa/pr/justice-department-intervenes-xai-lawsuit-challenging-colorados-algorithmic-discrimination

[5] New York State Senate, Assembly Bill A6453A, New York State Senate (2025), https://www.nysenate.gov/legislation/bills/2025/A6453/amendment/A

[6] LegiScan, Bill Text: CA SB53, LegiScan (2025), https://legiscan.com/CA/text/SB53/id/3041703

[7] LegiScan, Bill Text: CA AB2013, LegiScan (2024), https://legiscan.com/CA/text/AB2013/id/2910882