Latest Posts:
Search for:

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In AI

Colorado Legislature Approves Comprehensive Rewrite of State AI Law

by , , , , , , and 5 Mins Read

On May 12, 2026, Colorado lawmakers passed SB 26‑189 (the “2026 Law”), a sweeping rewrite of the state’s landmark artificial intelligence law. The new bill repeals and replaces much of Colorado’s existing AI regulatory framework, enacted as SB 24‑205 in 2024 (the “2024 Law”), narrowing some of the more burdensome requirements and shifting the focus on transparency, consumer notice, and consumer rights when automated decision‑making tools are used in high‑impact contexts. The legislation represents a significant recalibration of Colorado’s approach to AI regulation and mirrors broader global trends to streamline AI regulation following an initial push to enact comprehensive frameworks.

Background

In May 2024, Colorado became the first U.S. state to enact a comprehensive, cross‑sector AI law with the passage of the 2024 Law. Partially modeled on the EU AI Act, the law regulated the development and use of “high‑risk artificial intelligence systems” that make or materially influence “consequential decisions” affecting areas such as employment, housing, credit, insurance, healthcare, education, and essential government services. The 2024 Law imposed extensive requirements on both developers and deployers, including mandatory impact assessments, risk‑management programs, bias mitigation measures, and incident reporting obligations enforced by the Colorado Attorney General.

From the outset, the 2024 Law drew skepticism from technology companies, trade groups, and even Colorado Governor Jared Polis. With the law slated to take effect in February 2026, lawmakers postponed its effective date to June 30, 2026 to consider amendments and a governor‑sponsored working group issued a draft proposal to replace much of the existing framework with a more disclosure‑focused approach. This framework eventually developed into the 2026 Law. Meanwhile, with its June 2026 effective date approaching, the 2024 Law became the subject of litigation. In late April, a federal district court approved a joint request to stay enforcement and pause litigation deadlines, barring Colorado from initiating enforcement actions while legislative and regulatory developments unfolded. For additional details of the litigation and the stay, refer to our earlier alert.

In Detail

Against this backdrop, and with the legislative session due to adjourn May 13, 2026, the General Assembly enacted the 2026 Law, which repeals and substantially changes Colorado’s AI law. An outline follows of some of the key features of the new law and how it modifies the 2024 Law.

Scope and Effective Date: The 2026 Law shifts the focus away from “high‑risk AI systems” regulated by the 2024 Law to “automated decision‑making technology” (ADMT) that uses personal data to make or assist “consequential decisions” concerning individuals. The definition of ADMT aligns substantially with existing privacy frameworks, such as California’s. The law covers a broad cross-section of sectors and use cases, applying to ADMT that makes decisions affecting employment, education, housing, financial and lending services, insurance, healthcare, and public benefits. Like its predecessor, the 2026 Law assigns different responsibilities depending on whether an entity is considered a “developer” or “deployer” of an ADMT system.

If signed, most operational requirements would take effect on January 1, 2027.  The 2026 Law authorizes the Attorney General to engage in rulemaking to clarify or implement the law’s requirements. The law directs the Attorney General to adopt most such rules by January 1, 2027, though certain rulemaking authorizations are not time-bound.

Elimination of Impact Assessments and Bias Audits: The 2026 Law eliminates some of requirements the 2024 Law’s core requirements, including mandatory impact assessments, ongoing bias audits, developer and deployer risk‑management programs, and affirmative defenses tied to adherence to formal AI risk‑management frameworks such as the NIST AI Risk Management Framework.

New Disclosure‑ and Rights‑Based Obligations: The 2026 Law introduces more targeted obligations focused on transparency. Developers must provide deployers with documentation describing intended uses, limitations, and material updates to covered systems. Deployers must in turn bear disclosure obligations toward individuals subject to ADMT decisions; they must provide clear notice when ADMT is used to materially influence a consequential decision and must issue post‑decision disclosures following adverse outcomes, including an explanation of the role the system played.

Consumer Rights: The 2026 Law allows individuals affected by an adverse ADMT decision to exercise certain rights. They may request information to access or correct personal data used by the ADMT in accordance with existing rights under the Colorado Privacy Act. Affected consumers may also request meaningful human review and reconsideration of the consequential decision if it is commercially reasonable.

Modified Anti-Discrimination Provisions: While the new law nixes the 2024 Law’s establishment of a new affirmative duty to avoid algorithmic discrimination, it does confirm that a developer or deployer may be liable under existing anti-discrimination laws for consequential decisions made by an ADMT. In such actions, liability is to be allocated between the developer and deployer based on their relative fault in respect of the violation and developers are not to be held liable for uses of their ADMT that were not intended, documented, marketed, advertised, configured, or contracted for.

Enforcement: Enforcement authority remains exclusively with the Colorado Attorney General. Unlike the 2024 Law, which was silent on the existence of a private right of action, the 2026 Law expressly states that there is no private right of action for violations. The bill also introduces a 60-day cure period for violations and requires the Attorney General to report annually on enforcement activity.

Looking Ahead

SB 26‑189 now arrives on Governor Polis’ desk and he is expected to sign the bill into law. If enacted, attention will turn to the Colorado Attorney General, who is tasked with promulgating rules implementing the law. While the new law is scheduled to come into effect January 1, 2027, enforcement of the law may be stayed beyond that date depending on the timing of rulemaking and the outcome of the litigation challenge. Companies developing or deploying automated decision‑making tools subject to the law should closely monitor the bill’s final enactment, forthcoming rulemaking, and the status of the stayed litigation as the state transitions to a reshaped, transparency‑centered AI regulatory regime.

Categories:
Tags:
Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Brian Hengesbaugh is Global Chair of Baker McKenzie's Data & Cyber Practice. Formerly special counsel to the general counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor) and earned a Medal Award from the US Department of Commerce for this service.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Susan Eandi is the head of Baker McKenzie's Global Employment and Labor Law practice group for North America, and chair of the California Labor & Employment practice group. She speaks regularly for organizations including ACC, Bloomberg, and M&A Counsel. Susan has been published extensively in various external legal publications in addition to handbooks/magazines published by the Firm. Susan has been recognized as a leader in employment law by The Daily Journal, Legal 500, PLC and is a Chambers ranked attorney.

Author

Cristina Messerschmidt is a partner in the Data and Cyber practice group based in Chicago, advising global organizations on data privacy and cybersecurity compliance requirements, data security incident response, and legal issues related to AI.

Author

Keo McKenzie is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group (IPTech), based in the Firm’s Palo Alto office. Keo has significant experience advising multinational technology, life sciences, and healthcare companies with complex matters related to regulatory and transactional issues presented by digital health technologies.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.

Author

Caroline Burnett is a Knowledge Lawyer in Baker McKenzie’s North America Employment & Compensation Group. Caroline is passionate about analyzing trends in US and global employment law and developing innovative solutions to help multinationals stay ahead of the curve.

Related Posts