On May 14, 2026, Colorado Governor Jared Polis signed SB 26-189 into law, which repeals and reenacts the Colorado Artificial Intelligence Act (“CAIA” or “SB 24-205”) and substantially alters the obligations of employers using AI to make employment-related decisions.
This law marks a shift in regulating high-risk artificial intelligence and automated decision-making technology (“ADMT”). SB 26-189 becomes effective on January 1, 2027.
As background, we have previously reported that Colorado passed and signed SB 24-205 (also referred to as CAIA), which enacted broad restrictions on private companies using AI by seeking to prevent algorithmic discrimination affecting “consequential decisions”—including employment-related decisions. Notably, had SB 24-205 become effective, employers implementing AI in making employment-related decisions would have been required to conduct impact assessments, establish risk management programs, and adopt anti-discrimination safeguards by June 30, 2026.
On April 27, 2026, in xAI v. Weiser, No. 1:26-cv-01515 (D. Colo.), a federal court enjoined enforcement of the CAIA pending the submission of a decision on a preliminary injunction to be submitted jointly by xAI, the U.S. Department of Justice, and the Colorado Attorney General. This injunction was the last of many actions signaling the end of the landmark CAIA, as originally enacted on May 17, 2024.
Now, under SB 26-189, covered employers are no longer required to establish risk management programs or conduct annual impact assessments when using AI. Instead, SB 26-189 implements a more targeted and procedural framework, including notice and disclosure requirements, specific consumer rights (including rights for Colorado applicants and employees), and record-retention obligations.
Key Developments of SB 26-189
SB 26-189 covers consequential decisions that materially affect consumers’ access, eligibility, or compensation in specific areas, including employment, education, real estate, financial or lending services, insurance, and healthcare, among others.
Developers Must Provide the Following to Deployers:
- a general statement describing the intended uses and known harmful or inappropriate uses of the ADMT;
- a description of the data used to train the ADMT;
- known limitations of the ADMT; and
- instructions for the deployer’s appropriate use, monitoring, and meaningful human review.
Deployers are Required To:
- notify covered consumers when an ADMT materially influences a consequential decision affecting that consumer and provide instructions regarding how the consumer may obtain additional information;
- explain any adverse outcomes from a decision influenced by ADMT;
- provide consumers with a procedure to request additional information about the ADMT;
- explain consumer rights; and
- retain records demonstrating compliance for three years.
- Consumers who experience adverse outcomes from a decision influenced by a covered ADMT have the right to request from the deployer instructions on how to correct materially incorrect data.
- Consumers may also request meaningful human review when reasonable.
- SB 26-189 does not offer a private right of action; all violations are considered deceptive trade practices and are brought by the Colorado Attorney General.
- Under SB 26-189, both developers and deployers may be liable under state anti-discrimination laws when there is a “consequential decision materially influenced by a covered ADMT.”
Overview of SB 26-189
SB 26-189 applies to developers and deployers and regulates “covered ADMT,” which is defined as automated decision-making technology that is used to materially influence a consequential decision. In turn, SB 26-189 defines these terms as:
Automated Decision-Making Technology
Technology that processes personal data and makes computations that include predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment or determination concerning an individual.
Materially Influence
A “non-de minimis factor” that is used to make a consequential decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how a consequential decision is made. SB 26-189 explicitly excludes coverage of incidental, trivial, or clerical uses of ADMT.
Consequential Decision
A decision that relates to a consumer’s access to, eligibility for, or compensation in “covered domains,” including employment, education, residential real estate, financial services, healthcare, and essential government services. Consequential decisions are also decisions that relate to differentiated price, cost sharing, compensation, or other material terms that are reasonably likely to materially limit, delay, effectively deny, or alter the consumer’s access, eligibility, or opportunity to these covered domains.
SB 26-189 incorporates the definition of “consumer” found in the Colorado Privacy Act, but also expressly includes employees, job applicants who reside in Colorado, and any individual whose access to, eligibility for, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado.
SB 26-189 establishes compliance obligations for both developers and deployers of covered ADMT. A developer is any person doing business in Colorado that develops, offers, sells, leases, licenses, or otherwise makes commercially available a covered ADMT, as well as any individual who develops components of the ADMT or substantially modifies a covered ADMT, with few exceptions. The law defines “deployer” as “a person doing business in Colorado that deploys a covered ADMT.”
Developer Obligations
Incorporating some of the notice requirements of the original CAIA, SB 26-189 requires developers to provide deployers of their covered ADMT with the following:
- A general statement of the ADMT’s intended use and known harmful and/or inappropriate uses;
- A description of the categories of data, including personal data, that trained the ADMT;
- The known limitations of the ADMT;
- Instructions for the appropriate use and monitoring of the ADMT and meaningful human review; and
- Information necessary for deployers to comply with the revised statute.
When the developer makes material updates, modifications, and changes to the intended use of, limitations for, or risk mitigation of the ADMT affecting a consequential decision, the developer must notify the deployer within a reasonable time.
Deployer Obligations
SB 26-189 imposes three key obligations on deployers of covered ADMT:
Clear Notice to Individuals
Before using an ADMT to materially influence a consequential decision, deployers must provide “clear and conspicuous notice” to a consumer about the use of the ADMT and instructions on how to secure additional information. Deployers may provide this notice through prominent public notice that is reasonably accessible during the consumer interaction, which can include a link or post that is proximate to the interaction or transaction that may utilize the consequential decision. (In the case of hiring decisions, this likely means placing the notice in the job posting and/or on the employer’s Careers page.) The notice must be accessible to all consumers, including those with disabilities and limited English proficiency.
A Structured Adverse Action Process
If the covered ADMT materially influences a consequential decision that has an adverse outcome for the consumer, the deployer has up to 30 days to provide to the consumer: (i) a plain language description of the role the ADMT played in the consequential decision; (ii) instructions and a “simple-to-follow” process to request additional information about the ADMT; and (iii) an explanation of the consumer rights under the statute.
- An “adverse outcome” is a decision that:
  - denies, ends, revokes, reduces, or limits the consumer’s access to a service or opportunity;
  - makes the consumer ineligible or less likely to be selected;
  - lowers compensation or benefits; or
  - gives the consumer worse pricing, costs, or terms than similar consumers.
- Decisions that significantly delay, restrict, or effectively prevent a consumer from getting the same opportunities or services available to others in similar situations also result in an adverse outcome.
- If a decision outcome imposes materially less favorable differentiated pricing or terms, the decision outcome materially influences price, cost sharing, compensation, or material terms.
Retention of Records
Deployers must maintain the records necessary to demonstrate compliance for a minimum of three years after the date of the consequential decision.
Consumer Rights
When a consumer experiences an adverse outcome resulting from a consequential decision that a covered ADMT materially influences, the consumer may request and the deployer must provide:
- Instructions for requesting personal data and correcting factually incorrect or materially inaccurate personal data used by the covered ADMT; and
- An opportunity for meaningful human review and reconsideration when commercially reasonable.
Enforcement
Most notably, SB 26-189 does not create a new private right of action for consumers. Rather, the Colorado Attorney General will pursue all alleged violations and treat them as deceptive trade practices under the Colorado Consumer Protection Act. Prior to any enforcement action, the Attorney General must issue a notice of violation and a 60-day opportunity to cure, if a cure is possible. There is no right to an opportunity to cure for knowing or repeated violations.
Liability Framework
SB 26-189 introduces a new liability and indemnification framework. Both developers and deployers may be liable under state anti-discrimination laws as a result of consequential decisions materially influenced by a covered ADMT. The developer, however, is liable only to the extent that the deployer used the ADMT in a manner that was intended, documented, marketed, advertised, configured, or contracted for by the developer. The statute does not create joint and several liability.
Exempt Entities
Creditors, FERPA-covered educational institutions, and state-regulated insurers are considered compliant when they follow their existing sector-specific notice and disclosure requirements, while FDA-regulated medical devices and pharmaceuticals are excluded entirely. HIPAA-covered entities are generally exempt unless they use a covered ADMT in employment-related decisions or financial assistance eligibility determinations.
Rulemaking and Reporting
SB 26-189 directs the Attorney General to adopt rules, on or before January 1, 2027, clarifying the requirements for post-adverse outcome notices and the definition of “materially influence,” including presumptions, illustrative examples, and objectives. Additionally, beginning January 2028, and every January thereafter, the Attorney General must produce a report identifying the enforcement actions brought and the cure periods offered.
What Should Employers Do Now
Although the Attorney General may not issue interpretive rules until January 1, 2027, the same day the new law takes effect, employers should not sit idle. Because the operational changes necessary to meet these requirements can take several weeks or months to implement, employers using ADMT to make employment-related decisions should act now.
Employers should consider taking the following steps as soon as practicable:
Identify ADMT Exposure
Assess any technology utilized in business decision-making and determine whether it qualifies as a covered ADMT under the new definition.
Review Third Party and Vendor Contracts
Identify contracts that may be impacted by the new liability framework and confirm that any developers can meet their documentation and notification obligations.
Develop Notice and Adverse Action Processes
Prepare the consumer notifications when ADMT materially influences a decision regarding that consumer. Additionally, begin developing a reasonable process for explaining adverse outcomes and facilitating human review requests.
Update Record Retention Policies
SB 26-189 requires a minimum three-year retention of compliance documentation, and this system should be developed and implemented prior to January 1, 2027.
Conduct Regular Audits of AI Tools
Conduct formal AI audits to ensure the tools are functioning as intended and that there is transparency around how the AI tool generates results.