What it is

Senate Bill 26-189 — the Automated Decision-Making Technology Act. Signed by Governor Jared Polis on May 14, 2026, in the same action that repealed the original Colorado AI Act (SB 24-205). Effective January 1, 2027.

SB 26-189 reframes Colorado’s AI law from an EU-style high-risk classification regime into a disclosure-and-rights framework for Automated Decision-Making Technology (ADMT) used in consequential decisions.

If your compliance program was built against the repealed SB 24-205, most of the operational scaffolding (model inventories, impact-assessment templates, incident-disclosure pipelines) carries over — but the legal trigger and the specific deliverables have changed materially.

Who it covers

Developers and deployers of “covered ADMTs” used in consequential decisions. Consequential decisions include those affecting employment, housing, lending, education, healthcare, government services, and similar high-impact categories.

Developer obligations (effective Jan 1, 2027)

Developers must provide deployers with technical documentation describing:

  1. Intended uses and known harmful or inappropriate uses — a general statement of what the ADMT is for and where it should not be deployed
  2. Categories of training data — not the raw data, but a description of the data classes used
  3. Known limitations — including documented risks and circumstances in which the ADMT should not be used
  4. Instructions for appropriate use, monitoring, and meaningful human review

The documentation requirement does not require disclosure of proprietary source code, model weights, or trade secrets. Developers retain that protection.

Deployer obligations (effective Jan 1, 2027)

Two layers of notice:

1. Point-of-interaction notice. Clear and conspicuous notice to consumers at the moment they interact with a covered ADMT.

2. Post-adverse-outcome notice. If an ADMT makes a consequential decision that results in an adverse outcome for a consumer, the deployer must provide:

  • A plain-language description of the technology’s role in the decision
  • A process for the consumer to request additional information about the decision within 30 days

Consumer rights:

  • Right to request the personal data used by the covered ADMT
  • Right to correct factually incorrect personal data
  • Right to request meaningful human review and reconsideration following an adverse outcome

Recordkeeping

Both developers and deployers must retain records sufficient to demonstrate compliance with SB 26-189 for at least 3 years.

This is the load-bearing operational requirement. Recordkeeping requirements without specified format become de facto evidence requirements once enforcement begins — and the 3-year window means the records you produce in 2027 must still be retrievable and explainable in 2030.

AG rulemaking (deadline: Jan 1, 2027)

The Colorado Attorney General must adopt rules clarifying the post-adverse-outcome disclosure requirements by January 1, 2027.

Watch this rulemaking closely. Disclosure-and-rights regimes live or die on the specifics of what counts as a “plain-language description” and a “meaningful human review” — and those specifics will come from AG rules, not from the statute.

Enforcement

  • Exclusive enforcement authority sits with the Colorado Attorney General
  • A violation of SB 26-189 is deemed a deceptive trade practice under the Colorado Consumer Protection Act
  • No new private right of action — but SB 26-189 establishes how fault is allocated between developers and deployers in existing civil actions alleging unlawful AI discrimination

The “no private right of action” point is the structural difference from Illinois HB 3773, which does allow private suits. Colorado’s litigation calculus is materially lower than Illinois’s.

What changed from SB 24-205

| | SB 24-205 (repealed) | SB 26-189 (active) | |---|---|---| | Effective | Was June 30, 2026 | Jan 1, 2027 | | Framework | High-risk classification + reasonable care | Disclosure-and-rights | | Annual impact assessments | Required | Not required | | Developer documentation | Implicit | Explicit (4 categories) | | Consumer notice | Required | Required + adverse-outcome layer | | Human review right | Where technically feasible | Right to request, post-adverse outcome | | Recordkeeping | Not specified | 3-year retention | | Enforcement | AG (deceptive trade practice) | AG (deceptive trade practice) | | Private right of action | None | None |

Practical posture

  • Map every covered ADMT against the developer/deployer roles — the obligations split by role, and many enterprises occupy both
  • Build the post-adverse-outcome notice templates before the AG rulemaking lands; the rules will refine wording, not introduce new categories
  • Keep the documentation deliverables (intended use, training-data categories, limitations, instructions) under version control with timestamped releases — the 3-year retention window assumes you can produce the version that was in effect on any given day
  • Treat SB 26-189 documentation as a minimum — buyers, EU AI Act conformity, and ISO 42001 alignment all benefit from the same artifacts at higher fidelity
  • The “meaningful human review” standard is undefined in the statute. Build evidence that your human reviewers had the data, the authority, and the time to override the ADMT’s output — not just a checkbox

What to watch

  • AG rulemaking process (RFI / NPRM expected late 2026)
  • The first enforcement action — likely a deceptive-trade-practice case framed around inadequate adverse-outcome notice
  • Whether other states adopt SB 26-189 as a model (it is materially easier to comply with than the repealed CAIA, which may make it the new bipartisan template)