Colorado just rewrote its AI law, and if your company assumed federal oversight kept you out of scope, you’ve got a problem. SB 26-189, passed May 9 and expected to be signed by Governor Polis, eliminated every conditional exemption that covered federally regulated entities — banks, insurers, and health systems are now inside the tent. The law takes effect January 1, 2027.

For most AI deployers, the compliance burden shrank. SB 26-189 trades the old law’s broad governance requirements (impact assessments, risk-management programs, annual reviews, public summaries) for narrower consumer rights: targeted disclosures, post-adverse-outcome explanations, correction rights, and the ability to request human review. Three-year record-retention obligations survive the rewrite.

The bill also reframes enforcement. SB 26-189 closes the private-right-of-action ambiguities in SB 24-205, the 2024 original, so plaintiffs’ lawyers can’t exploit that gap anymore; AG rulemaking is now mandatory and must be completed by January 1, 2027. Don’t expect scope expansion; Colorado’s AG used Privacy Act rulemaking to clarify, not grow, the law’s reach.

One clock you can’t set aside: a 60-day right-to-cure provision expires January 1, 2030. After that, violations go straight to the AG under the Colorado Consumer Protection Act.

Monday morning, map your covered ADMTs. Consumer rights workflows, adverse-action pipelines, and correction flows are months of engineering, not weeks. The rules aren’t final, but the framework is clear enough to start building now.

Nathan Zakhary