Colorado Just Rewrote Its AI Law. Here's What Changed.

Colorado Governor Jared Polis signed Senate Bill 26-189 on May 14, 2026, replacing the state’s 2024 AI law before it ever took effect. The original law, SB 24-205, was the first comprehensive state AI regulation in the country. After two years of industry opposition, failed compromise attempts, a special legislative session, and a federal lawsuit filed by Elon Musk’s xAI (later joined by the DOJ), the legislature replaced it with something much narrower.

What the old law required. SB 24-205 was built around a risk management model. Developers had to assess their systems for algorithmic discrimination, document how they worked, and disclose that information to deployers, the Colorado Attorney General, and, in some cases, consumers. Deployers had to complete impact assessments, conduct annual reviews, and publicly summarize how they managed discrimination risks. The goal was substantive transparency: not just notice that AI was involved, but some accounting of how it reached its conclusions.

Why it didn’t survive. The tech industry objected almost immediately. Concerns centered on the compliance burden, undefined terms, and the risk of chilling development. Even Rodriguez, the bill’s own sponsor, signed a letter after passage acknowledging changes were needed. By April 2026, xAI had filed a federal suit calling the law unconstitutionally vague, and the DOJ had joined, arguing the law’s requirements would “disproportionately burden small businesses and start-ups.” The legislature had already delayed the effective date twice.

The new law's approach. SB 26-189 drops the impact assessment and public disclosure requirements entirely. The core obligation is now notice: deployers must inform consumers when a covered AI system materially influences a consequential decision (hiring, lending, housing, insurance, healthcare, education, and government benefits). If the outcome is adverse, the deployer has 30 days to provide a plain-language explanation of the decision, the AI’s role in it, and instructions for exercising consumer rights. Consumers can request correction of factually inaccurate data and an opportunity for meaningful human review. Developers must give deployers documentation covering intended uses, known limitations, and training data categories. In an approach similar to almost all state privacy laws, the Attorney General enforces the law exclusively; there is no private right of action, and a 60-day cure period for violations expires January 1, 2030. Most of the law takes effect January 1, 2027.

Important note for contract negotiators. Section 6-1-1707(7) voids any indemnification clause that would shield a developer or deployer from liability for its own discriminatory acts under Colorado anti-discrimination law. That is a departure from the default freedom-of-contract baseline and worth flagging when reviewing or drafting AI deployment agreements with Colorado exposure.

What it signals for other states. Colorado’s retreat from the explain-how-it-works model to a notify-and-appeal model is likely to influence other state legislatures still drafting AI bills. The DOJ’s posture in the xAI litigation added federal weight to the argument that substantive disclosure requirements go too far, at least under the current administration. States that were watching Colorado as a template now have a different template to consider.