Colorado AI Accountability Law Takes Effect June 30 Setting New Compliance Bar

--- headline: "Colorado AI Accountability Law Takes Effect June 30 Setting New Compliance Bar" slug: colorado-ai-accountability-june-2026 category: policy story_number: "12" date: 2026-05-24 ---

# Colorado AI Accountability Law Takes Effect June 30 Setting New Compliance Bar

Colorado's landmark artificial intelligence accountability law was signed in May 2024, delayed once, legally challenged, rewritten, and signed again - and with five weeks left before the latest deadline, companies subject to it are still scrambling to understand exactly what it requires of them. The June 30 date is no longer a cliff for the original SB 24-205; Governor Jared Polis signed a replacement bill, SB 189, on May 14, resetting the effective date to January 1, 2027. But the regulatory pressure that Colorado has generated over the past two years has already reshaped how companies think about AI compliance across the country.

The arc of Colorado's AI law is a case study in the difficulty of regulating a technology that the legislature, the tech industry, federal regulators, and the courts all view differently - and a preview of the patchwork that American companies now have to navigate in place of federal coherence that has not arrived.

From SB 205 to SB 189: What Changed and Why

When Colorado enacted SB 24-205 in May 2024, it was the most comprehensive state AI law in the country. The law targeted "high-risk artificial intelligence systems" - defined as systems that function as a substantial factor in consequential decisions about education, employment, housing, financial services, legal services, or healthcare for Colorado residents. Developers and deployers faced a demanding set of obligations: formal risk-management programs, pre-deployment impact assessments, annual algorithmic discrimination reviews, consumer disclosures, human review mechanisms, and mandatory reporting to the Colorado Attorney General within 90 days of discovering discrimination.

Almost immediately, the law drew fire from the technology industry and federal officials. A special legislative session in August 2025 pushed the original February 2026 effective date back to June 30, 2026. That reprieve did not end the controversy. In April 2026, a large AI developer filed a federal constitutional challenge to SB 205, and the U.S. Department of Justice - acting under the Trump administration's December 2025 executive order targeting what it called "excessive State regulation" of AI - intervened to support the lawsuit. A federal magistrate judge stayed enforcement.

The Colorado legislature responded by passing SB 189 on May 7-9, 2026. Polis signed it six days later. The replacement law retains the core purpose - protecting consumers from discriminatory AI decisions - but strips out most of what made SB 205 burdensome to implement. Gone are mandatory risk management programs, annual impact assessments, and the affirmative duty to use "reasonable care" to prevent algorithmic discrimination. What remains is a disclosure-based framework that Holland & Knight attorneys, writing in a May 18 client alert, characterized as representing a shift from "broad obligations" to a "lighter framework governing automated decision-making technology in consequential decisions."

The revised law also shifts terminology. "High-risk AI system" is replaced by "covered automated decision-making technology" (ADMT) - a definitional change with real scope implications. Unlike SB 205, which required AI systems to use inference to qualify, ADMT under SB 189 covers any system that "materially influences" a consequential decision, including systems that merely check whether a value falls within a range. Cybersecurity and fraud prevention are explicitly excluded. HIPAA-covered entities receive a broad exemption for non-employment uses. FDA-regulated medical devices are excluded entirely.

What the New Law Actually Requires

Under SB 189, which takes effect January 1, 2027, companies divide into two categories with distinct obligations.

Developers - companies that create, sell, license, or substantially modify covered ADMT - must provide deployers with documentation that includes a description of intended uses, known harmful uses, categories of training data, known limitations and risks, and instructions for appropriate use and human review. They must retain records for at least three years and notify deployers of material updates within a reasonable time. Developers bear no liability for "off-label" uses that deployers choose to make of their systems.

Deployers - companies that use covered ADMT to make consequential decisions - must provide consumers with clear notice before such use, which can be satisfied through a "prominent public notice accessible via a link." After an adverse outcome influenced by ADMT, deployers must provide a plain-language explanation of the decision, the technology's role, and how consumers can request more information. Consumers gain the right to access and correct factually incorrect personal data used in a decision and to request meaningful human review - defined as a reviewer with actual authority to approve, modify, or override the outcome who does not simply default to the system's output.

Enforcement remains exclusively with the Colorado Attorney General, with no private right of action. The AG must issue a 60-day cure notice before acting unless the violation was knowing or repeated. That right to cure sunsets on January 1, 2030. Violations constitute deceptive trade practices under the Colorado Consumer Protection Act.

The Compliance Picture Right Now

The transition from SB 205 to SB 189 has not simplified compliance planning as much as the scaled-back requirements might suggest. The law passed less than two weeks ago. The AG must adopt rules clarifying key provisions - including post-adverse-outcome disclosure requirements - by January 1, 2027, the same day the law takes effect. That leaves companies preparing against statutory text without implementing regulations and with seven months to build disclosure infrastructure, vendor documentation requirements, and human review processes.

Companies that spent 2025 building compliance programs for SB 205 now face a different set of obligations. The impact assessment apparatus they constructed - while no longer legally mandated - may remain a practical necessity for identifying ADMT risk. Law firms including Cooley and Wilson Sonsini have advised clients to maintain compliance readiness for the current SB 205 framework even as SB 189 works its way through implementation, given the compressed timeline between the new law's passage and its effective date.

The broader compliance context has grown more complicated, not simpler, over the past year. As Cooley noted in its April 2026 state AI law survey, even the EU AI Act - often cited as a global regulatory anchor - is being revisited, with the European Commission's November 2025 "Digital Omnibus" proposal likely to push key compliance deadlines from 2026 to 2027-2028.

The Federal Wildcard

Colorado's legislative pivot reflects pressure that is partly federal in origin. The Trump administration's AI executive order explicitly targeted SB 205. The DOJ's intervention in the constitutional lawsuit against the original law signaled that the administration is prepared to use litigation as a regulatory tool. Cooley attorneys advised clients in April to "monitor both congressional developments and near-term federal activity" given the administration's multiple pathways to reshape the state AI landscape.

A federal preemption bill - which the White House has urged Congress to enact - would displace Colorado's framework entirely. No such bill has passed. Until it does, or until the constitutional litigation reaches a decisive conclusion, Colorado's revised law stands as the operative framework for any company using automated decision-making technology to influence consequential decisions affecting Colorado residents.

What Colorado has demonstrated, in two years of legislative and legal turbulence, is that the demand for AI accountability is durable even when specific legislative vehicles are not. SB 205 did not survive intact. SB 189 is materially narrower. But the requirement that companies document what their AI systems do, disclose that use to affected consumers, and provide a path to human review - that core structure has survived every round of revision. Companies that treat the June 30 date as a reason to pause compliance planning until 2027 are likely underestimating how quickly the AG's rulemaking process will sharpen obligations that currently look manageable in outline.