Colorado repealed its original AI law and replaced it with SB 189. The newer, lighter-touch framework, signed into law by Governor Polis last week, moves away from previous obligations like risk assessment, discrimination, and annual reviews. The law is now more focused on a transparency-and-consumer-rights model built around automated decision-making technology (ADMT).
We discussed the proposed changes in the new draft in a previous blog. Now that SB 189 has been signed into law and is likely to take effect by January 1, 2027 (unless delayed by a pending legal challenge from xAI), the compliance window is tighter than it looks. Therefore, let’s understand the scope and compliance requirements of the law by asking the right questions.
Question 1: Which of My AI Systems Are Covered Under the New Law?
The new law has shifted focus within AI systems, redefining the scope of its application in different businesses. It specifically targets “covered ADMTs,” AI systems that can use personal data to generate outputs such as predictions, recommendations, classifications, or rankings.
- Automated decision-making technology (ADMT): The law applies to ADMTs that “materially influence” any outcome by constraining, ranking, scoring, recommending, or classifying.
- Consequential Decision: The consequential decisions in this context are described as decisions about a consumer’s access, eligibility, or compensation in one of seven domains:
  - Education
  - Employment
  - Real estate
  - Financial and lending services
  - Insurance
  - Healthcare
  - Essential government services or public benefits
- Consumer: In defining “consumers,” the law goes beyond Colorado residents and covers employees, job applicants, and any individual whose access to opportunities in Colorado is being evaluated, even by companies based outside the state.
- Exemptions: The law exempts certain HIPAA-covered entities, Colorado insurers, some FDA-regulated entities, creditors subject to federal lending laws, and schools. However, the exemptions still require compliance with the relevant obligations under the respective laws for those entities.
Question 2: Are We a Developer, a Deployer, or Both?
SB 189 places different obligations on developers and deployers, and the compliance track your company follows depends on which side of that line you sit on. Understanding their role will help companies determine what they have to do and who they must do it for.
- Developer companies: Companies that develop, offer, sell, lease, license, or otherwise make commercially available a covered ADMT or that intentionally and substantially modify an existing ADMT such that it becomes covered. The developers are required to provide deployers with the information they need to comply with their own obligations, including:
  - A general statement of intended uses and known harmful or inappropriate uses
  - A description of data categories used to train the system (to the extent known)
  - Known limitations and circumstances in which the ADMT should not be used
  - Instructions for appropriate use, monitoring, and meaningful human review
  - Any material updates, modifications, or changes to the intended use or risk profile provided within a reasonable time
- Deployer companies: Companies that use a covered ADMT in practice. They carry the heavier compliance burden:
  - Pre-Use Notice: Before using ADMT to influence a consequential decision, deployers must provide consumers with a clear and conspicuous notice that ADMT will be used and how to get more information. This can be satisfied through a prominent public notice at relevant points of consumer interaction.
  - Adverse Outcome Notice: If the ADMT contributes to a decision that negatively impacts a consumer, denying, terminating, or materially reducing their access or eligibility, the deployer has 30 days to notify the consumer with a plain-language explanation of the decision, the ADMT’s role, and the consumer’s rights.
- Both developers and deployers must retain documentation demonstrating compliance, including ADMT version identifiers, changelogs, and records of material updates, for a minimum of three years.
Question 3: What Happens When Something Goes Wrong?
Beyond the upfront disclosure requirements, companies also need to account for the operational weight of the post-adverse-outcome framework. Understanding what triggers these obligations and what they require will help companies plan their compliance:
- Adverse outcome: The law defines adverse outcome as a decision that denies, terminates, revokes, or materially reduces a consumer’s access, eligibility, or compensation or that results in materially less favorable pricing or terms compared to similarly situated consumers.
- Consumer rights: These rights kick in when a consequential decision materially influenced by ADMT results in an adverse outcome. At that point, the affected consumer may request:
  - Access and correction: Access to their personal data used in the decision, and the ability to correct factually or materially inaccurate information
  - Meaningful human review: Reconsideration of the decision by a designated human reviewer, someone with actual authority to approve, modify, or override the decision, who considers relevant evidence, does not default to the system’s output, and is trained for the role
Since there is no private right of action under SB 189, consumers cannot sue companies directly. Enforcement runs exclusively through the Colorado Attorney General, who can bring actions under the Colorado Consumer Protection Act and treat violations as deceptive trade practices. Before filing an action, the AG must provide a 60-day notice and opportunity to cure, except for knowing or repeated violations.
Preparing for SB 189
Lighter doesn’t mean inconsequential. The most important thing companies can do right now is take stock by identifying every AI or ADMT tool currently in use and determining which vendor relationships need to be revisited. Consumer notice templates, human review workflows, and three-year recordkeeping practices all need to be in place before the law takes effect. The AG’s forthcoming rulemaking, particularly around “materially influence,” will be critical to watch. Businesses should start building their compliance infrastructure now, before the rules arrive.