Colorado’s Not Finished Regulating AI

Reenacted AI Law Expands Scope, Presents New Legal Risks, and Focuses on Outcomes

Regulation of artificial intelligence in the United States is following in privacy regulation’s footsteps: fragmented. Without a comprehensive federal statute preempting state laws, Colorado’s May 2026 reenactment of its landmark artificial intelligence law adds (again) to the patchwork of evolving state-level regulation.[1] Colorado’s amendment focuses on how artificial intelligence is used and how it affects individuals. In May 2024, Colorado enacted a first-in-the-nation law “requir[ing] a developer of a high-risk artificial intelligence system (high-risk system) to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system.”[2] The law defined “algorithmic discrimination” as

any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of this state or federal law.[3]

The original law was to become effective on February 1, 2026. But, in August 2025, the effective date was delayed until June 2026,[4] and Colorado’s governor convened an AI Policy Working Group to propose revisions to the law.[5] The AI Policy Working Group published its recommended revisions in March 2026,[6] which formed the basis for Colorado’s May 2026 reenactment and repeal of the law enacted in May 2024. (While the legislature was considering the AI Policy Working Group’s proposal, in April 2026 an artificial intelligence developer challenged the constitutionality of the original law, and the United States intervened to support the challenge. The United States, Colorado, and the artificial intelligence developer stipulated to temporarily stay enforcement of the original law, which was granted by the court.) Colorado’s reenacted artificial intelligence law focuses instead on adverse outcomes in consequential decisions made using artificial intelligence.[7] By January 1, 2027, organizations doing business in Colorado will need to understand how they use AI tools to make decisions and when those decisions can be consequential for, and adverse to, the individuals to whom the decisions relate. Governance and oversight are critical to success. 

Why This Matters: Compliance with the reenacted Colorado artificial intelligence law will require careful governance and oversight of artificial intelligence use. Organizations doing business in Colorado will need to carefully evaluate their use of artificial intelligence and establish governance structures to identify, disclose, and manage use cases where artificial intelligence is a “material influence” on “consequential outcomes.” With the reenactment, Colorado, like other states, continues to focus on artificial intelligence outcomes rather than the technology itself. Most state comprehensive privacy laws enacted to date, beginning with Virginia’s Consumer Data Protection Act in 2021 and including the existing Colorado Privacy Act, require providing to residents a right to object to profiling using their personal data in furtherance of decisions having a legal or similarly significant effect.[8] This concept is based on the European Union’s General Data Protection Regulation (GDPR) and has been extended in states such as Minnesota, through 2024’s Minnesota Consumer Data Privacy Act,[9] and the new regulations governing use of automated decision-making technologies issued in 2025 by CalPrivacy.[10] Colorado’s reenactment further refines those emerging regulations. Organizations across the United States should take note to begin the governance and oversight processes as these types of laws and regulations continue to be enacted across the country. 

Colorado’s reenacted law comprises five important components:

First, the reenacted law expands the artificial intelligence tooling that may be subject to its scope. 

The 2024 law sought to regulate “high-risk artificial intelligence systems,” defined as “any artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a consequential decision,” with enumerated exclusions.[11] (The meaning of “consequential decision” is addressed in the next paragraph.) In contrast, the 2026 law addresses “automated decision-making technology,” “a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.”[12] There are still exclusions, such as “anti-malware” and “anti-virus,” “calculators,” “databases,” “spell-checking,” “web hosting,” and any other technology “subject to an acceptable use policy that prohibits generated content to be used in a consequential decision.”[13] 

Organizations will need to examine a list of exclusions to determine which artificial intelligence solutions are subject to the law and which may not be.

Second, the 2026 law focuses on “adverse outcomes” of “consequential decisions” in six “covered domains.” 

  • The six covered domains are education, employment, housing, financial services, insurance, health care, and government services and public benefits.[14] Colorado removed “legal services,” which was included in the prior 2024 law, from the set of covered domains.[15]
  • The 2026 law offers more certainty about what is a “consequential decision.” The 2024 law (and state comprehensive privacy laws, including the Colorado Privacy Act) relied upon language drawn from Europe’s GDPR about “material legal or similarly significant effects.”[16] Because that language was drawn from the GDPR, organizations often need to look to European regulatory guidance for interpretation. In its place is a more defined concept accompanied by nine exceptions that organizations can consult to determine what is and is not a consequential decision:[17]

(i) A decision, determination, or action made about a consumer that relates to the provision of or a consumer’s access to, eligibility for, selection for, or compensation for a covered domain; or (ii) a decision, determination, or action about a consumer that relates to a differentiated price, cost sharing, compensation, or other material terms in a manner that is reasonably likely to materially limit, delay, effectively deny, or otherwise fundamentally alter the consumer’s access, eligibility, or opportunity for a covered domain. 

Importantly, the nine excluded areas include “low stakes or routine decisions, actions, and business processes,” such as “scheduling, classroom personalization, administrative routing, customer service triage, communication of decisions, and workflow management.”[18] Other excluded areas are artificial intelligence use cases for compliance and security purposes, such as “advertising, marketing, differentiated product recommendations, search, or content moderation,” “activities relating to technologies used for cybersecurity, spam- and robo-call filtering, system reliability, and anti–money laundering and counter-terrorist financing controls,” and “activities relating to technologies used for fraud prevention, including identity verification, consumer identification, monitoring, and reporting controls required under state or federal law.”[19]

  • Finally, through its definition of “adverse outcome,” the 2026 law moves from determining whether the artificial intelligence impacts the “provision or denial to any consumer” or “the cost or terms” to what reads like a simpler construct in theory: does the outcome “den[y], terminate[], revoke[], or materially reduce[] or restrict[]” access to a covered domain or “result[] in materially less favorable differentiated price, cost, compensation, or other material terms that are reasonably likely to materially limit, delay, or effectively deny, or otherwise fundamentally alter” access to a covered domain.[20]

In short, the 2026 law puts the onus on organizations to determine at a decision-by-decision level if an adverse outcome occurs for a given individual, with a focus on harm to the individual. An outcome that aids an individual is not adverse. In turn, that approach enhances alignment with existing consumer protection frameworks and may avoid exposing organizations to legal risk for positive-to-consumer outcomes from the use of artificial intelligence.

Third, the 2026 law expands the set of potentially affected decisions.

The 2026 law applies to any affected decisions that artificial intelligence “materially influence[s],”[21] an expansion from the original law’s “substantial factor” test.[22] “Materially influence” is defined as where “[a]n [artificial intelligence] output is a non–de minimis factor that is used in making a consequential decision” or “an [artificial intelligence] output affects the outcome of a consequential decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how a consequential decision is made.”[23] This approach is broader than other laws enacted to date: Consider California’s new artificial intelligence regulations, which apply only to artificial intelligence that “replace[s]” or “substantially replace[s] human decision[-]making,”[24] and the Colorado Privacy Act, which provides the right to object to “profiling in furtherance of decisions that produce legal or similarly significant effects.”[25] 

Effective governance programs able to identify situations in which the “materially influence” test is satisfied will be required. Those situations may change over time, as the Colorado attorney general is authorized, but not required, to adopt rules to clarify the meaning of “materially influence,” “including presumptions, illustrative examples, and objective identifiers.”[26]

In short, organizations may not be able to rely upon the presence of a human in the loop or as the final decision-maker to avoid making potentially consequential decisions subject to Colorado’s reenacted law.

Fourth, organizations doing business in Colorado may be subject to advance notice requirements.

Organizations that conduct business in Colorado and deploy artificial intelligence subject to the 2026 law will need to provide individuals with advance notice of their use of artificial intelligence, as well as post–adverse outcome notices.[27] The post–adverse outcome notice will need to inform an individual experiencing an adverse outcome how artificial intelligence was involved in the outcome, how the individual may correct inaccurate information that contributed to the outcome, and that the individual has a right to request meaningful human review and reconsideration.[28] These concepts are not new: For many years, the Fair Credit Reporting Act has required organizations to provide advance notice of using credit reports for employment decisions and a copy of credit reports and consumer rights when using credit reports for employment decisions that are adverse to the consumer,[29] and notices at or before the point of collection are common features of US federal and state privacy laws.[30]

The reenacted law expands the post–adverse outcome disclosure obligation to new domains, decisions, and subject matters. The adverse effect notice may differ depending upon the domain through which a decision is made. The Colorado attorney general is directed to, before the reenacted law takes effect, adopt rules “to clarify and implement the post–adverse outcome disclosure requirements,” including “sector-specific guidance or illustrative examples tailored to different covered domains” and “guidance addressing how the disclosure requirements described in [the reenacted law] interact with federal or state laws that require or govern notices, explanations, or adverse outcome disclosures.”[31] This means organizations will need to monitor Colorado law for guidance and, for organizations operating across covered domains (such as health care, financial services, and education), develop workflows to ensure the appropriate post–adverse outcome notice is provided to each individual depending upon the subject matter of a given adverse outcome.

Fifth, artificial intelligence developers will need to document their development process.[32] 

Developers need to determine an artificial intelligence tool’s intended use(s) and reasonably foreseeable harmful uses, describe the categories of data used to train the artificial intelligence, identify limits on the artificial intelligence and circumstances in which the artificial intelligence tool should not be used, and prepare instructions for the appropriate use, monitoring, and incorporation of human review in the use of the artificial intelligence tool.[33] To be sure, the obligation in the reenacted law is limited to developers doing business in Colorado (because it defines “developers” as “persons doing business in Colorado”).[34] But because artificial intelligence development occurs in an ecosystem with many contributors, and many artificial intelligence tools rely upon base and foundational models and other pre-trained or pre-tuned components, developers outside of Colorado may want to comply voluntarily with the reenacted law’s documentation obligations to allow their products and services to be deployed by organizations doing business in Colorado or integrated into Colorado developers’ own artificial intelligence solutions. Similarly, organizations doing business in Colorado that deploy artificial intelligence solutions are likely to request information that satisfies the reenacted law’s documentation obligations because that information will enhance the ability of those organizations to comply with their own documentation and notice obligations under the reenacted law.[35]

Conclusion

Colorado’s 2026 artificial intelligence law represents an evolutionary step in how US states seek to regulate artificial intelligence. Other states are likely to follow with their own refinements and rules. These variations exist in the patchwork of state data-breach notification laws in effect in every state and across the states that have adopted comprehensive privacy laws. 

In advance of the law’s January 1, 2027 effective date, organizations will need to build effective artificial intelligence governance policies and programs to identify decisions that are in-scope for the reenacted law and ensure documentation, disclosure, and rights management consistent with the reenacted law’s requirements. An effective program requires a thorough understanding of current and anticipated artificial intelligence use cases and organizational workflows and procedures, and organizations that have not yet laid the groundwork to gather this information should begin to do so today. Each organization’s governance policies and programs will need to fit within the context of the organization’s operations and missions, while maximizing the benefits of artificial intelligence in streamlining operations and enhancing productivity and results.

 


[1] S.B. 26-189.
[2] S.B. 24-205, Consumer Protections for Artificial Intelligence bill summary.
[3] S.B. 24-205, § 1 (inserting Colo. Rev. Stat. § 6-1-1701).
[4] S.B. 25B-004, §§ 1–3.
[5] Marianne Goodland, “Gov. Polis convenes new working group to address Colorado’s lingering AI law challenges,” Colorado Politics (Oct. 15, 2025).
[6] “Colorado Artificial Intelligence Policy Workgroup Delivers Unanimous Support for Revised Policy Framework” (Mar. 17, 2026).
[7] S.B. 26-189, Automated Decision-Making Technology bill summary.
[8] E.g., Va. Code § 59.1-577(a)(5); Colo. Rev. Stat. § 6-1-1306(1)(a)(C).
[9] See Minn. Stat. § 325M.14(g).
[10] See Cal. Code Regs. tit. 11, §§ 7200–7222.
[11] Colo. Rev. Stat. § 6-1-1701(9)(a) (as initially enacted in 2024).
[12] Colo. Rev. Stat. § 6-1-1701(2)(a) (as reenacted in 2026).
[13] Colo. Rev. Stat. § 6-1-1701(2)(b) (as reenacted in 2026).
[14] Colo. Rev. Stat. § 6-1-1701(6) (as reenacted in 2026).
[15] Compare Colo. Rev. Stat. § 6-1-1701(3) (as initially enacted in 2024), with Colo. Rev. Stat. § 6-1-1701(6) (as reenacted in 2026).
[16] E.g., Colo. Rev. Stat. § 6-1-1303(10); Colo. Rev. Stat. § 6-1-1701(3) (as initially enacted in 2024).
[17] Colo. Rev. Stat. § 6-1-1701(3)(a) (as reenacted in 2026).
[18] Colo. Rev. Stat. § 6-1-1701(3)(b)(i) (as reenacted in 2026).
[19] Colo. Rev. Stat. § 6-1-1701(3)(b)(ii), (vi), (viii) (as reenacted in 2026).
[20] Compare Colo. Rev. Stat. § 6-1-1701(3) (as originally enacted in 2024), with Colo. Rev. Stat. § 6-1-1701(1) (as reenacted in 2026).
[21] See, e.g., Colo. Rev. Stat. §§ 6-1-1701(5), 6-1-1702(3), 6-1-1704(1) & (3) (as reenacted in 2026).
[22] Colo. Rev. Stat. § 6-1-1701(9)(a) (as enacted in 2024).
[23] Colo. Rev. Stat. § 6-1-1701(13)(a) (as reenacted in 2026).
[24] Cal. Code Regs. tit. 11, § 7001(e).
[25] Colo. Rev. Stat. § 6-1-1306(1)(a)(i)(C).
[26] Colo. Rev. Stat. § 6-1-1706(5)(b) (as reenacted in 2026).
[27] Colo. Rev. Stat. § 6-1-1704(1) & (3) (as reenacted in 2026).
[28] Colo. Rev. Stat. §§ 6-1-1704(3), 6-1-1705 (as reenacted in 2026).
[29] 15 U.S.C. § 1681b(b)(2)–(3).
[30] E.g., 12 C.F.R. § 1016.4(a); 45 C.F.R. § 164.520(c); Cal. Code Regs. tit. 11, § 7010(b)–(c); Colo. Rev. Stat. § 6-1-1308(1)(a).
[31] Colo. Rev. Stat. § 6-1-1704(4)(b) (as reenacted in 2026).
[32] See Colo. Rev. Stat. § 6-1-1702 (as reenacted in 2026).
[33] See Colo. Rev. Stat. § 6-1-1702 (as reenacted in 2026).
[34] Colo. Rev. Stat. § 6-1-1701(8) (as reenacted in 2026). 
[35] See, e.g., Colo. Rev. Stat. §§ 6-1-1702(1)(e), 6-1-1704(3)(b) (as reenacted in 2026).

Authors

Matthew M.K. Stein

Special Counsel

Matthew MK Stein is a Special Counsel at Mintz who advises organizations and individuals on data privacy, data governance, and cybersecurity issues. He leverages experience in private practice and as in-house counsel at a global financial institution to litigate, lead investigations, and provide strategic guidance. He represents clients in various industries, including technology, artificial intelligence, financial services, blockchain, and the adtech and martech sectors.
Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice

Scott T. Lashway is a globally recognized privacy and cybersecurity disputes attorney who serves as Co-chair of Mintz’s Privacy & Cybersecurity Practice. He guides clients through high-stakes incident response and breach investigations, complex and bet-the-company litigation, government investigations, and enforcement actions and provides strategic counsel on privacy, cybersecurity, data governance, and AI issues. Scott primarily represents clients in the health care, financial services, technology, artificial intelligence, and media and adtech sectors.
Mara O'Malley

Of Counsel

Mara O’Malley, who is Of Counsel at Mintz, is a seasoned litigator and counselor whose practice encompasses representing clients in a wide range of disputes and advising on privacy and data security matters. She works with companies in various industries, including financial services, health care, technology, hospitality, and the adtech and martech sectors.
Tamar Pinto

Associate

Tamar Pinto is an Associate at Mintz who advises public and private companies on complex legal matters involving cybersecurity, privacy, and regulatory response.