Colorado passed the first comprehensive AI consumer protection law in the United States in 2024 — and it has since been substantially revised. The Colorado AI Act, originally enacted as SB 24-205 and signed by Governor Jared Polis on May 17, 2024, was replaced in May 2026 by a streamlined successor (SB 26-189) that takes full effect on January 1, 2027. Both versions share one central principle: when an AI system plays a meaningful role in a decision that affects your life, you have the right to know, to question, and to appeal.
What counts as a “consequential decision”?
The law targets automated decision-making in areas where a wrong outcome can significantly affect a person’s life. Covered domains include:
- Employment: hiring, firing, pay, and promotion decisions
- Housing: rental applications and mortgage approvals
- Financial services: loans, credit, and insurance
- Healthcare: treatment recommendations and coverage decisions
- Education: enrollment and scholarship decisions
- Government services: eligibility determinations for public programs
Only AI systems that play a material role in these decisions fall under the law — a calendar app or spell-checker does not. Under the 2026 revision, the covered technology is formally called “Covered Automated Decision-Making Technology” (ADMT): software that processes personal data to generate rankings, recommendations, or scores that materially influence one of these consequential decisions.
What rights does the law give you?
If a company uses Covered ADMT when making a consequential decision about you, the 2026 law entitles you to:
Advance notice. Before the system is used, the company must clearly notify you that an automated tool will play a material role in the decision.
An explanation if the outcome is negative. If you are denied a job, rejected for housing, refused a loan, or receive another adverse outcome, the company has 30 days to give you a plain-language explanation: what the system concluded, what role it played, and what personal data it relied on.
The ability to correct your data. You can request to see and correct the personal information the system used.
Human review. You can ask that a trained human — not an algorithm — review the decision. That reviewer must think independently and cannot simply defer to the system’s output.
What businesses must do
Companies that deploy Covered ADMT in Colorado (or targeting Colorado residents) must build compliance into their processes:
- Post clear pre-use notices wherever automated decision-making applies to consequential decisions
- Deliver adverse-outcome explanations within 30 days of a negative decision
- Train human reviewers to evaluate cases on their merits, not automatically approve what the AI decided
- Keep records — system version IDs, change logs, mitigation documentation — for at least three years
Developers who build ADMT systems must document known limitations, training data categories, and potential harms, and share that documentation with companies that deploy their tools.
Enforcement rests with the Colorado Attorney General; there is no private right of action, meaning individuals cannot sue companies directly under this law. Violations carry fines of up to $20,000 per violation under Colorado’s consumer protection statute. A 60-day cure period applies for first offenses (except for knowing or repeated violations).
How it compares to the EU AI Act
The Colorado law and the EU AI Act share a risk-based philosophy — both concentrate requirements on AI in high-stakes domains — but they differ substantially in scope and mechanism:
| | Colorado AI Act | EU AI Act |
|---|---|---|
| Type | Consumer protection statute | Product-safety regulation |
| Focus | Individual rights; notice and human review | Developer conformity assessments; CE marking |
| Enforcement | State Attorney General; max $20,000/violation | National regulators; fines up to 35M euros or 7% of global revenue |
| General-purpose AI | Not directly regulated | Explicitly covered, with extra rules for “systemic risk” models |
Where the EU Act functions like a product-safety certification regime — similar to CE marking for electronics — Colorado’s approach is closer to a privacy law: it grants individual rights, requires disclosure, and is enforced through consumer protection channels.
In the news
Colorado’s AI law reached a milestone in 2026 as its revised framework moved toward implementation, keeping the state at the forefront of US AI governance. See the full story: Colorado’s AI Consumer Protection Law Takes Effect, a First for the US.
FAQ
Does the Colorado AI Act apply to companies headquartered outside Colorado?
Yes. It covers any developer or deployer doing business in Colorado or whose Covered ADMT processes the personal data of Colorado residents — regardless of where the company is based.
Can I sue a company directly if my rights are violated?
No. The law is enforced exclusively by the Colorado Attorney General. There is no private right of action under this legislation.
Does this law cover chatbots like ChatGPT?
Only if they are used to make consequential decisions about you in a covered domain. A general-purpose chatbot governed by an acceptable use policy and not deployed for employment, housing, or similar decisions falls outside the law.
When does the 2026 revised law actually take effect?
SB 26-189 takes effect on January 1, 2027. The Colorado Attorney General is required to issue implementing rules by that date.
Sources: Colorado General Assembly — SB 24-205 | IAPP | Littler | Norton Rose Fulbright | Skadden | Troutman Privacy