Colorado’s Second Take on AI Regulation

Firm Publication

Key Takeaways

  • SB 189 replaces the Colorado AI Act with a narrower, business-friendly AI regulation that applies only when AI materially influences consequential decisions in areas like employment, lending, and healthcare.
  • Businesses that develop or deploy AI systems must implement transparency requirements, including pre-use notices, post-adverse outcome disclosures, and documentation on data, risks, and human oversight.
  • The law introduces consumer rights, including data correction and human review, and shared liability rules, requiring companies to reassess AI compliance programs, vendor contracts, and prepare for the January 1, 2027 effective date.

On May 14, Colorado Governor Jared Polis signed SB 189 into law, repealing the Colorado AI Act and replacing it with a narrower, more business-friendly regulatory framework governing the use of automated decision-making technology in consequential decisions. The new law takes a different approach to regulating artificial intelligence (AI) compared to the Colorado AI Act, which was enacted in May 2024.

Rather than broadly regulating all “high-risk” AI systems, SB 189 focuses specifically on systems that materially influence consequential decisions and affect consumers in defined domains by creating disclosure and notice obligations for developers and deployers, and providing consumers with rights if they experience adverse outcomes.

SB 189 will go into effect January 1, 2027.

Background of Colorado AI Act

The Colorado AI Act was notably the first comprehensive attempt to regulate AI at the state level, but had drawn criticism from the technology industry and Governor Polis himself for its broad scope and potential to stifle AI innovation. More recently, the Colorado AI Act was specifically identified in the Ensuring a National Policy Framework for Artificial Intelligence Executive Order as problematic due to its ban on “algorithmic discrimination,” likely further incentivizing the state to revise its approach to AI regulation.

Key Definitions and Scope of SB 189

  • Automated Decision-Making Technology (ADMT) is defined as technology that processes personal data and uses computation to generate outputs that are used to make decisions concerning an individual.
  • Covered ADMT means ADMTs that are used to “materially influence” a “consequential decision.” Materially influence requires that the ADMT output be a non-de minimis factor in the decision and affects the outcome by meaningfully altering how the decision is made.
  • Consequential Decision means a decision about a consumer that relates to the consumer’s access to, eligibility for, selection for, or compensation for a “covered domain.”
  • Covered Domains include education enrollment, employment, residential real estate, financial or lending services, insurance, healthcare services, and essential government services and public benefits.
  • Developers are persons doing business in Colorado that make a Covered ADMT commercially available.
  • Deployers are persons doing business in Colorado that deploy a Covered ADMT.

Developer Obligations Under SB 189

Developers of Covered ADMT systems have obligations under SB 189 to provide to Deployers the following information:

  • A general statement describing the intended uses and known harmful or inappropriate uses of the Covered ADMT.
  • A description of the categories of data, including personal data, used to train the Covered ADMT.
  • Known limitations, including known risks and circumstances in which the ADMT should not be used.
  • Instructions for appropriate use, monitoring, and meaningful human review.
  • Information reasonably necessary for the Deployer to comply with its own disclosure obligations.

Additionally, Developers must provide notice to Deployers of material updates, modifications, and changes to intended use, limitations, or risk mitigation within a reasonable time. Developers are required to retain records demonstrating compliance for at least three years.

Deployer Obligations Under SB 189

  • Pre-Decision Notice: Prior to using a Covered ADMT, the Deployer must provide clear and conspicuous notice to the consumer that ADMT will be used. This requirement may be satisfied by maintaining a prominent public notice reasonably accessible at points of consumer interaction.
  • Post-Adverse Outcome Disclosure: If a Deployer uses a Covered ADMT to materially influence a decision that results in an adverse outcome, the Deployer must provide, within 30 days: (1) a plain language description of the decision and the ADMT’s role; (2) instructions for requesting additional information about the ADMT and its inputs; and (3) an explanation of the Consumer’s rights and how to exercise them.

Consumer Rights Established by SB 189

SB 189 establishes consumer protections for individuals who experience adverse outcomes from consequential decisions materially influenced by a Covered ADMT. Consumers may request, and Deployers must provide:

  • Instructions for requesting and correcting factually incorrect or materially inaccurate personal data used in the decision.
  • An opportunity for meaningful human review and reconsideration of the consequential decision.

SB 189 Liability and Indemnification Provisions

SB 189 includes liability provisions that allocate responsibility between Developers and Deployers. A Developer or Deployer may be held liable for unlawful discrimination under Colorado’s anti-discrimination laws arising from a consequential decision materially influenced by a Covered ADMT, with fault allocated based on relative fault.

A Developer is liable only to the extent the Covered ADMT was used in a manner intended or contracted by the Developer. Developers are not liable for violations arising from a Deployer’s use that diverges from the intended or contracted purpose.

Additionally, SB 189 voids any contractual indemnification provision that purports to hold a party harmless from liability for its own acts or omissions in violation of Colorado anti-discrimination law when using ADMT in consequential decisions. However, this prohibition does not apply where the Developer’s ADMT was used in a manner not intended or contracted for by the Developer.

Enforcement Considerations Under SB 189

The Colorado Attorney General has exclusive enforcement authority over SB 189, and the law does not provide for a private right of action. Additionally, before taking enforcement action, the Attorney General must issue a notice of violation and provide a 60-day cure period, unless the Attorney General can demonstrate that the Developer or Deployer knowingly or repeatedly violated the law. This notice and cure period requirement sunsets as of January 1, 2030.

Exemptions for Certain Entities

SB 189 includes exemptions for insurers subject to existing requirements under Colorado Revised Statutes Section 10-3-1104.9, HIPAA-covered entities and their business associates, and medical devices and pharmaceutical research activities subject to FDA oversight. Additionally, creditors complying with the disclosure requirements of the Equal Credit Opportunity Act and Fair Credit Reporting Act satisfy the notice and disclosure obligations under SB 189.

Going Forward

While narrower in scope than the Colorado AI Act, SB 189 still imposes meaningful obligations on companies that develop or deploy ADMTs to be used in consequential decisions affecting Colorado consumers. Organizations that develop or deploy AI systems used in covered domains should review their documentation and disclosure practices to ensure compliance with the new obligations. Further, deployers of ADMT subject to SB 189 should ensure that their human review processes satisfy the requirements of SB 189 and are adequately documented. Companies should also review their contractual arrangements with AI vendors in light of the law’s indemnification restrictions.

Although SB 189’s primary obligations take effect January 1, 2027, several rulemaking provisions took effect upon passage on May 14, 2026. The Attorney General is directed to adopt rules by January 1, 2027, to clarify the post-adverse outcome disclosure requirements, which may include sector-specific guidance and standards for describing the ADMT’s role in a decision. Separately, the Attorney General must adopt rules to clarify the consumer rights provisions, including the correction and human review processes.

The Bass, Berry & Sims AI team is closely monitoring these developments. Please contact one of the authors if you have any questions regarding SB 189 or how it may impact your business.

Related Professionals
Related Services
Firm Publication

Key Takeaways

  • SB 189 replaces the Colorado AI Act with a narrower, business-friendly AI regulation that applies only when AI materially influences consequential decisions in areas like employment, lending, and healthcare.
  • Businesses that develop or deploy AI systems must implement transparency requirements, including pre-use notices, post-adverse outcome disclosures, and documentation on data, risks, and human oversight.
  • The law introduces consumer rights, including data correction and human review, and shared liability rules, requiring companies to reassess AI compliance programs, vendor contracts, and prepare for the January 1, 2027 effective date.

On May 14, Colorado Governor Jared Polis signed SB 189 into law, repealing the Colorado AI Act and replacing it with a narrower, more business-friendly regulatory framework governing the use of automated decision-making technology in consequential decisions. The new law takes a different approach to regulating artificial intelligence (AI) compared to the Colorado AI Act, which was enacted in May 2024.

Rather than broadly regulating all “high-risk” AI systems, SB 189 focuses specifically on systems that materially influence consequential decisions and affect consumers in defined domains by creating disclosure and notice obligations for developers and deployers, and providing consumers with rights if they experience adverse outcomes.

SB 189 will go into effect January 1, 2027.

Background of Colorado AI Act

The Colorado AI Act was notably the first comprehensive attempt to regulate AI at the state level, but had drawn criticism from the technology industry and Governor Polis himself for its broad scope and potential to stifle AI innovation. More recently, the Colorado AI Act was specifically identified in the Ensuring a National Policy Framework for Artificial Intelligence Executive Order as problematic due to its ban on “algorithmic discrimination,” likely further incentivizing the state to revise its approach to AI regulation.

Key Definitions and Scope of SB 189

  • Automated Decision-Making Technology (ADMT) is defined as technology that processes personal data and uses computation to generate outputs that are used to make decisions concerning an individual.
  • Covered ADMT means ADMTs that are used to “materially influence” a “consequential decision.” Materially influence requires that the ADMT output be a non-de minimis factor in the decision and affects the outcome by meaningfully altering how the decision is made.
  • Consequential Decision means a decision about a consumer that relates to the consumer’s access to, eligibility for, selection for, or compensation for a “covered domain.”
  • Covered Domains include education enrollment, employment, residential real estate, financial or lending services, insurance, healthcare services, and essential government services and public benefits.
  • Developers are persons doing business in Colorado that make a Covered ADMT commercially available.
  • Deployers are persons doing business in Colorado that deploy a Covered ADMT.

Developer Obligations Under SB 189

Developers of Covered ADMT systems have obligations under SB 189 to provide to Deployers the following information:

  • A general statement describing the intended uses and known harmful or inappropriate uses of the Covered ADMT.
  • A description of the categories of data, including personal data, used to train the Covered ADMT.
  • Known limitations, including known risks and circumstances in which the ADMT should not be used.
  • Instructions for appropriate use, monitoring, and meaningful human review.
  • Information reasonably necessary for the Deployer to comply with its own disclosure obligations.

Additionally, Developers must provide notice to Deployers of material updates, modifications, and changes to intended use, limitations, or risk mitigation within a reasonable time. Developers are required to retain records demonstrating compliance for at least three years.

Deployer Obligations Under SB 189

  • Pre-Decision Notice: Prior to using a Covered ADMT, the Deployer must provide clear and conspicuous notice to the consumer that ADMT will be used. This requirement may be satisfied by maintaining a prominent public notice reasonably accessible at points of consumer interaction.
  • Post-Adverse Outcome Disclosure: If a Deployer uses a Covered ADMT to materially influence a decision that results in an adverse outcome, the Deployer must provide, within 30 days: (1) a plain language description of the decision and the ADMT’s role; (2) instructions for requesting additional information about the ADMT and its inputs; and (3) an explanation of the Consumer’s rights and how to exercise them.

Consumer Rights Established by SB 189

SB 189 establishes consumer protections for individuals who experience adverse outcomes from consequential decisions materially influenced by a Covered ADMT. Consumers may request, and Deployers must provide:

  • Instructions for requesting and correcting factually incorrect or materially inaccurate personal data used in the decision.
  • An opportunity for meaningful human review and reconsideration of the consequential decision.

SB 189 Liability and Indemnification Provisions

SB 189 includes liability provisions that allocate responsibility between Developers and Deployers. A Developer or Deployer may be held liable for unlawful discrimination under Colorado’s anti-discrimination laws arising from a consequential decision materially influenced by a Covered ADMT, with fault allocated based on relative fault.

A Developer is liable only to the extent the Covered ADMT was used in a manner intended or contracted by the Developer. Developers are not liable for violations arising from a Deployer’s use that diverges from the intended or contracted purpose.

Additionally, SB 189 voids any contractual indemnification provision that purports to hold a party harmless from liability for its own acts or omissions in violation of Colorado anti-discrimination law when using ADMT in consequential decisions. However, this prohibition does not apply where the Developer’s ADMT was used in a manner not intended or contracted for by the Developer.

Enforcement Considerations Under SB 189

The Colorado Attorney General has exclusive enforcement authority over SB 189, and the law does not provide for a private right of action. Additionally, before taking enforcement action, the Attorney General must issue a notice of violation and provide a 60-day cure period, unless the Attorney General can demonstrate that the Developer or Deployer knowingly or repeatedly violated the law. This notice and cure period requirement sunsets as of January 1, 2030.

Exemptions for Certain Entities

SB 189 includes exemptions for insurers subject to existing requirements under Colorado Revised Statutes Section 10-3-1104.9, HIPAA-covered entities and their business associates, and medical devices and pharmaceutical research activities subject to FDA oversight. Additionally, creditors complying with the disclosure requirements of the Equal Credit Opportunity Act and Fair Credit Reporting Act satisfy the notice and disclosure obligations under SB 189.

Going Forward

While narrower in scope than the Colorado AI Act, SB 189 still imposes meaningful obligations on companies that develop or deploy ADMTs to be used in consequential decisions affecting Colorado consumers. Organizations that develop or deploy AI systems used in covered domains should review their documentation and disclosure practices to ensure compliance with the new obligations. Further, deployers of ADMT subject to SB 189 should ensure that their human review processes satisfy the requirements of SB 189 and are adequately documented. Companies should also review their contractual arrangements with AI vendors in light of the law’s indemnification restrictions.

Although SB 189’s primary obligations take effect January 1, 2027, several rulemaking provisions took effect upon passage on May 14, 2026. The Attorney General is directed to adopt rules by January 1, 2027, to clarify the post-adverse outcome disclosure requirements, which may include sector-specific guidance and standards for describing the ADMT’s role in a decision. Separately, the Attorney General must adopt rules to clarify the consumer rights provisions, including the correction and human review processes.

The Bass, Berry & Sims AI team is closely monitoring these developments. Please contact one of the authors if you have any questions regarding SB 189 or how it may impact your business.

In Case You Missed It: