When an AI hiring tool produces a biased outcome, who is held accountable? Colorado’s new law, SB 26-189, provides a direct answer: responsibility is shared. The legislation creates a new framework of dual accountability, placing distinct obligations on both the developers who build AI systems and the employers who use them. This marks a significant change from the state’s previous approach. Examining the differences in Colorado SB 26-189 vs SB 24-205 reveals a clear shift toward shared liability, requiring new levels of documentation and collaboration between technology vendors and their enterprise clients to ensure fairness throughout the AI lifecycle.
Key Takeaways
- The Law Establishes Shared Responsibility: Colorado's framework creates a chain of accountability. Technology developers must provide clear documentation on their systems, while employers are responsible for assessing risk, notifying applicants, and managing appeals.
- New Consumer Rights Require Operational Changes: Individuals now have the right to access their data, request corrections, and appeal automated decisions to a person. This means businesses must create clear, accessible processes to handle these requests and explain adverse outcomes within 30 days.
- A Unified Compliance Strategy is Becoming Necessary: Although enforcement is paused, the law's principles align with a global trend toward AI regulation. This highlights the need for a comprehensive governance program that includes maintaining an inventory of AI tools, ensuring human oversight, and preparing for similar rules in other jurisdictions.
A Look Back at Colorado's Original AI Law
Before the latest legislative updates, Colorado had already established itself as a leader in AI governance with its landmark bill, SB 24-205, known as the Consumer Protections for Artificial Intelligence Act. This initial law was one of the first comprehensive attempts by a U.S. state to regulate the development and use of artificial intelligence. It laid a foundational framework that aimed to protect consumers from unfair outcomes driven by automated systems, particularly in critical life decisions. The law introduced new responsibilities for both the creators and the users of AI, setting a precedent for how businesses should approach AI risk management and transparency. Understanding this original framework is key to grasping the significance of the changes that followed.
The Initial Focus on High-Risk AI
The original Colorado AI law centered its rules on what it defined as "high-risk AI systems." These were not just any automated tools; they were specifically AI systems that either made or were a substantial factor in "consequential decisions." These decisions included matters with a material impact on a person's life, such as employment opportunities, housing, financial credit, and other essential services. The primary goal was to address the potential for algorithmic discrimination, where an AI system might produce biased or unfair outcomes for certain groups of people. By concentrating on these high-stakes applications, the law sought to place guardrails where they were needed most, ensuring that life-altering decisions were not made without oversight.
Original Duties for Developers and Deployers
SB 24-205 placed distinct obligations on both the developers who create high-risk AI and the deployers who use it. Both parties were required to conduct regular impact assessments to identify and mitigate potential risks of algorithmic discrimination. These assessments were mandated before the system was first used, on an annual basis, and after any significant modifications. Developers were also tasked with providing deployers with detailed documentation, including explanations of the AI's design and the data used to train it. This created a chain of responsibility, ensuring that companies using AI had the information needed to understand and manage the tools they were implementing in their hiring and other business processes.
Gaps in the First Framework for Businesses
While the original law was a significant step forward, its tight focus on "high-risk" systems created potential gaps. The definition of a "consequential decision" was specific, which meant that many other automated tools used in business operations fell outside the law's scope. For HR teams, this could mean that an AI tool used for initial resume screening might not have been classified as high-risk if it didn't make the final hiring decision, even if it significantly influenced the candidate pool. This left room for bias to enter the process at earlier stages. The framework was a comprehensive starting point for AI assurance, but it highlighted the need for broader definitions to cover the full spectrum of automated decision-making.
What Changed with the New Law, SB 26-189?
Colorado's approach to artificial intelligence regulation took a significant turn with the passage of SB 26-189. This new law replaces the state's original, broader AI legislation (SB 24-205), introducing a more focused framework that businesses, especially those in HR, must understand. The changes refine everything from the definition of the technology being regulated to who holds responsibility for its impact. For companies that develop or use automated tools in hiring and employment, these updates carry important implications for compliance, risk management, and daily operations.
A New Definition: Automated Decision-Making Technology (ADMT)
The new law narrows its focus from the broad concept of "AI" to a more specific term: Automated Decision-Making Technology, or ADMT. The Colorado General Assembly defines ADMT as any system that uses technology to make, or be a substantial factor in making, consequential decisions. For HR professionals, this is a critical distinction. It means the law applies directly to the software you use for hiring, performance evaluations, and promotions. By defining the technology this way, the legislation targets the specific applications of AI that have a tangible impact on people's livelihoods, moving beyond theoretical discussions to address practical, real-world use cases in the workplace.
What Stayed and What Was Scrapped from the Original Bill
While SB 26-189 replaces the earlier SB 24-205, it does not start from scratch. The fundamental goal of preventing algorithmic discrimination remains firmly in place. However, the new law is a complete rewrite, designed to be more practical and targeted after the original bill faced concerns about its broad scope and potential for delays. The updated legislation scraps the vague, all-encompassing approach of its predecessor. Instead, it provides clearer duties for both the companies that build ADMT and the organizations that use it. This revision offers a more direct path for businesses aiming to achieve compliance and responsible AI governance.
Who Falls Under the New Law's Expanded Scope
One of the most significant changes in SB 26-189 is its expanded reach. The original bill included several exemptions for businesses that were already subject to federal regulations, such as those in finance or healthcare. The new law removes many of these exceptions. This means more companies will now fall under its jurisdiction, even if they already comply with other data privacy and protection laws. If your organization uses automated systems for employment decisions, it is essential to re-evaluate whether this law now applies to you. The broader scope ensures that protections against algorithmic bias are applied more consistently across different industries operating within Colorado.
A Shift in Responsibility for Developers and Deployers
SB 26-189 introduces a system of shared responsibility between the developers who create ADMT and the deployers (employers) who use it. This is a pivotal shift from earlier legislative models. Developers are now required to provide extensive documentation to deployers, explaining how their tool works and its potential for bias. Deployers, in turn, are responsible for conducting impact assessments, notifying individuals when ADMT is used, and providing a way to appeal decisions. This dual-accountability framework ensures that responsibility for fairness is shared throughout the AI lifecycle, encouraging closer collaboration between HR tech vendors and the enterprises they serve.
How SB 26-189 Bolsters Consumer Rights
The most significant changes introduced by SB 26-189 center on creating new, enforceable rights for consumers. For businesses in the HR space, "consumers" often refers to job applicants and employees whose careers can be shaped by automated tools. The law establishes a new standard of transparency and accountability, moving beyond general principles and into specific, actionable requirements. If your organization uses automated systems for hiring, promotion, or other employment decisions, these new rights will directly impact your operational workflows and legal obligations.
Under this framework, individuals are no longer passive subjects of algorithmic decision-making. They are given clear avenues to understand, question, and challenge automated outcomes. The law grants them the power to look behind the curtain, demand explanations, and insist on human intervention when a decision feels wrong. This shift requires deployers of Automated Decision-Making Technology (ADMT) to build processes that are not only fair in their design but also transparent and defensible in their application. Preparing for these consumer rights is a critical step in achieving AI compliance and building trust with the people your technology affects.
New Rights to Access, Correct, and Appeal Decisions
The law empowers individuals with the right to know what personal data an ADMT used to make a consequential decision about them. If a candidate is rejected or an employee is denied a promotion by an automated system, they can request access to the specific information that fed into that outcome. Furthermore, if they find that information is inaccurate, they have the right to request a correction. This provision means businesses must maintain meticulous records of the data used by their AI tools for each decision. It also necessitates a clear and accessible process for individuals to submit these requests and for your team to respond to them promptly.
The 30-Day Mandate to Explain Adverse Decisions
When an ADMT is involved in a consequential decision that negatively affects a consumer, the deployer must provide a clear explanation within 30 days of the consumer's request. The law specifies this explanation must be in "simple words," meaning a highly technical or jargon-filled response will not suffice. Your company must be prepared to explain the principal reasons for the decision, the type and sources of data used, and the role the automated system played in the outcome. This requirement forces organizations to move beyond simply using AI and toward truly understanding and being able to articulate how it works in practice.
The Requirement for Human Review
Perhaps one of the most critical new rights is the ability to appeal an automated decision to a real person. If an individual believes an ADMT-driven outcome is incorrect or unfair, they can request a human review. The law requires that this review is conducted by someone with the authority and competence to potentially overturn the automated decision. This safeguard ensures that technology does not have the final say in matters of significant human impact. For employers, this means establishing a formal human oversight process and training staff to conduct meaningful reviews that are not just a rubber stamp of the AI's initial conclusion.
Comparing Consumer Protections: Old vs. New
Compared to its predecessor, SB 26-189 offers far more robust protections. The original bill, SB 24-205, had a narrower focus and included exemptions for certain businesses already subject to federal regulations. The new law significantly expands its reach by applying to any deployer of ADMT in Colorado making consequential decisions. By removing previous exceptions, the updated legislation ensures a more uniform standard of consumer protection across industries. This broader scope means many organizations that were not covered by the first bill must now comply with these new rules, which are designed to give individuals greater control and insight into how their data is used.
How to Prepare for SB 26-189 Compliance
With the law set to take effect, businesses that develop or use automated tools in Colorado should begin their compliance preparations. The act assigns clear responsibilities to both developers and deployers of Automated Decision-Making Technology (ADMT), especially for systems deemed high-risk. Taking proactive steps now can ensure a smooth transition and demonstrate a commitment to fair and transparent practices. Here are the key actions to prioritize.
Create an Inventory of Your AI and Automated Tools
The first step is to identify which of your systems fall under the new law. Conduct a thorough review of all automated tools used in your employment processes, from sourcing and screening candidates to performance management and termination. This inventory should document each system's purpose, how it works, and the data it uses. This process is essential for determining which tools are ADMT that materially influence consequential decisions — the systems that trigger the law's duties around consumer notice, human review, and recordkeeping. A centralized platform can help you manage this inventory and track compliance tasks for each system, creating a single source of truth for your AI governance program.
Keep Your Documentation Current
SB 26-189 doesn't require the formal impact assessments its predecessor did — that mandate, the duty of care, and the risk-management program were all repealed. What remains is documentation. Developers must give deployers technical documentation describing the tool's intended uses, training-data categories, known limitations, and human-review instructions. Deployers must keep the records needed to demonstrate compliance: the notices and adverse-decision explanations you issue, your appeal and human-review records, and version documentation from your vendors.
Even though the law no longer mandates one, a regular AI bias audit remains a smart, defensible practice. SB 26-189 expressly leaves discrimination claims under other state and federal laws intact, so an audit that evaluates your ADMT for fairness gives you the evidence to rebut those claims, satisfy regulators, and make effective use of the law's 60-day cure period. It's no longer a statutory checkbox — but it's still your strongest proof of due diligence.
Fulfill Transparency and Consumer Notification Duties
Transparency is a cornerstone of the new law. Deployers must clearly notify consumers when an ADMT is used to make a consequential decision about them. If that decision is adverse, you are required to provide an explanation of the system's role within 30 days. This notice must include the type of data processed and the principal reasons for the outcome. You must also inform the consumer of their right to correct data inaccuracies and appeal the decision. Meeting these requirements helps build trust and is a key component of achieving a standard like Warden Assured, which signals your commitment to responsible AI.
Understand the 60-Day Cure Period and Penalties
The Colorado Attorney General has the exclusive authority to enforce SB 26-189. While the law does not create a private right of action, it does not protect companies from discrimination lawsuits filed under other existing statutes. Before initiating an enforcement action, the Attorney General must provide a notice of violation. A company then has 60 days to "cure" or fix the issue. This cure period is a critical window to address compliance gaps, but it is not a substitute for proactive governance. It is important to note that this provision is set to expire on January 1, 2028, after which penalties may be applied without a cure period.
Maintain Records for Three Years
Both developers and deployers must keep the records needed to demonstrate compliance with the law. For developers, that's the technical documentation they provide to deployers — intended uses, training-data categories, known limitations, and human-review instructions. For deployers, it's the records tied to each consequential decision: the notices and adverse-decision explanations you issue, your appeal and human-review records, and the ADMT version identifiers and change logs from your vendors. These records must be kept for at least three years — for deployers, measured from the date of the consequential decision. They're your primary evidence for responding to Attorney General inquiries and proving your organization met its obligations. This is a key function for any enterprise looking to operationalize AI compliance at scale.
What Are the Consequences of Non-Compliance?
Failing to adhere to the requirements of SB 26-189 introduces significant business risks that extend beyond financial penalties. The law establishes a clear framework for accountability, and understanding the potential consequences is the first step toward building a resilient compliance strategy. These consequences involve direct legal action, shared liability between technology creators and users, and long-term damage to a company's reputation and operational stability.
Enforcement Actions from the Attorney General
The Colorado Attorney General is tasked with ensuring businesses follow the new law. According to the bill's text, any violation is treated as a deceptive business practice under the Colorado Consumer Protection Act. This gives the state's top law enforcement office clear authority to investigate and penalize non-compliant companies. Before fines are issued, however, the law provides a 60-day period for a company to "cure" or fix the violation after being notified. This window offers a chance to correct course, but it depends on having the processes in place to respond quickly.
Employer Liability for Discriminatory AI
The law makes it clear that employers cannot shift responsibility for discriminatory outcomes. If an automated employment tool leads to bias, the employer using it is held liable. The bill explicitly states that any contract attempting to shield a developer or employer from responsibility for their own discriminatory actions is not valid. This provision underscores a core principle of the law: accountability is shared. Both the companies that develop AI tools and the employers who deploy them must ensure their systems are fair and equitable, as liability cannot be signed away.
Reputational and Operational Risks Beyond Fines
Beyond legal penalties, non-compliance can inflict serious reputational and operational harm. The law creates a system that shares responsibility between the companies that make AI tools and the employers who use them, increasing public and regulatory scrutiny on both. An enforcement action or news of a biased hiring tool can erode trust with candidates, customers, and partners, making it harder to attract top talent and retain business. For enterprises using AI, a violation could also trigger internal reviews and operational freezes, disrupting core HR functions and stalling innovation.
Where Does the Colorado AI Act Stand Now?
The Colorado AI Act has been a significant topic for any business using automated systems, especially in HR. While the state has passed a new version of the law, SB 26-189, its immediate future is not as straightforward as its text might suggest. A legal challenge has introduced uncertainty, and businesses are now watching closely to see how events unfold. Understanding the current status is critical for planning your compliance and risk management strategies, as the law’s framework provides a clear signal of what regulators expect from companies using AI.
The xAI Lawsuit and the Enforcement Pause
Although SB 26-189 is on the books, its enforcement is currently on hold. In April 2026, xAI — Elon Musk's AI company — sued in federal court to block Colorado's AI law on constitutional grounds, and a court order paused enforcement of both the original act and SB 26-189. The U.S. Department of Justice then moved to intervene on xAI's side — the first time the federal government has sought to strike down a state AI law, and part of a broader federal effort to preempt state AI regulation. Under the order, the state can't enforce the law until shortly after the court rules on xAI's forthcoming preliminary-injunction motion — a timeline that runs from the completion of rulemaking, not one that ends when rulemaking is done. This gives businesses breathing room, but it doesn't remove the need to prepare: the law's principles of fairness and transparency in automated decision-making remain the most likely template for whatever emerges, and employers stay exposed to discrimination claims under other laws in the meantime.
Key Dates for HR and Tech Businesses
SB 26-189 was signed on May 14, 2026, repealing and replacing the state's earlier, broader AI law, SB 24-205. Its substantive obligations take effect January 1, 2027 — though the court-ordered enforcement pause from the xAI litigation clouds that timeline. One detail employers should note: the act creates no private right of action and is enforced exclusively by the Colorado Attorney General, so individuals cannot sue companies directly under it. That is not a complete shield, however. Companies can still face discrimination claims under other state and federal laws if their AI systems produce biased outcomes — which is what makes proactive AI bias auditing a sensible step for managing legal risk.
How Colorado's Law Fits in the National Context
Colorado's approach is more than a simple disclosure requirement. It establishes a comprehensive framework for how companies must manage AI, from risk assessments and fairness evaluations to corporate accountability. This law is part of a growing trend across the United States and globally, where governments are moving to regulate the use of AI in high-stakes areas like employment. Similar to regulations in New York City and the European Union, the Colorado AI Act signals a shift toward requiring demonstrable proof of fairness. This makes it essential for businesses to adopt a unified compliance strategy that can adapt to various legal standards and operationalize AI governance across their entire technology stack.
Your Next Steps for AI Compliance
As AI regulations become more defined, businesses can take concrete steps to prepare. The core principles of Colorado’s law, such as transparency, documentation, and fairness, offer a clear roadmap for building a responsible AI governance program. Focusing on these foundational areas will not only prepare your organization for SB 26-189 but also create a framework that can adapt to future laws in other jurisdictions. By taking a proactive stance, you can build trust with customers and demonstrate a commitment to the ethical use of automated systems. The following actions provide a practical starting point for developers and deployers of AI in the HR space.
Establish an AI Inventory and Documentation Process
Your first step is to identify every automated system your organization uses for consequential decisions. Businesses should begin by figuring out which of their tools are covered by the new law. This inventory should include details on what each tool does, the data it uses, and where it is deployed in your workflow. Colorado’s law requires developers to maintain records for at least three years to show they are following the rules. This documentation is not a one-time task; it requires an ongoing process to keep records current as models are updated. An AI assurance platform can help manage this by creating a centralized system for tracking your tools and their compliance status.
Implement Human Oversight for Automated Decisions
The law gives consumers the right to request a real person to review an adverse automated decision. For HR, this means having a clear and accessible process for a candidate or employee to appeal a decision made by an AI tool. This creates a system of shared responsibility between the companies that create AI and the employers who use it. Deployers must ensure they have the internal capacity and procedures to conduct these reviews effectively. Establishing this human-in-the-loop system is critical for both compliance and for building trust with the people impacted by your technology. This is especially important for staffing and recruitment firms that rely heavily on automated tools for screening.
Unify Compliance Efforts Across State and Global Laws
Colorado’s law is part of a larger global movement toward AI regulation. Rather than addressing each law separately, a more effective approach is to build a unified compliance strategy. This involves creating a comprehensive risk management program that aligns with the principles of fairness, accountability, and transparency found in laws like NYC’s Local Law 144 and the EU AI Act. Remember that employers must still follow existing state and federal laws against discrimination. A holistic approach ensures your AI systems are not only compliant with specific statutes but are also fundamentally fair and defensible. Adopting a recognized standard, like Warden Assured, can provide a consistent trust layer across all your AI systems.
Colorado SB 26-189 vs SB 24-205: Employer FAQs
What is the key difference between Colorado's old and new AI laws?
The biggest change is what the law requires, not just what it covers. The original SB 24-205 regulated "high-risk AI systems" and made developers and deployers exercise a duty of care, run annual impact assessments, and maintain a risk-management program. SB 26-189 removes those obligations and refocuses on "Automated Decision-Making Technology" (ADMT) — tools that make or materially influence consequential decisions like hiring or promotions — with lighter, more operational duties around notice, explanation, and human review. It's more practical for HR teams, but note it also broadened who's covered by dropping several exemptions the original law had granted.
My company uses AI for hiring but isn't located in Colorado. Does this law still affect me?
It very well could. The law applies based on who is affected, not where your company sits — it covers consequential decisions made about Colorado residents. If you hire for remote roles and have applicants in Colorado, or employees living there who are subject to automated performance reviews, its requirements likely reach you regardless of your headquarters. One thing to check: the law may exempt the smallest employers, so confirm whether your headcount falls below the statutory threshold before assuming you're covered. As a rule, though, your physical location matters less than the location of the people your automated systems evaluate.
What does the "human review" requirement mean for my daily operations?
This requirement means you must create a formal process for a person to appeal a decision made by an automated tool. This is not just a quick check; the review must be conducted by someone who has the training and authority to actually overturn the automated outcome. For HR teams, this means designating and preparing specific staff members to handle these appeals thoughtfully and document the entire process.
Since enforcement is paused, what is the risk of not preparing for this law right now?
While the legal challenge provides a temporary pause, ignoring the law is a risky strategy. The core principles of fairness, transparency, and accountability in SB 26-189 are consistent with a growing number of regulations worldwide. Preparing now helps you build a responsible AI framework that mitigates discrimination risks under existing laws. Think of it as getting your house in order before the final rules are enforced, which will put you in a much stronger position.
What is the most practical first step my company can take to prepare for compliance?
The best place to start is by creating a detailed inventory of all the automated systems you use for employment decisions. You need to know what tools you have, what they do, what data they use, and how they influence outcomes. This inventory is the foundation for any compliance effort because you cannot manage the risks of systems you are not aware of. This simple audit is the first step toward building a comprehensive AI governance program.



