Trust is the foundation of the relationship between an employer and its candidates or employees. As artificial intelligence plays a larger role in career-defining decisions, maintaining that trust requires a new level of transparency. Colorado's SB26-189 directly addresses this by granting individuals significant new rights, including the right to know when AI is being used and the right to a human review of an adverse automated decision. For forward-thinking companies, these rules are not just a legal burden. Fulfilling the Colorado SB26-189 deployer obligations and compliance duties is a direct path to demonstrating that your organization values fairness and transparency in the age of AI.
Key Takeaways
- Prepare for Decision-Level Scrutiny: Colorado's law moves away from system-wide audits and impact assessments, focusing instead on your duties at each individual decision — notice before use, a plain-language explanation when AI contributes to an adverse outcome, and human review on request.
- Build Processes for Transparency and Consumer Rights: You are now required to clearly disclose AI use to individuals before it happens and create a reliable system for handling their requests for data access, corrections, and human review of automated decisions.
- A Unified Compliance Strategy Is Essential: Meeting the law's demands requires a multi-faceted approach: inventorying all AI tools, creating defensible records retained for three years, and collaborating with vendors to ensure you have the information needed to explain and defend outcomes.
What Is Colorado SB26-189 and Why Does It Matter?
Colorado's new law on automated decision-making, Senate Bill 26-189, establishes significant new rules for how companies can use artificial intelligence in decisions that affect consumers, including job applicants and employees. Signed in May 2026, SB26-189 repeals and replaces Colorado's earlier AI Act (SB 24-205) and resets the compliance framework around transparency and individual recourse rather than system-level risk classification. For any business operating in Colorado or using AI to make decisions about its residents, this legislation introduces a new set of compliance duties that cannot be ignored.
Effective January 1, 2027, the law requires companies that use these tools, known as "deployers," to be transparent about their use of AI and to provide clear explanations when a system makes a decision that negatively impacts someone. This is part of a growing regulatory landscape in the United States, following similar efforts in New York City and California to govern the use of AI in employment. Understanding these obligations is the first step toward building a compliant and trustworthy AI strategy. The law focuses on protecting consumers by giving them new rights and holding companies accountable for the outcomes of their automated systems.
Who Must Comply with the Law?
The law outlines distinct responsibilities for both the "developers" who create AI systems and the "deployers" who use them. Deployers are companies that use Automated Decision-Making Technology (ADMT) to make or materially influence important decisions about consumers. If your organization uses AI-powered software to screen resumes, score candidate interviews, or manage employee performance, you are considered a deployer under this law. The primary compliance burden falls on you to ensure the technology is used fairly and transparently. This includes new responsibilities for enterprises to inform individuals when ADMT is in use and to explain adverse outcomes, shifting much of the accountability from the software vendor to your organization.
What Is Automated Decision-Making Technology (ADMT)?
The law defines Automated Decision-Making Technology, or ADMT, broadly. It refers to any system or technology that uses computer algorithms and an individual's personal data to make predictions, recommendations, or scores that materially influence consequential decisions. This definition covers a wide range of HR tools that are common today. Examples include applicant tracking systems that automatically filter candidates, video analysis software that assesses a person's fit for a role, and even internal mobility platforms that recommend employees for promotions. Because the definition is not limited to a specific type of technology, many businesses may be using ADMT without realizing it. Understanding the inner workings of these AI systems is now a critical part of compliance.
A New Focus on Individual Decisions, Not Just Systems
A key aspect of Colorado's law is its focus on the accountability of individual decisions, not just the fairness of the overall AI system. While other regulations, like New York City's Local Law 144, require an audit of the AI tool before it is used, SB26-189 takes a different path. It requires employers to be able to explain each specific decision made with the help of AI after it occurs. For example, if a candidate is rejected, you must be able to explain the role the ADMT played in that specific outcome. This shifts the compliance challenge from a one-time system check to an ongoing operational responsibility, requiring a new approach to managing this layer of discrimination risk at the individual level.
What Are the Core Obligations for Deployers?
For companies that use AI tools in their operations, known as "deployers," Colorado's new law establishes several key responsibilities. These obligations are designed to create a more transparent and accountable environment for individuals whose lives are affected by automated systems, particularly in high-stakes areas like employment and housing. Meeting these requirements involves more than a simple software update; it demands a thoughtful approach to process, documentation, and communication.
The law centers on ensuring that individuals understand when and how AI is being used and gives them recourse if a decision seems unfair. For deployers, this translates into four main areas of responsibility: providing clear disclosures, explaining adverse outcomes, maintaining detailed records, and understanding the legal liability for non-compliance. Each of these duties requires careful planning and implementation to manage risk and build trust. An effective strategy often involves a combination of internal process controls and collaboration with AI assurance partners to validate that systems are operating as intended. Fulfilling these obligations is not just about avoiding penalties, it is about demonstrating a commitment to fairness and ethical AI use.
Fulfilling Disclosure and Transparency Duties
Under SB26-189, transparency is not optional. The law requires that deployers provide clear and conspicuous notice to individuals when they are interacting with an automated decision-making technology (ADMT). This notice must be provided before the tool is used to influence the decision, giving the person an opportunity to understand that an algorithm will be involved in the process. For example, a job applicant must be told that an AI tool will be used to screen their resume or analyze their video interview. The goal is to eliminate ambiguity and ensure people are aware that a machine, not a human, is making or influencing a consequential decision. This upfront disclosure is a foundational step in building a compliant and trustworthy AI governance framework.
How to Explain Adverse Decisions
If an ADMT is used to make a decision that negatively affects someone, such as denying a job application or a promotion, the company has a duty to explain why. The law requires deployers to provide a clear, plain-language description of the ADMT's role in the outcome, delivered no later than 30 days after the adverse decision. The statement should detail the principal factors the ADMT used to arrive at its conclusion. According to the Colorado General Assembly, this requirement ensures that individuals are not left in the dark about the logic behind an automated judgment, giving them the information needed to identify potential errors or bias and to exercise their rights to access, correct, and seek human review.
Maintaining Records for Three Years
Compliance with SB26-189 requires a clear and consistent paper trail. Both developers and deployers of ADMT must keep records sufficient to demonstrate compliance for at least three years. These records serve as the primary evidence that the company has fulfilled its legal duties — providing required notices, explaining adverse decisions, and handling consumer requests for data access, correction, and human review. This documentation should demonstrate a consistent and good-faith effort to comply with the law. For deployers, this means maintaining logs of which ADMT systems were used, for what purpose, the notices and explanations provided, and how consumer rights requests were resolved. These records are essential for responding to an Attorney General inquiry or legal challenge and proving that your AI practices are defensible and fair.
Understanding Liability and Deceptive Trade Practices
Colorado's law gives its requirements significant weight by classifying any violation as a "deceptive trade practice." This legal designation is important because it connects non-compliance to established consumer protection laws, which are enforced exclusively by the state Attorney General — the law does not create a private right of action for individuals. It exposes a company to investigations, fines, and other legal repercussions. This provision elevates AI governance from an IT issue to a C-suite concern, as the financial and reputational risks of non-compliance are substantial. For enterprise organizations, this means that ensuring ADMT compliance is a critical part of overall risk management, on par with data privacy and cybersecurity. It underscores the need for a proactive and well-documented compliance strategy.
What New Rights Do Consumers Have?
Colorado's new AI law creates several enforceable rights for consumers, which in the context of employment, includes job candidates and current employees. These rights are designed to give individuals more transparency and control when automated systems influence their careers. For companies deploying these tools, understanding these rights is the first step toward building a compliant process for managing consumer requests and appeals. The law shifts power toward the individual, requiring businesses to be more open about how their technology makes decisions that affect people's livelihoods.
The Right to Access and Correct Personal Data
The law gives individuals significant control over how their information is used in automated systems. Under the new rules, a person who received an adverse outcome can request access to the specific personal data that an Automated Decision-Making Technology (ADMT) used to make a decision about them. If they find any of that information is incorrect, they also have the right to ask for corrections, consistent with the Colorado Privacy Act. This provision is fundamental, as it ensures that decisions are not based on outdated or inaccurate data. It gives people a direct way to maintain the integrity of their personal information within these complex systems, which is a cornerstone of fair decision-making.
The Right to Request Human Review
One of the most critical protections for consumers is the right to request meaningful human review and reconsideration of an adverse decision made by an ADMT, to the extent commercially reasonable. If an automated system results in a negative outcome, such as denying a job application or a promotion, the individual can ask for a person to step in and re-evaluate the decision. The law sets a real bar for this review: the reviewer must be trained for the role, have the authority to approve, modify, or override the outcome, consider relevant evidence, and not simply defer to the system's output. This acts as an essential safeguard against algorithmic errors or biases that an automated system might overlook.
How to Handle Consumer Requests and Appeals
When a consumer exercises these rights, the company deploying the ADMT has specific obligations. The law requires a response to a qualifying request within 30 days. This response cannot be a simple confirmation; it must include a clear explanation of the decision, details on the personal data the AI system used, instructions for accessing and correcting that data, and an opportunity for human review. This requirement for a detailed response reinforces the law's focus on transparency and accountability, forcing companies to be prepared to explain how their automated tools work and justify their results.
What Are the Biggest Compliance Challenges?
Navigating Colorado's SB26-189 presents several distinct hurdles for employers. The law introduces specific requirements that demand a proactive and detailed approach to compliance, moving beyond general principles of fairness to concrete, auditable actions. From identifying which technologies are in scope to managing a new level of individual accountability, organizations face a complex new landscape. Success depends on understanding these challenges and implementing robust processes to address them head-on.
Identifying Which AI Tools Qualify as ADMT
One of the first challenges is determining which of your HR tools fall under the law's definition of Automated Decision-Making Technology (ADMT). The law applies to technology that uses personal data to make or materially influence important decisions about people. This broad definition means you must carefully inventory every system used in hiring, performance management, and promotion. It's not always obvious which tools qualify, especially when AI is embedded within larger software suites. A thorough AI inventory is essential to map your risk and avoid overlooking a consequential system. Without a clear picture of your ADMT landscape, you cannot begin to build a compliant program.
Keeping Defensible Records Across HR Workflows
The law requires you to maintain compliance records for three years, proving you are following the rules. This documentation should capture which ADMT tools were used and the notices, explanations, and consumer-rights responses tied to them. For many HR teams, this is a significant operational lift. You need a system to preserve evidence of the disclosures you provided, the plain-language explanations you issued for adverse decisions, and how you handled data-access, correction, and human-review requests. Creating these defensible records is not a one-time task; it requires a continuous process that tracks how each ADMT is used across the hiring lifecycle. This ensures you have legal-grade evidence ready if your practices are ever questioned.
Aligning Accountability with AI Vendors
SB26-189 creates a system of shared responsibility between the companies that develop AI and the employers who deploy it. This means you cannot simply trust your vendor's claims of fairness; you must obtain specific information from them to meet your own compliance duties. Getting the necessary technical documentation, intended-use information, and explanation support from vendors can be difficult, as they may consider this information proprietary. Building a partnership with your vendors is key. You must establish clear expectations and contractual obligations to ensure they provide the access and information needed for your AI bias auditing and reporting.
Managing Discrimination Risk at the Individual Level
Perhaps the most significant shift introduced by SB26-189 is its focus on individual outcomes. Unlike laws that center on system-wide bias audits, the Colorado law requires employers to explain each individual decision made with AI assistance after the fact. This means if a candidate is rejected, you must be able to account for the role the ADMT played. This moves accountability from a periodic system check to a constant state of readiness. It requires a deep understanding of how your AI models influence every single consequential decision, making continuous monitoring and granular analysis essential.
Meeting the 60-Day Cure Period
If the Colorado Attorney General identifies a violation, the law currently requires the AG to give the developer or deployer 60 days' notice and an opportunity to cure before bringing an enforcement action — a safeguard available for actions initiated before January 1, 2030. Sixty days is a short window to diagnose a complex issue within an AI system, implement a fix, and document the change. A reactive approach will not work, and because the cure opportunity is time-limited, it should not be treated as a permanent backstop. Organizations that continuously monitor their systems and maintain a state of compliance are far better positioned to resolve concerns within the window — and to keep operating once the cure period sunsets, as noted in analysis of the law's enforcement structure.
How SB26-189 Compares to Other AI Laws
For companies operating in multiple states, understanding how Colorado's new law fits into the broader regulatory landscape is key. SB26-189 shares goals with other significant AI regulations but carves out its own unique requirements, particularly for the deployers of AI systems. Navigating this patchwork of rules requires a clear view of the similarities and differences between them. By comparing SB26-189 to laws in New York City, California, and the European Union, organizations can build a more resilient and adaptable compliance strategy that addresses legal obligations across the board.
SB26-189 vs. NYC Local Law 144
Colorado's law takes a much broader approach than New York City's Local Law 144. While both aim to prevent algorithmic discrimination, NYC's rule specifically targets automated employment decision tools (AEDTs) used in hiring and promotion. It requires employers to conduct annual bias audits and publicly disclose the results. In contrast, SB26-189 applies to any deployer that uses ADMT to materially influence a consequential decision about a consumer, a scope that extends well beyond employment into areas like housing, lending, education, and healthcare. The transparency duties also differ. Colorado requires deployers to give notice, explain adverse outcomes, and honor individual data and human-review rights, whereas NYC focuses on the disclosure of audit outcomes to candidates and employees.
Alignment with California and EU AI Regulations
SB26-189 shares common ground with other frameworks on consumer protection, even though it took a different structural path. Unlike the EU AI Act — and unlike Colorado's own repealed AI Act (SB 24-205) — SB26-189 does not classify systems into risk tiers or require impact assessments. It focuses instead on operational duties: notice, explanation, and human review at the point a consequential decision is made. Its consumer-rights core, such as the right to access and correct personal data, closely mirrors protections found in the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act. These overlapping principles suggest a growing consensus on transparency and individual recourse as core tenets of responsible AI governance, even where the regulatory mechanics differ.
Practical Steps for Multi-Jurisdictional Compliance
For companies facing a variety of AI laws, a unified strategy is essential. A practical first step is to maintain a current inventory and mapping of your automated systems to identify which fall under which regulations. Structured risk reviews align with guidance from the NIST AI Risk Management Framework and remain a foundational practice under the EU AI Act — though note that SB26-189, unlike its repealed predecessor, does not itself mandate impact assessments. It is also wise to establish standardized transparency protocols that can be adapted to meet the specific disclosure rules in each jurisdiction. Developing a central, defensible record-keeping system for all AI-driven decisions will help your organization respond efficiently to inquiries or consumer requests, regardless of where they originate.
How to Prepare for SB26-189 Compliance
With the law's effective date approaching, preparing for compliance requires a structured and proactive approach. Breaking down the requirements into manageable steps can help your organization build a defensible and transparent process for using Automated Decision-Making Technology (ADMT) in employment. The following actions provide a clear roadmap for HR leaders, technology vendors, and legal teams to align their practices with the new standards.
Conduct an AI Inventory
The first step is to understand where and how your organization uses AI. You should find out exactly where AI tools are used in your decisions about employees, such as hiring, performance reviews, or promotions. This inventory will help you identify which systems qualify as ADMT under the law and pinpoint potential compliance risks. A comprehensive review allows you to map your HR workflows to specific technologies, creating a foundation for your entire compliance strategy. This process is essential for understanding your risk exposure and prioritizing your efforts.
Establish Clear Disclosure Processes
Transparency is a cornerstone of SB26-189. It is essential for employers to clearly inform individuals before using an AI tool that will materially influence important decisions about them. This means creating clear, easy-to-understand notices that explain what the ADMT does and how it influences the outcome. These disclosures are not just a legal formality; they are key to maintaining trust with candidates and employees. An effective disclosure process demonstrates your commitment to fairness and gives individuals the information they need to understand how decisions are made.
Build a Consumer Rights Response Process
Under the new law, consumers have specific rights, and your organization must be ready to fulfill them. You need a reliable system for handling requests from individuals who want to access and correct the personal information an ADMT used about them. If an ADMT makes a decision that adversely affects a consumer, they can also request meaningful human review. Establishing a clear, documented process for receiving, verifying, and responding to these requests within the legal timeframes is critical for compliance and for showing that your organization respects consumer rights.
Implement Ongoing Monitoring and Documentation
Compliance is not a one-time event. Employers are required to maintain records for three years that demonstrate they are following the law. This includes documentation of which ADMT tools you used, the notices and adverse-decision explanations you provided, and how you resolved consumer requests for data access, correction, and human review. Continuous AI bias auditing and monitoring help ensure your systems remain fair and defensible over time, and give you the evidence to back up each explanation you owe an individual.
Engage AI Vendors to Close Accountability Gaps
SB26-189 establishes a framework for shared responsibility between the companies that develop AI and the employers that use it. Simply purchasing a tool that claims compliance is not enough; you must also use it correctly and obtain what you need to meet your own duties. Engaging with your AI vendors is crucial to ensure you have the technical documentation, intended-use information, and explanation support needed to meet your obligations. This collaboration helps close accountability gaps and ensures that both parties understand their roles in maintaining a fair and transparent process from development through deployment.
Consult Your Legal and Compliance Teams
The complexities of SB26-189 mean that legal and compliance expertise is indispensable. Employers cannot evade responsibility if they misuse AI tools or if their application leads to discriminatory outcomes. Your legal and compliance teams are vital partners in interpreting the law's requirements, assessing your organization's specific risks, and developing a defensible compliance strategy. Consulting with them ensures that your approach is not only practical but also legally sound, protecting your organization from potential penalties and litigation.
Related Articles
Colorado SB26-189 Deployer Obligations FAQs
Does this law apply to my company if we're not based in Colorado?
Yes, it very well could. The law applies to any company that uses automated decision-making technology to materially influence consequential decisions about Colorado residents. This means if you are recruiting for remote roles and a candidate from Colorado applies, or if you have employees residing in the state, your use of AI in hiring or performance management for those individuals likely falls under the law's jurisdiction, regardless of your company's physical location.
My AI vendor claims their tool is compliant. Is that enough for me?
No, relying solely on a vendor's claim is not sufficient under this law. SB26-189 places direct responsibility on you, the "deployer," to ensure the technology is used fairly and transparently. While your vendor must provide you with certain documentation, you are ultimately accountable for providing disclosures to individuals, explaining specific outcomes, and honoring consumer rights. You must be able to independently account for how the tool operates within your specific workflows.
What kind of explanation do I owe a candidate if they are rejected by our AI screening tool?
If a candidate is subject to an adverse decision, you must provide a clear, plain-language statement that details the principal factors the AI system used to reach its conclusion, no later than 30 days after the decision. This isn't a technical report; it should be in language that the average person can understand. You also need to inform them of their right to access and correct the personal data used in the decision and their right to request meaningful human review of the outcome.
How is this different from other AI laws, like the one in New York City?
The biggest difference is the focus on individual decisions. New York City's Local Law 144 requires an annual bias audit of the AI system as a whole. Colorado's law instead makes you accountable for each specific decision made with AI assistance after it happens — through notice, explanation, and human review. This shifts the compliance burden from a periodic, system-level check to an ongoing operational responsibility to account for individual outcomes, such as why one specific candidate was rejected. Notably, SB26-189 dropped the impact-assessment and risk-classification model that its repealed predecessor (SB 24-205) had contained.
The law takes effect in 2027. What should I be doing now to prepare?
The most important first step is to create an inventory of all the AI and automated systems you use in your HR processes. You cannot comply with the law if you do not know which of your tools qualify as ADMT. From there, you can begin developing the required internal processes for providing disclosures, handling consumer rights requests, and maintaining detailed records for three years. Waiting until the deadline will make it very difficult to build the robust, defensible compliance program this law requires.
.webp)


