The Colorado AI Act goes into effect today: first statewide AI law in the United States, rewritten at the last minute
🔎 From European clone to surgically targeted text
June 30, 2026, marks a turning point in American AI regulation. The Colorado AI Act (CAIA) officially becomes the first statewide AI law to go into effect in the United States. Except that between the text voted on in May 2024 and the one being applied today, something unprecedented happened: the legislature completely rewrote its own law.
The initial bill, modeled on the European AI Act, targeted "high-risk AI systems" in employment, housing, and healthcare. Faced with a backlash from businesses and pressure from the industry, the Colorado AI Policy Working Group proposed a complete replacement. The result: a much narrower law, focused on automated decision-making technologies (ADMT) in "consequential decisions." A true strategic pivot.
Why this turnaround? Because the European model, designed for a market of 450 million consumers with a century-old regulatory culture, does not translate well to an American state of 5.8 million inhabitants. Colorado learned this the hard way, and the entire American tech industry should take heed.
The essentials
- The original Colorado AI Act (SB 24-205) was fundamentally replaced by SB 26-189 in May 2026, radically changing the scope of the law.
- The new text no longer regulates "high-risk AI systems" but automated decision-making technologies (ADMT) used in consequential decisions.
- The heaviest obligations have been removed: public disclosure on websites, deployment notifications, annual impact assessments.
- Retained obligations: pre-use notice to consumers, response within 30 days to requests regarding adverse outcomes, targeted obligations for developers and deployers.
- The law comes into effect on June 30, 2026 for the base text, with full effective application on January 1, 2027 according to Seyfarth.
- This is the first statewide test in the United States — all other US AI laws remain at the municipal or sectoral level, in a context where the Great American AI Act : le projet de loi de 269 pages qui pourrait figer la régulation IA aux États-Unis pendant 3 ans is struggling to advance at the federal level.
Recommended tools
| Tool | Main use | Price (June 2026, check on site) | Ideal for |
|---|---|---|---|
| VerifyWise | CAIA / ADMT compliance | Quote-based | Companies needing to demonstrate compliance with SB 26-189 |
| TrustArc | Private AI obligations management | Quote-based | Organizations with existing compliance programs |
| Hostinger | Compliant website hosting | Starting at $2.99/month | SMBs needing to publish their compliance notices |
What really changed between SB 24-205 and SB 26-189
The difference between the two texts is not a marginal adjustment. It is a complete regulatory paradigm shift. SB 24-205, voted in May 2024, was directly inspired by the European AI Act. It defined "high-risk AI systems" and imposed a battery of obligations on deployers: public declaration on their website, prior notification to consumers, annual impact assessments, and 90-day reviews after modification.
According to Littler, this initial text triggered immediate reactions. More than 70 companies and industry associations petitioned Governor Jared Polis for a veto. The main argument: preemptive statewide regulation would create an unmanageable legal patchwork for companies operating on a national scale.
SB 26-189, signed in May 2026, responds to these criticisms by drastically reducing the scope. The very term "high-risk AI system" disappears. It is replaced by "automated decision-making technology" (ADMT), defined as any system that generates a decision, prediction, or recommendation having a significant impact on a consumer. This is a much more surgical targeting.
Major removals
Three obligations were simply and completely removed from the text, according to analyses by TrustArc and the Colorado Consumer Financial Services Law Monitor.
First, the obligation for deployers to publish a public statement on their website indicating that they use AI in consequential decisions. This highly visible measure had become the symbol of the excesses of the original text. Its removal sends a clear signal: Colorado does not want to stigmatize the use of AI, but to frame its concrete effects.
Second, the prior-to-deployment notification requirements. The initial text required consumers to be informed before an automated decision was made about them. The new text only retains a pre-use notice obligation, which is more flexible in its format.
Third, the annual impact assessments and the 90-day post-modification reviews. These obligations represented a considerable documentary burden, especially for SMEs. Their removal was the most celebrated victory by the private sector.
What remains: the hard core
Despite this lightening, the law retains a foundation of real obligations. According to VerifyWise, deployers must still provide a pre-use notice to consumers when an ADMT is used in a consequential decision. Developers must document the capabilities, limitations, and objectives of their ADMT systems.
The most significant obligation that remains: the right for a consumer to request a response from the deployer after an unfavorable outcome resulting from an ADMT. The deployer has 30 days to respond. This is an individual right of appeal, not a systemic audit mechanism. Much more practical, much less costly to implement.
"Consequential decisions" : the key concept of the new law
The notion of a "consequential decision" is the pivot around which the entire SB 26-189 revolves. According to Seyfarth, a consequential decision is understood as a decision that has a legal or similarly significant effect on a consumer.
This concretely covers three areas: employment (hiring, promotion, termination, working conditions), housing (granting a mortgage, renting), and financial services (granting credit, insurance pricing). The healthcare sector, which was included in the original text, was handled separately through other legislative mechanisms.
The difference from the initial text is significant. SB 24-205 targeted the systems themselves — an AI system classified as "high risk" was regulated regardless of how it was used. SB 26-189 targets the decisions — regardless of the sophistication of the underlying system, it is the impact on the consumer that triggers the legal framework.
This semantic shift has major practical implications. A model like GPT-5.5 d'OpenAI, which dominates agentic rankings with a score of 98.2, is not intrinsically targeted by the law. On the other hand, an automated recruiting tool that uses this model to filter resumes and rejects a candidate falls within the scope — not because of the model used, but because of the decision produced.
The ADMT / generative AI boundary
A crucial question for the industry: are common generative AI tools (chatbots, writing assistants, image generators) concerned? The answer is no, unless they are integrated into a consequential decision-making process. A customer service chatbot that helps a user navigate a site is not an ADMT. A chatbot that decides to approve or deny an insurance claim is one.
This distinction protects the majority of current uses of generative AI. Claude Opus 4.7 d'Anthropic (agentic score 94.3), Gemini 3 Pro Deep Think de Google (95.4), or even Grok 4.1 de xAI (79 in agentic) are not concerned as models. It is their integration into decision-making workflows that can trigger the law.
Developer vs deployer obligations: who does what
SB 26-189 clearly distinguishes between two categories of actors, each with its own obligations. This separation is one of the clearest contributions of the rewrite compared to the original text, which sometimes mixed responsibilities.
Developers
ADMT developers must provide deployers and other downstream developers with documentation on the capabilities, limitations, intended use, and training data of their system. They must also take reasonable measures to protect against known and unforeseeable discrimination.
This is an upstream transparency obligation, not a guarantee of results. A developer who provides a credit scoring model based on DeepSeek V4 Pro (general score 88) does not have to prove that their model never discriminates. They must document what they know about its potential biases and the model's inherent limitations.
Deployers
Deployers — those who actually implement the ADMT in consequential decisions — bear the heaviest burden. They must provide a pre-use notice to consumers, respond to requests within 30 days, and take reasonable measures to minimize the risks of discrimination.
The deployer is the consumer's point of contact. This makes sense: they are the one making the decision, not the developer of the underlying model. This liability architecture reflects a pragmatic understanding of the AI value chain.
The chaotic calendar: two years of delays and rewrites
The legislative history of the Colorado AI Act is a textbook case of regulation by trial and error. Let's trace this timeline, as it explains why today's text looks so different from the 2024 version.
May 2024: the initial vote
SB 24-205 is passed by the Colorado legislature and signed by Governor Jared Polis. Polis signs it while publishing a statement expressing serious reservations about the scope of the text. He explicitly calls on the legislature to revise it before its scheduled effective date of February 1, 2026.
February 2025: first delay
Faced with continued pressure from the private sector and the practical impossibility of complying in time, the legislature passes a first delay. The effective date is pushed back to June 30, 2026. A working group, the Colorado AI Policy Working Group, is created to propose a redesign.
March 2026: the replacement proposal
According to Mayer Brown, the Working Group publishes its proposal: not to amend the existing text, but to fundamentally replace it with a much narrower ADMT framework. This is an implicit admission that the European model was not working in the Colorado context.
May 2026: SB 26-189 is signed
The new text is passed and signed in May 2026, barely five weeks before the delayed effective date. According to Law and the Workplace, this extremely tight timeline created considerable uncertainty for businesses that had begun preparing for the original text.
June 2026 - January 2027: transitional phase
June 30, 2026, marks the formal effective date of the new framework. But according to Seyfarth, the majority of practical obligations only take effect on January 1, 2027, leaving a six-month window for adjustment. At the same time, HB 26-1263, signed on July 1, 2026, complements the system with AI-specific anti-discrimination rules, according to the official resources of the Colorado Attorney General.
Why Colorado abandoned the European model
The pivot from SB 24-205 to SB 26-189 is not just a matter of technical details. It is an ideological rejection of the European regulatory model in the American context. According to the University of Denver, Colorado "pumped the brakes" on its pioneering regulation to find "a more workable path."
The European AI Act relies on a logic of a priori classification of systems. Each AI system is classified according to its risk level (unacceptable, high, limited, minimal) as soon as it is placed on the market. This approach requires massive regulatory resources — the European Commission itself is struggling to recruit the necessary experts to evaluate conformity notifications.
Colorado, with the resources of a US state, does not have this capacity. SB 26-189 chooses a logic of a posteriori reaction: the system is not regulated upstream, the decision is framed downstream. It is administratively lighter, but it is also less preventative.
This debate reflects a broader tension in global AI governance. At the G7 Évian: Altman, Amodei and Hassabis gathered for the first time at the summit — and the United States blocks any binding governance, the United States has systematically resisted any binding framework at the international level, favoring voluntary and sectoral approaches. Colorado's reversal fits into this logic.
Pressure from the White House
According to Carpe Datum Law, a phone call from the White House to Governor Polis, two weeks before the replacement vote, reportedly played a role in accelerating the pivot. The federal administration feared that overly aggressive statewide regulation would fracture the US domestic AI market, exactly as the European AI Act fragments the European market according to its detractors.
This federal lobbying raises an interesting constitutional question: to what extent can the federal government influence a state's legislation on a subject that is not explicitly preempted by federal law? The answer is unclear, and Colorado could serve as case law if a preemption conflict breaks out.
Implications for the AI industry: beyond Colorado
Colorado accounts for 1.7% of US GDP and 1.6% of its population. Why is the industry so concerned about it? Because Colorado is a real-world test for a model that could spread.
The state domino effect
Historically, consumer protection laws adopted by a pioneer state (often California) quickly spread to other states, and then to the federal level. California's CCPA worked exactly like this before inspiring similar laws in a dozen states.
If SB 26-189 proves that statewide AI regulation is feasible without killing innovation, other states will follow. If, on the contrary, it creates unbearable legal friction, it could discredit any similar initiative for years to come. The stakes extend far beyond Colorado's borders.
The cost of compliance
Even in its scaled-down version, SB 26-189 imposes costs. Companies must identify which of their decisions are "consequential," which involve ADMT, document their processes, train their teams, and set up consumer response channels within 30 days.
For a startup using Claude Sonnet 4.6 (score 83) to automate lending decisions, this means a significant initial legal investment. For a large banking group, it is a marginal cost compared to existing compliance requirements (Fair Lending, ECOA). The law therefore disproportionately impacts smaller players — a perverse effect that the original text attempted to mitigate with size-based exemptions, but which remains partially present.
The signal to model developers
Foundation model developers are relatively spared by SB 26-189. Their obligations are limited to the documentation provided to deployers. But the political signal is clear: in the US too, liability can travel down the value chain.
This signal is all the more relevant in a context where OpenAI sous subpoena de 42 États : sycophancy, données publicitaires et risques pour les enfants faces coordinated investigations into its data collection practices and the behavior of its models. Regulatory pressure is no longer coming solely from Europe — it is also taking shape in the US, state by state.
ADMT and discrimination: the real legal risk
Beyond procedural obligations, the real legal risk of SB 26-189 lies in the anti-discrimination dimension. HB 26-1263, signed on July 1, 2026, strengthens this aspect by creating a specific AI anti-discrimination framework (ADAI), according to the Colorado Attorney General.
An ADMT that produces discriminatory results based on race, sex, age, or other protected characteristics exposes the deployer to legal action. The difficulty: proving that the discrimination comes from the ADMT and not from a pre-existing bias in the historical data.
Let's take a concrete example. A recruiting tool trained on 10 years of human recruiting decisions reproduces the unconscious biases of those decisions. The ADMT did not "invent" the discrimination — it automated and amplified it. Nevertheless, SB 26-189 and HB 26-1263 consider the deployer responsible, even if the bias originates from the data, not the algorithm.
This is a strict approach, close to that of the federal ECOA regulation on fair credit. But it now explicitly applies to decisions automated by AI, in a context where models like DeepSeek V4 Pro or Z.AI's GLM-5.1 are increasingly used in HR and financial workflows.
Criminal risk: the precedent of AI forgery
The punitive dimension of AI regulation in the United States is not limited to civil law. The First indictment for AI forgery in the United States: a New York congressional candidate arrested for campaign deepfakes shows that American prosecutors are ready to use existing criminal tools against AI abuses. Colorado could follow this path for the most blatant cases of ADMT discrimination.
Security and offensive uses: what the law does not cover
SB 26-189 is silent on many AI risks that other legal frameworks are beginning to address. Offensive uses of AI — automated hacking, disinformation, autonomous weapons — are completely out of scope. For these issues, one must turn to other initiatives.
The alliance Five Eyes : l'alliance de renseignement rappelle que le hacking IA offensif est à découvert recently highlighted the risks associated with using agentic AI models like GPT-5.5 (98.2 in agentic) or Kimi K2.6 in self-host (88.1) for offensive cyber operations. Colorado does not address any of these topics — its ambition is strictly consumer-focused.
This focus is both a strength and a weakness. A strength because it makes the law more targeted and therefore more enforceable. A weakness because it leaves a regulatory gap regarding the most dangerous uses of AI, exactly at a time when agentic models are becoming capable of complex autonomous actions in digital environments.
❌ Common mistakes
Mistake 1: Confusing SB 24-205 and SB 26-189
This is the most frequent error in media coverage. Articles published after May 2026 still cite the obligations of the original text (impact assessments, public declaration). SB 24-205 no longer exists in practice — it has been replaced. Any analysis based on the 2024 text is obsolete.
The solution: systematically check that the cited source refers to SB 26-189 and not SB 24-205. Analyses from ByteBack Law and Seyfarth are reliable because they explicitly clarify the replacement.
Mistake 2: Thinking that all AI systems are affected
The law only targets ADMTs used in "consequential decisions." A chatbot, an image generator, a code-writing tool — all of these are out of scope unless the output is used to make a decision that has a significant legal effect on a consumer.
The solution: conduct a usage audit, not a model audit. The question is not "do you use AI?" but "does your use of AI produce consequential decisions?"
Mistake 3: Ignoring HB 26-1263
SB 26-189 is the main text, but HB 26-1263 (Anti-Discrimination in AI) significantly complements the framework. Ignoring this second text, signed on July 1, 2026, means seeing only half of the regulatory landscape.
The solution: treat SB 26-189 and HB 26-1263 as a package. The anti-discrimination obligations of HB 26-1263 are potentially more stringent than the procedural obligations of SB 26-189.
Mistake 4: Believing that compliance with the GDPR or the European AI Act is enough
SB 26-189 has its own logic, its own definitions, its own thresholds. A company compliant with the European AI Act is not automatically compliant with Colorado law. The concepts do not map neatly onto one another.
The solution: treat Colorado compliance as a distinct effort, even if certain elements (documentation, auditing) overlap with European requirements.
❓ Frequently Asked Questions
Does the Colorado AI Act apply to companies based outside of Colorado?
Yes. Like California's CCPA, the law applies to any entity that "conducts business" in Colorado or that produces consequential decisions concerning Colorado residents, regardless of the company's headquarters.
Are open source models affected?
Open source developers who make a model available without deploying it in consequential decisions are not "deployers" under the meaning of SB 26-189. On the other hand, the company that integrates this model into an automated hiring tool is one. Liability shifts to the end user.
What are the penalties for non-compliance?
The Colorado Attorney General has enforcement power. Violations can result in injunctions and financial penalties. HB 26-1263 adds private causes of action for discrimination cases, paving the way for class actions.
Could the text be further amended?
Nothing is ruled out. The extremely tight schedule between the passage of SB 26-189 (May 2026) and its entry into force (June 2026) leaves little room for technical adjustments. Targeted amendments are likely by January 1, 2027, the date of full effectiveness.
How do you distinguish an ADMT from a simple decision-support tool?
The dividing line relies on the degree of automation. If a human makes the final decision based on an AI recommendation, the system is a support tool. If the system directly produces the decision (credit denial, candidate rejection), it is an ADMT. In practice, this distinction will be a source of litigation.
✅ Conclusion
The Colorado AI Act taking effect today is no longer the one lawmakers passed in 2024. Two years of pressure, delays, and rewrites have transformed a text modeled on Europe into a pragmatic framework focused on automated decisions that concretely affect consumers. It is an imperfect but functional compromise — and that is exactly what makes it the most important test of US AI regulation to date. If the model holds, other states will follow. If it breaks, the statewide initiative will be dead for a decade. The industry has every interest in watching Colorado very closely.
```