One of the nation’s toughest AI laws has undergone an almost total transformation. Colorado Governor Jared Polis signed SB 26-189 on May 14, replacing the Colorado AI Act with an entirely new regime that will govern automated decision-making technology (ADMT) being deployed in the state.

What Changed

The Colorado AI Act (CAIA), enacted in 2024, was widely regarded as one of the most ambitious state AI statutes in the country, and required developers and deployers of “high-risk AI systems” to adopt broad-based risk management programs, conduct algorithmic impact assessments, and provide layered notices to consumers and the Colorado Attorney General. In the months following passage, CAIA drew significant industry opposition, as AI companies argued that the law would hinder growth and development of the new technology.

SB 189 entirely abandons CAIA’s duty-of-care and risk-management framework. Instead, the new law establishes obligations around the use of ADMT, defined as technology that generates predictions, recommendations, rankings, or other outputs used to guide or make decisions about individuals. The law would apply when ADMT technology “materially influences” a “consequential decision.” Consequential decisions covered by the law include determinations relating to education enrollment, employment, financial and lending services, insurance, health care services, and essential government services. Consumers will be given rights under the new law when the consequential decision results in an “adverse outcome,” defined to mean “a decision that denies, terminates, revokes, or materially reduces a consumer’s” ability to receive an opportunity or service, as well as a decision that would make opportunities or services materially less favorable (e.g. more expensive) for the consumer.

What the New Law Requires

For “deployers” (defined as entities using ADMT to make consequential decisions about CO consumers), SB 189 will impose the following requirements:

Pre-Use Notice

Clear and conspicuous notice, before or at the time of interaction, that ADMT is being used to materially influence a consequential decision about the consumer. Deployers have flexibility in how they provide this notice, including through publicly available disclosures linked from consumer interaction points.

Adverse-Outcome Notice

If a consequential decision results in an adverse outcome, deployers must provide a written notice within 30 days explaining the decision, the role of the ADMT, and how the consumer can request additional information or exercise rights.

Meaningful human review

Consumers who experience an adverse outcome may request human review and reconsideration. That review must be conducted by a person with actual decision-making authority, who considers relevant primary evidence and does not simply defer to the automated output. This requirement applies “to the extent commercially reasonable.”

Consumer rights

Following an adverse outcome, consumers may request access to and correction of factually inaccurate personal data used in the decision.

SB 189 requires developers of ADMT systems to provide technical documentation to deployers describing intended and known inappropriate uses, categories of training data, known limitations and risks, and instructions for appropriate use and monitoring. Developers must also notify deployers of material updates or modifications that could affect system performance.

Impacts on Liability and Indemnification

SB 189 also contains provisions that will significantly impact businesses’ ability to shift liability via their contracts with AI developers and deployers.

First, SB 189 delineates how liability should be apportioned between developers and deployers for algorithmic discrimination claims. Developers would be liable for such claims if the ADMT system being deployed and used for a consequential decision is “used by a deployer in a manner that was intended, documented, marketed, advertised, configured, or contracted for by the developer” but nonetheless gives rise to a discrimination claim. The ADMT system must also “materially influence” the consequential decision for liability to attach. Conversely, developers would not be liable for algorithmic discrimination claims where the alleged violation of an antidiscrimination law arises from the deployer’s use of the deployed system “in a manner that was not intended, documented, marketed, advertised, configured, or contracted for by the developer.” (emphasis added). Based on these statutory delineations of liability, it will be critical for developers to clearly articulate the intended use cases for their AI systems in the products’ documentation. 

Another especially notable provision of SB 189 nullifies contractual indemnification provisions relating to a party’s violation of Colorado’s antidiscrimination laws arising from the party’s use of ADMT to make a consequential decision. The law provides that “if a provision of a contract for the use of [ADMT] in making a consequential decision or any other contract between a developer and deployer purports to indemnify, defend, or hold harmless or has the effect of indemnifying, defending, or holding harmless the indemnitee from or against any liability for damages pursuant to this [law] resulting from the developer's or deployer's own acts or omissions related to the use of ADMT in making consequential decisions in violation of the [CO antidiscrimination laws], the provision is contrary to public policy and void.” (emphasis added). Businesses should evaluate their AI vendor agreements for provisions that could conflict with this restriction.

What Should Businesses Do Now

Businesses that develop or deploy AI systems used in employment, lending, insurance, health care, or other “consequential decision” domains in Colorado should:

• Assess whether their AI systems qualify as ADMT under SB 189’s definitions, and whether those systems “materially influence” consequential decisions;
• Review existing AI vendor contracts for liability allocation provisions and evaluate indemnification terms against SB 189’s restriction; and
• Develop meaningful human review procedures for adverse-outcome scenarios.

Compliance planning should account for the possibility that final Attorney General rules may not be available until close to the January 1, 2027 effective date.

For assistance navigating SB 189 and its implications for AI product development, deployment agreements, and compliance programs, please contact Benjamin Mishkin in Cozen O’Connor’s Technology, Privacy & Data Security practice.