Colorado Revises Its AI Act: What Changed and Why
On May 15, Governor Polis signed SB 189, revising the Colorado AI Act (CAIA) after two years of intense negotiations and national debate over the original 2024 law’s approach to AI regulation. The revised law, the Colorado ADM Act (CADMA), reflects a fundamental shift in approach: shifting from an algorithmic discrimination framework to a transparency-focused one, as well as narrowing the scope of covered AI systems, streamlining disclosures and consumer rights, and replacing governance requirements with liability allocation under existing anti-discrimination laws.
This post examines the key changes between CAIA and CADMA, explores the context that drove these revisions, and analyzes their practical implications. Side-by-side legislative comparison chart below.
Quick Overview of the Revised Law:
- Regulates developers and deployers of covered automated decision-making technologies (ADMT) used for making consequential decisions regarding covered domains (e.g., education, employment, financial or lending)
- Requires developers to provide deployers a general statement that includes information regarding the covered ADMT.
- Requires deployers to disclose to consumers use of covered ADMT for consequential decisions prior to use.
- Requires deployers to notify consumers whether and to what extent a covered ADMT contributed to a consequential decision if an adverse decision is reached.
- Provides consumers certain rights if an adverse decision is reached pursuant to deployers’ use of a covered ADMT, including rights of explanation, correction, and appeal.
- Clarifies that developers and deployers are subject to existing anti-discrimination law, while developers’ liability is limited to intended use of covered ADMT.
- The law will be enforced by the Colorado Attorney General (AG), with no private right of action, and go into effect January 1, 2027.
From Anti-Discrimination Governance to Transparency
Enacted in 2024, Colorado SB 205 (Colorado AI Act) (CAIA) aimed to mitigate risks of discriminatory outcomes from AI-driven decisions in consequential domains by regulating how such systems are developed and deployed. The law subjected developers and deployers to a duty of care to protect consumers from algorithmic discrimination, with such duty presumptively fulfilled if the developer or deployer complied with the Act’s requirements. For developers, those requirements included: disclosing information to deployers regarding known limitations, possible biases, and risk mitigation measures; making publicly available information regarding high-risk AI systems and known or foreseeable risks of algorithmic discrimination; and notifying the state AG upon discovery that a high-risk AI system caused algorithmic discrimination. For deployers, those requirements included: maintaining a risk management policy and program to identify and mitigate the risk of algorithmic discrimination; annually conducting impact assessments on high-risk AI systems; publicly disclosing information regarding high-risk AI use and how known or foreseeable risks of algorithmic discrimination were managed; and also notifying the state AG upon discovery of algorithmic discrimination. See full overview of requirements in FPF’s Colorado AI Act Policy Brief (2024).
CADMA eliminates CAIA’s governance requirements and references to algorithmic discrimination, focusing instead on transparency. Where risk is mentioned, it refers only to undefined “known risks” or “known limitations” rather than discrimination-specific concerns. Key areas of this shift include:
- Removal of the duty of care to mitigate algorithmic discrimination;
- Removal of algorithmic discrimination incident reporting;
- Removal of risk management and impact assessments regarding algorithmic discrimination; and
- Narrowing of transparency requirements and removal of disclosing bias-related information, now only “known limitations”;
Why the Change: Upon signature of the original CAIA, Governor Polis expressed reservations about its potential to “tamper innovation and deter competition.” The law faced criticism from some industry groups who argued that compliance costs would disproportionately burden small businesses lacking resources for comprehensive governance programs, while other commentators contended the law reflected ideological priorities, which was later reflected in a constitutional challenge against the law by xAI. Meanwhile, a deregulatory shift in the 2025 legislative landscape, and other states failing to enact comparable AI laws, left Colorado as an outlier.
Nonetheless, a coalition of labor, consumer, civil rights, privacy, and public interest groups continued to support the law, emphasizing the need to protect consumers when AI systems shape critical life and career decisions. After failed negotiations in 2025, Polis convened a working group to develop revisions balancing consumer protection with reduced compliance burdens.
Changes in Scope
CADMA regulates “covered automated decision-making technology” (ADMT), defined as technology that processes personal data and is used to materially influence consequential decisions. In contrast, CAIA regulated “high-risk AI systems” that were a substantial factor in, or are capable of altering, consequential decisions. Although this change was likely intended to streamline coverage, CADMA’s scope is not easily characterized as simply narrower or broader than CAIA’s. It may apply to a narrower set of technologies, but its definition of “consequential decision” may be broader and its exceptions differ from CAIA’s.
- Covered Technologies: CADMA narrows the scope of covered technologies through two requirements: systems must process personal data and actually be used to “materially influence” decisions—contrasting with CAIA’s lower bar of being a “substantial factor” or merely capable of altering outcomes.
- Covered Decisions / Domains: Both versions address the same domains (employment, housing, education, etc.), but CADMA may broaden coverage by: (1) lowering the impact threshold—decisions need only “relate to” a covered domain, rather than have a “material, legal, or similarly significant effect” as under CAIA; and (2) expanding decision types beyond CAIA’s “provision or denial of, or cost or terms of” to include “delay” and “alteration.” However, CADMA narrows employment coverage to hiring decisions only, whereas CAIA applied to a broader set of employment decisions.
- Exemptions: CADMA does not include CAIA’s small deployer exemption. It retains most other CAIA exemptions but removes AI-enabled video games, public interest research, and entities subject to federal standards or contracts. It also narrows CAIA’s broad exemption for legal compliance and investigations to cover only anti-terrorism and money laundering activities. Notably, CADMA adds a new exemption for advertising, which CAIA would have covered under decisions regarding “access to” consequential domains.
Why the Change: The scope changes appear to reflect competing pressures. The higher technology threshold aligns with Governor Polis’s stated streamlining goals, while the broader decision definitions and fewer exemptions may reflect consumer advocates’ push to maintain protective scope. The language shifts may also reflect a change in authorship. Senator Rodriguez’s CAIA borrowed heavily from data privacy law—using “material, legal, or similarly significant effect” from the Colorado Privacy Act and including standard privacy law exemptions. CADMA’s drafting by the Governor’s office moved away from this privacy framework terminology and approach.
Narrowing employment coverage to hiring decisions also likely represents a compromise between industry and advocates–preserving protections for one of the highest-stakes employment decisions while substantially reducing the compliance footprint for ongoing employee management systems.
Streamlining Disclosures and Consumer Rights
CADMA maintains three of CAIA’s transparency requirements regarding covered systems, though in narrower form. However, it removes CAIA’s general disclosure requirement regarding any consumer-facing AI system.
- Developers to Deployers: Developers must still provide information to deployers regarding the covered ADMT, though narrowed from CAIA’s “disclosures and documentation” to a general statement regarding the ADMT’s use, limitations, and monitoring.
- Deployers to Consumers (Pre-Use): Deployers must still provide information to consumers prior to ADMT use, but CADMA narrows the upfront disclosure to only a statement that ADMT is being used and instructions for obtaining additional information. Details about the system’s purpose and the nature of the decision are required only when the ADMT produces an adverse outcome.
- Deployers to Consumers (Post-Adverse Decision): If an adverse decision is reached pursuant to covered ADMT use, deployers must provide consumers a plain language description of the consequential decision and the role the covered ADMT played, instructions on how to request additional information, and an explanation of their rights.
Similarly, CADMA largely maintains the CAIA’s consumer rights (e.g., right to explanation, correction, and appeal) but limits them to instances of adverse decisions. Consumers must be able to request the name of the covered ADMT, the inputs used, and the categories and sources of personal information used; they must be provided the opportunity to correct any inaccurate personal data used by the covered ADMT pursuant to the Colorado Privacy Act (CPA); and they must be provided an opportunity for meaningful human review and reconsideration, to the extent commercially reasonable. Notably, deployers would only need to inform consumers of their existing rights under the CPA when an adverse decision is reached (despite the CPA not containing such limitation). Unlike the CAIA, it does not appear that deployers must respond to consumer requests in a specific time period.
Additionally, while not detailed here, CADMA includes sections regarding when notices under other laws, such as FERPA, satisfy these requirements. Developers and deployers must maintain necessary recordkeeping to demonstrate compliance for at least three years. The state AG may conduct rulemaking on the post-adverse disclosures and consumer rights.
Why the Change: The streamlined transparency requirements and consumer rights reflect Governor Polis’s goals for reduced compliance burdens for small businesses. Nonetheless, retaining these provisions, even in streamlined form, preserves two features: disclosure that enables anti-discrimination claims (discussed below) and universal application to entities of all sizes and sectors, unlike privacy laws that exempt smaller companies and government agencies through threshold requirements.
CADMA explicitly permits compliance with consent requirements through other regulatory frameworks like FERPA and FCRA, likely responding to regulated entities’ desire to integrate AI obligations into existing processes.
From Prescriptive Compliance to Discrimination Liability
The liability framework represents one of CADMA’s most fundamental departures from CAIA. CAIA established a statutory duty of care: compliance with the Act’s breadth of governance, transparency, and consumer rights requirements created a rebuttable presumption that developers and deployers had fulfilled their obligations. Noncompliance exposed entities to AG enforcement, though defendants could assert an affirmative defense by demonstrating they had cured the violation and adopted a recognized risk management framework, such as NIST’s AI RMF. Courts would ultimately assess whether an entity’s conduct was “reasonable” under the duty of care—functionally applying a negligence standard. Importantly, CAIA did not displace liability under existing anti-discrimination statutes, though compliance documentation likely would have served as evidence in both CAIA enforcement actions and parallel discrimination claims.
In contrast, CADMA eliminates the duty of care framework and most governance requirements, making entities primarily liable for transparency and consumer rights violations. Noncompliance triggers AG enforcement, though entities receive a 60-day cure period before penalties attach. CADMA replaces CAIA’s algorithmic discrimination controls by clarifying that existing anti-discrimination law applies to developers and deployers of covered ADMT. However, developers may not be liable if a deployer uses their ADMT in a manner unintended by the developer. CADMA also restricts indemnification, where deployers cannot contractually shift liability to developers.
In practice, this means entities face narrower compliance obligations under CADMA with a 60-day cure opportunity before penalties. However, navigating the courts may become less predictable without prescribed controls to establish “reasonableness” or safe harbors. Additionally, the “intended use” standard for discrimination liability, alongside the indemnification prohibition, makes documentation critical: developers need clear specifications about proper deployment, while deployers must demonstrate they followed those specifications or accept liability for misuse.
Why the Change: The shift from prescriptive controls to liability allocation reflects different regulatory philosophies: whether the state should mandate specific compliance measures or allow market-driven risk management with ex post liability. Organizations with low risk tolerance and substantial resources may prefer detailed upfront requirements that clearly define regulatory expectations and enable comprehensive compliance mapping. But resource-constrained entities with higher risk tolerance, such as startups, may prefer ambiguity: they may rather risk case-by-case adjudication than invest scarce resources in compliance with prescriptive frameworks that may not materialize into actual liability.
This tension manifests as a choice between legislative prescription and judicial development. CAIA’s approach—detailed governance requirements that created a presumption of compliance—favored entities seeking regulatory certainty. CADMA’s approach—limited transparency and general applicability of existing law with liability determined through enforcement or litigation—favors entities preferring to allocate resources to growth rather than preemptive compliance. Given Governor Polis’s emphasis on reducing burdens for startups and innovation-focused businesses, CADMA adopted the latter approach.
Conclusion
After two years of contentious debate and revision, Colorado’s AI regulation has finally reached legislative resolution. With the law scheduled to take effect before the next legislative session, entities can begin compliance planning after prolonged uncertainty. Senator Rodriguez’s retirement further marks the close of this legislative chapter. While others, such as CAIA co-sponsor Representative Brianna Titone (D), may pursue future revisions, Rodriguez’s position as both primary sponsor and Senate Majority Leader was critical to advancing the bill through contentious negotiations. Further statutory changes seem unlikely without similarly positioned leadership, though the AG’s rulemaking process may determine implementation details and enforcement approaches that could significantly affect CADMA’s real-world impact.
Colorado’s journey from comprehensive governance to an approach centered on transparency will continue to offer critical data for the debate on whether consequential algorithmic systems require specialized governance frameworks or can be adequately governed through transparency and existing law.
