Colorado’s AI Law Died Before It Lived. Here’s What’s Next
If you built a compliance program for Colorado’s AI Act this year, you built it for a law that no longer exists. Senate Bill 24-205, the first comprehensive AI statute in the country, was sued by Elon Musk’s xAI, joined by the Trump administration’s Justice Department, frozen by a federal judge, and then scrapped entirely by the Colorado legislature, all in the span of about five weeks this spring.
What replaced it, Senate Bill 26-189, is narrower, later, and quieter than the law it replaced. It takes effect January 1, 2027, not June 30, 2026. If you’re running HR, legal, or procurement for a company with employees or applicants in Colorado, this is the version of the story you actually need.
The short version: Colorado’s original AI Act (SB 24-205) never took effect. It was repealed and replaced by SB 26-189, signed May 14, 2026. The new law swaps risk-management mandates for a notice-and-disclosure model, takes effect January 1, 2027, and caps penalties at $20,000 per violation under the Colorado Consumer Protection Act.
How Colorado’s AI Act Collapsed in Six Weeks
Governor Jared Polis signed SB 24-205 in May 2024, and for a while, it looked like the template every other state would copy. It required companies deploying “high-risk” AI systems in hiring, lending, housing, and healthcare to run impact assessments, maintain risk-management programs, and meet an affirmative duty of care to avoid algorithmic discrimination. Illinois passed its own AI employment-notice law weeks later. Law firms called Colorado’s approach the national test case.
It never got the chance to prove that out. Lawmakers tried to amend the bill in 2025 and failed. A special session in August 2025 pushed the effective date from February 1 to June 30, 2026. Then, in April 2026, everything moved at once.
On April 9, 2026, xAI sued Colorado Attorney General Phil Weiser, arguing SB 24-205 violated the First Amendment, the Commerce Clause, and Equal Protection principles by carving out exceptions for algorithms designed to “redress historic discrimination.” Fifteen days later, the Justice Department’s Civil Rights Division moved to intervene, the first time the federal government had directly challenged a state AI law.
“Laws that require AI companies to infect their products with woke DEI ideology are illegal.” Harmeet K. Dhillon, Assistant Attorney General, Civil Rights Division, U.S. Department of Justice, via DOJ press release, April 24, 2026
Three days after that, a federal court paused enforcement of the law entirely. Colorado’s legislature didn’t wait to see how the lawsuit played out. On May 14, 2026, Polis signed SB 26-189, repealing SB 24-205 in its entirety and reenacting a narrower framework in its place, according to Norton Rose Fulbright’s analysis of the bill.
Here’s the arc, laid out plainly:
| Date | Event |
|---|---|
| May 17, 2024 | Polis signs SB 24-205, the original Colorado AI Act |
| Aug 2025 | Effective date delayed from Feb 1 to June 30, 2026 |
| Apr 9, 2026 | xAI sues AG Phil Weiser over SB 24-205 |
| Apr 24, 2026 | DOJ intervenes in support of xAI |
| Apr 27, 2026 | Federal court pauses enforcement of SB 24-205 |
| May 14, 2026 | Polis signs SB 26-189, repealing and replacing the law |
| Jan 1, 2027 | SB 26-189 takes effect |
Not everyone in Colorado was mourning the original law, either. Rep. Brianna Titone, one of its original sponsors, pushed back hard on the DOJ’s framing of what it actually did.
“The whole point of the law that we put in place was to prevent discrimination.” State Rep. Brianna Titone, via Govtech, April 29, 2026
What SB 26-189 Actually Requires
Forget everything you read about risk-management programs and annual impact assessments. Those are gone. SB 26-189 drops the “high-risk artificial intelligence system” classification entirely and replaces it with a new term: automated decision-making technology, or ADMT.
The test for coverage isn’t what the system is. It’s whether the system’s output “materially influences” a consequential decision, meaning it’s a meaningful factor in the outcome, not a clerical or trivial one. Employment, lending, housing, education, insurance, and healthcare all count as consequential domains.
For employers, the obligations that matter come down to five things:
- Pre-use notice. Tell applicants or employees before ADMT is used in a decision that affects them.
- 30-day adverse-outcome explanation. If ADMT materially contributed to a rejection, non-promotion, or termination, the affected person gets a plain-language explanation within 30 days.
- Human review rights. People can request meaningful human reconsideration of an adverse, ADMT-influenced decision.
- Data access and correction. People can request the data the system used about them and correct what’s factually wrong.
- Vendor documentation flows downstream. Developers of covered ADMT (think applicant-tracking or screening software) must hand deployers documentation on intended use, training-data categories, known limitations, and update notices.
That last point is the one procurement and legal teams tend to miss. If your hiring stack includes third-party screening tools, expect updated vendor contracts before the end of the year, and don’t wait for the vendor to bring it up.
What this really means: The compliance burden shifted from proving your system is safe in advance to being able to explain a specific decision after the fact. Building a general AI-ethics policy no longer covers you. You need a workflow that can produce a real explanation for a real rejected candidate inside 30 days.
Penalties, Enforcement, and the Cure Period
Only the Colorado Attorney General can enforce SB 26-189. There’s no private right of action for the ADMT provisions specifically, which is a meaningful difference from what business groups feared under the original bill.
Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, which caps civil penalties at $20,000 per violation. Before the AG can pursue penalties, the office generally has to give written notice and a 60-day window to fix the problem, unless the violation was knowing or repeated. That cure right sunsets on January 1, 2030.
One more wrinkle worth flagging for anyone assuming “no private right of action” means low risk: the law preserves how liability gets split between developers and deployers in existing discrimination lawsuits under other statutes. The mandatory 30-day adverse-outcome explanation you now have to produce could become exactly the kind of documentation a plaintiff’s attorney requests in a Title VII or ADEA claim. Disclosure cuts both ways.
The AG also has to finish implementing rules by January 1, 2027, and has said publicly that enforcement won’t start until that rulemaking wraps. Translation: the compliance target employers are building toward right now isn’t fully drawn yet.
What the People Fighting Over This Law Are Saying
The federal side of this story isn’t as unified as the DOJ’s lawsuit might suggest. Rep. Jay Obernolte, the California Republican who chairs the House Science Subcommittee on Research and Technology, has a very different read on why Congress rejected a federal AI moratorium twice in 2025.
“It was never intended to be a long-term solution.” Rep. Jay Obernolte (R-CA), via Route Fifty, February 2026
Travis Hall of the Center for Democracy and Technology takes it further, criticizing the White House’s later attempt to override state authority by executive order after Congress twice declined to act legislatively.
“Misguided.” Travis Hall, State Engagement Director, Center for Democracy and Technology, via StateScoop, December 2025, on the push to use Executive Order 14365 to override state AI authority
Even Colorado’s own governor and attorney general weren’t full-throated defenders of the original bill while it was still on the books. Both publicly warned that a state-by-state regulatory patchwork creates real problems for building a healthy tech sector, an odd thing to hear from the two officials who signed and were charged with enforcing the law.
The Case Against Treating This as Settled
Here’s the uncomfortable part most coverage skips: SB 24-205 never regulated a single real-world employment decision. It was signed, delayed twice, frozen by a court, and repealed before its effective date ever arrived. Anything written about it in the past tense, as a law that “required” something of employers, is describing a law that was never operative.
And there’s real reason for measured skepticism about whether January 1, 2027 sticks. Its predecessor got delayed twice and then killed outright before reaching its own start date. The AG rulemaking SB 26-189 depends on has to finish by the same January deadline it’s supposed to govern. That’s a tight, and not entirely reassuring, timeline.
The federal preemption fight isn’t over either. Executive Order 14365 is still in effect, the DOJ’s AI Litigation Task Force has already intervened once, and nothing stops a similar challenge to SB 26-189 once it’s live. The extraterritorial reach that drew xAI’s constitutional challenge to the original law didn’t disappear with the rewrite.
Business groups largely got what they wanted here. No risk-management program requirement. No annual impact assessments. No duty-of-care standard. No private right of action. If you’re an employer, that’s good news in the short term. But it’s worth asking whether a narrower state law, sitting alongside an unresolved federal preemption fight, is really the stable ground it looks like from a distance.
Frequently Asked Questions
Is the Colorado AI Act still in effect?
No. The original Colorado AI Act, SB 24-205, was repealed before its June 30, 2026 effective date ever arrived. SB 26-189, signed May 14, 2026, replaced it with a narrower notice-and-disclosure framework that takes effect January 1, 2027.
What is SB 26-189 in Colorado?
SB 26-189 is Colorado’s revised AI law. It regulates automated decision-making technology used in consequential decisions like employment, lending, and housing, requiring pre-use notice, a 30-day adverse-outcome explanation, and human-review rights, effective January 1, 2027.
When does the Colorado AI law take effect for employers?
January 1, 2027. The earlier June 30, 2026 date under SB 24-205 became moot once that law was repealed and replaced by SB 26-189 in May 2026.
Why did Colorado repeal its original AI law?
Stakeholder criticism that SB 24-205 was overly complex, a federal lawsuit from xAI, a Justice Department intervention, and a court order pausing enforcement pushed Colorado’s legislature to replace the risk-management framework with a lighter disclosure model.
What penalties does Colorado’s AI law impose?
Violations of SB 26-189 count as deceptive trade practices under the Colorado Consumer Protection Act, carrying civil penalties up to $20,000 per violation. The Attorney General must generally offer a 60-day cure period before pursuing penalties.
Can employees sue under Colorado’s AI law?
Not under SB 26-189’s ADMT provisions directly. Enforcement authority rests solely with the Colorado Attorney General. The law does, separately, address how liability is allocated between developers and deployers in existing discrimination lawsuits under other statutes.
Where This Goes Next
What you now understand that most coverage still gets wrong: Colorado’s AI Act isn’t a law that employers have been complying with since June. It’s a law that collapsed before it started, replaced by something narrower, later, and still not fully written.
Three things worth watching over the next six to eighteen months. First, whether the Attorney General finishes rulemaking on schedule, or whether SB 26-189 follows its predecessor into another delay. Second, whether the DOJ’s Litigation Task Force turns its attention to SB 26-189 once it takes effect, using the same extraterritorial and Commerce Clause arguments that worked against SB 24-205. Third, whether other states drafting their own AI employment laws treat Colorado’s retreat as a template to follow or a warning to avoid.
If you’re building compliance workflows now, build for decision-level explainability, not system-level governance documents. And build them so they can survive one more rewrite, because this law has already been rewritten twice.
Subscribe to The Neural Loop for the next update on this story, and every other AI regulation fight that actually affects how you build and hire.
