Colorado Spent Two Years Building the First Comprehensive State AI Law—Then Gutted It 57-6 on May 12 and Pushed Everything to January 2027

The Law That Was Supposed to Start in June

When Governor Jared Polis signed Senate Bill 205 in May 2024, Colorado became the first U.S. state to enact a comprehensive regulatory framework for high risk artificial intelligence systems. Companies deploying AI for "consequential decisions"—hiring, housing, lending, insurance, education, healthcare—would owe consumers a duty of care, run formal risk assessments, document algorithmic discrimination tests, file notifications with the Attorney General, and publish public statements about every covered system on their websites. Enforcement was set to begin June 30, 2026.

Within hours of signing the original bill, Polis and the bill's own Senate sponsor, Robert Rodriguez, publicly pledged to revisit and water it down. Two years of negotiation, four special-session attempts, and one delayed implementation date later, the legislature did exactly that. At 1 AM on May 12, the Colorado House passed Senate Bill 26-189 by a vote of 57 to 6. The Senate had already cleared it 34 to 1. The 2024 framework is being replaced in its entirety before a single consumer ever got to invoke it.

What Got Cut

The list of provisions that did not survive the rewrite is the part legal teams have been forwarding around since dawn:

• Duty of care to protect consumers from algorithmic discrimination
• Annual risk management programs
• Mandatory algorithmic impact assessments before deployment
• Bias testing documentation requirements
• Attorney General notifications when discrimination is discovered
• The website published public statement listing every covered AI system
• Most of the prohibitions on substantial factor determinations

What replaced them is a transparency regime. Before a covered automated decision making technology touches a Coloradan, the deployer must give a "clear and conspicuous notice" that the system is in use. The notice can be satisfied by a single public posting reasonably accessible at the point of consumer interaction. The deployer must publish the intended uses, the potential harmful uses, the categories of training data, and operator oversight instructions. Consumers keep two rights: access and correction of their own data, and a path to meaningful human review when an adverse decision is made.

Senator Rodriguez, who authored the original bill and led the rewrite, put it plainly to the Colorado Sun: "I've whittled this bill down to more of a discrimination decision bill." His other quote of the night, "Everybody lost and everybody won," is the kind of statement that only makes sense in a chamber that has stopped pretending compromise is possible.

The Definition That Was Not Settled

The remaining transparency obligations apply only to ADMT that "materially influences" a consequential decision. That phrase is not defined in the statute. SB 26-189 hands the question to Attorney General Phil Weiser's office through rulemaking, which is the same office that was supposed to receive discrimination filings under the old law.

The boundary matters more than any of the surviving disclosure requirements. A retailer using a recommendation engine that surfaces job openings is either covered or not depending on how broadly Weiser writes "materially influences." A lender using a credit decision model that takes one signal out of forty from an automated system faces the same uncertainty. Rulemaking will not start until after the bill is signed, and the new effective date of January 1, 2027 gives the AG's office roughly twenty months to define the entire scope.

Who Pushed and Who Lost

The Colorado Technology Association, which spent most of 2024 and 2025 lobbying for the rewrite, called the new bill "meaningful progress" and "a more balanced path." The PART coalition of labor and consumer groups described it as "a good first step." State Representative Javier Mabrey voted yes and then went on record calling the result insufficient, pointing out that automated systems still "determine hiring and housing outcomes" with effectively no enforcement teeth left in the law.

Compliance officers who spent eighteen months building risk assessment programs are now staring at a calendar with a new deadline and a much shorter checklist. The work is not wasted. Companies that operate in California, the EU, or other jurisdictions with risk based AI obligations will still need everything that just got cut from Colorado. But for anyone whose AI footprint was specifically scoped to Colorado, the budget conversation for 2026 just changed.

What Colorado's Reversal Signals

Colorado was the test case. Eight other states had introduced similar comprehensive AI frameworks during the 2025 session, and most of them were waiting to see whether the Colorado implementation deadline of June 30 would actually be enforced. The legislative answer arrived on May 12: no. The transparency framework that emerged is closer to what Texas adopted last year than to what the EU AI Act will require beginning in August.

For privacy researchers tracking the policy trajectory, the shift is more interesting than the bill itself. The original SB 205 borrowed structurally from the EU AI Act—risk tiers, impact assessments, and a substantive duty of care anchored in algorithmic discrimination. The replacement borrows from CCPA—notice, access, and correction, with enforcement deferred to AG rulemaking. That is the same trajectory that almost every U.S. comprehensive privacy law has followed since 2018. Whatever Colorado does in 2027 will likely be copied by the next eight states. The four Canadian privacy regulators who ruled last week that OpenAI violated five privacy laws to train ChatGPT are pulling the opposite direction—toward more enforceable substantive obligations, not fewer.

The Federal Trade Commission's recent enforcement against location data brokers and the GM OnStar $12.75 million CCPA settlement in California both depended on the kinds of substantive obligations Colorado just took out of its own statute. State-level AI regulation is now formally a disclosure regime, and the burden of stopping algorithmic discrimination has shifted decisively to federal agencies, plaintiffs' bar litigation, and class-action settlements. Whether that is "meaningful progress" or "everybody lost" depends on who you ask.