On March 17, 2026, the Colorado Artificial Intelligence Policy Work Group, with strong support from Governor Jared Polis, proposed a new legal framework to replace the Colorado Concerning Consumer Protections in Interactions with Artificial Intelligence Systems. The current Colorado law is described as the most comprehensive and robust Artificial Intelligence law in the United States and, like the EU Artificial Intelligence Act, imposes obligations on developers and deployers of high-risk systems. The law was originally set to go into effect on February 1, 2026, but was amended late last year to postpone the effective date to June 30, 2026.
The proposed replacement, titled Concerning the Use of Automated Decision Making Technology in Consequential Decisions, shifts the state’s approach away from broad Artificial Intelligence governance and toward a structure more commonly seen in comprehensive privacy laws. The framework focuses on transparency, recordkeeping, and consumer rights rather than requirements such as reporting algorithmic discrimination, maintaining a risk management policy, and conducting Artificial Intelligence impact assessments. If passed, the Proposed ADMT Framework will go into effect January 1, 2027, giving covered ADMT developers and deployers until the end of 2026 to modify their compliance program.
The proposal also narrows and refines the technologies and decisions that fall within scope. Instead of the broader system definition used in the current statute, it applies to automated decision making technology that processes personal information and generates outputs used to make, guide, or assist decisions about an individual. Obligations attach only when a Covered ADMT is used to materially influence a consequential decision, a higher threshold than the existing substantial factor standard. The framework excludes incidental, trivial, or clerical uses and removes legal services decisions from the list of covered consequential decisions, while clarifying how housing, insurance, and essential government services should be interpreted.
Developers would have to provide technical documentation about intended uses, harmful or inappropriate uses, training data, limitations, risks, and instructions for use, along with notices of material updates. Deployers would have to give pre-use notice to consumers and explain how they can obtain more information. They also would have to provide within 30 calendar days a notice to consumers if the Covered ADMT rendered a consequential decision that was an adverse outcome. That notice must describe the decision, the system’s role, and the process for obtaining additional information, including how to request meaningful human review or reconsideration. Both developers and deployers must maintain records demonstrating compliance for not less than three years.
Enforcement would remain with the Colorado Attorney General, and the framework would not create a private right of action. Before bringing an enforcement action, however, the Colorado Attorney General must provide written notice of the alleged violation, and allow the developer or deployer 90 days after receipt of the notice to cure the alleged violation and provide a written statement describing the cure. If the alleged violation is cured within that time period, the Colorado Attorney General may not seek civil penalties for that specific violation, but may seek injunctive relief or other equitable relief as necessary to prevent future violations.
