Companies operating in Colorado face a hard deadline: by June 30, 2026, any business that deploys automated systems to make consequential decisions about consumers in areas like employment, housing, insurance, and credit must comply with the nation’s first statewide AI consumer-protection law. Governor Jared Polis signed SB24-205 on May 17, 2024, giving organizations a two-year runway to prepare. That window is now weeks from closing, and a late-session legislative rewrite has changed the scope of what the law actually covers.
Why the June 30 deadline carries new weight after SB26-189
The original statute, formally titled the Consumer Protections for Artificial Intelligence Act, was designed as an anti-discrimination measure. It required “developers” and “deployers” of high-risk AI systems to perform impact assessments, disclose when AI played a role in adverse decisions, and give consumers a path to appeal. The Colorado Attorney General frames the law as a consumer-protection statute aimed at preventing algorithmic discrimination, and its enforcement page confirms the June 30, 2026 effective date.
Before that date arrived, however, the General Assembly passed SB26-189 in May 2026. That bill repeals and reenacts the AI provisions of SB24-205, replacing the earlier “high-risk artificial intelligence system” framework with a broader category labeled “automated decision-making technology.” The shift is not cosmetic. By moving away from a term that implied a narrow set of machine-learning models, the new language pulls in rule-based algorithms, scoring engines, and other software tools that produce or substantially inform decisions affecting consumers. The practical effect is that businesses previously confident they fell outside the law’s reach now need to reassess whether their systems qualify.
A reasonable reading of the statutory change suggests the number of covered use cases will grow substantially in the first year of enforcement, though no official estimate has been published. The attorney general’s office has signaled a public rulemaking process to define key terms, and until those definitions are final, the outer boundary of “automated decision-making technology” stays uncertain. That ambiguity itself is a compliance burden: legal teams cannot size the problem until the rules are written.
What the legislative record and AG enforcement page confirm
Two primary documents anchor the timeline. The legislative history for SB24-205 shows the bill moved through committees with amendments before the governor signed it on May 17, 2024. The effective-date list maintained by the General Assembly places the law’s provisions at June 30, 2026, consistent with the two-year implementation period written into the statute.
SB26-189, enacted this month, layers on top of that timeline rather than extending it. The bill’s overview page in the General Assembly’s system, accessible via the session tracker, shows that it preserves the June 30 enforcement date while swapping in the new terminology. Enforcement authority remains with the attorney general, not a new agency or board. That means the same office that handles consumer-protection complaints about deceptive trade practices will also field allegations of algorithmic discrimination, using existing investigative tools and staff.
For affected businesses, the law creates several concrete obligations. Deployers must conduct risk assessments before putting covered systems into production. They must notify consumers when an automated tool contributes to an adverse decision in areas such as lending, hiring, or insurance underwriting. And they must provide a mechanism for consumers to challenge those decisions and request human review. Developers who build or sell these tools carry their own duties, including documentation of training data, known limitations, and intended use cases.
The attorney general’s rulemaking page also references a state transparency dashboard, hosted by the Governor’s Office of Information Technology, that could eventually serve as a public window into how agencies and private-sector deployers report their use of automated tools. No enforcement statistics, complaint counts, or compliance guidance documents have been published on the AG’s site as of mid-May 2026, leaving businesses to interpret the statutory text with limited official commentary.
Open questions six weeks before enforcement begins
The biggest unresolved issue is definitional. The bill text of SB26-189, available as a downloadable PDF through the legislature’s document system, introduces “automated decision-making technology” without the granular regulatory definitions that companies need to build compliance programs. The attorney general has committed to a public comment process, but final rules have not been issued. Until they are, businesses face a choice between over-complying, which is expensive, or under-complying, which carries enforcement risk.
A second gap involves the absence of published guidance on what a sufficient risk assessment looks like. The statute requires one, but neither the AG’s office nor the legislature has released a template, checklist, or safe-harbor framework. Companies in regulated industries like banking and insurance already perform model-risk management under federal rules, and whether those existing processes satisfy Colorado’s requirements is an open question that the rulemaking should address.
Third, no public data exists on how many businesses operating in Colorado currently use systems that would fall under either the old or new statutory language. Without a baseline count, the claim that SB26-189 expands coverage by a specific percentage cannot be tested. The forthcoming transparency dashboard could eventually provide that data, but its launch timeline has not been announced.
Consumer advocates and industry groups have not issued public statements through the legislative record or the AG’s landing page about projected compliance costs or implementation challenges. In the absence of that detail, policymakers, companies, and affected consumers are left to infer likely impacts from the statutory language and the enforcement tools already available to the attorney general. As the June 30, 2026 deadline approaches, the combination of firm obligations, evolving terminology, and incomplete guidance means that organizations using automated decision-making in Colorado must move quickly to inventory their systems, document their processes, and prepare for a regulatory regime that is still taking final shape.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
