Colorado State Capitol
Listen to this post

Key point: Colorado has repealed and replaced the Colorado AI Act, amid years of skepticism from industry critics.

On May 14, Colorado Governor Jared Polis signed SB 26-189 into law, repealing and replacing the landmark Colorado Artificial Intelligence Act (CAIA), just under two months before it was set to take effect. CAIA was enacted in 2024 with an amended effective date of June 30, 2026.

CAIA had drawn immediate criticism due to its broad scope, potential burdens on Colorado businesses adopting artificial intelligence (AI), and compliance uncertainty. Its replacement, the Colorado Automated Decision-Making Technology Act (CADMA), takes effect on January 1, 2027, and adopts a far narrower approach to AI regulation that seeks to address those criticisms.

Key Changes

In short, CADMA narrows and changes the scope of Colorado’s AI law by:

  • replacing CAIA’s broad “high-risk AI system” framework with a “covered Automated Decision-Making Technology (ADMT)” standard that is limited to technologies that process personal data and materially influence consequential decisions
  • eliminating the concept of “algorithmic discrimination” and its associated risk management, risk and impact assessment, and disclosure obligations
  • restructuring the Developer and Deployer definitions with new exceptions for Developers using ADMT for research or internal use, designing components of an ADMT, or creating ADMT that is subsequently modified by third parties to change its intended use
  • streamlining consumer notice requirements and
  • replacing CAIA’s affirmative defense framework with a 60-day notice-and-cure period administered by the Colorado Attorney General.

“Covered ADMT” – A Narrower Regulatory Scope

Under CAIA, an “AI System” was broadly defined to encompass most machine-based systems that take inputs and generate outputs influencing physical or virtual environments, covering those that make or serve as a substantial factor in making a consequential decision (High-Risk AI Systems). CADMA replaces the high-risk system with ADMT that either processes personal data as defined by the Colorado Privacy Act, uses computation and generates outputs used to make, guide, or assist a decision about an individual. Systems that process only de-identified data or publicly available information are excluded.

Further, CADMA’s framework only applies to Covered ADMT – those technologies that “materially influence a consequential decision.” The Covered ADMT definition is narrower than CAIA’s substantial factor test in two key respects: (1) the Covered ADMT output must be a non-de minimis factor in the decision, and (2) it must affect the outcome, not merely have the potential to do so.

Likewise, CADMA also tightens the “consequential decision” definition in three notable ways: (1) it replaces CAIA’s broad “material legal or similarly significant effect” standard with a concrete test tied to access, eligibility, selection, or compensation within Covered Domains (education, employment, financial services, essential government services, healthcare, housing, and insurance – but notably not legal services); (2) it adds a standalone prong for algorithmic pricing and differential terms; and (3) it expressly excludes routine activities such as scheduling, customer service triage, workflow management, advertising, and content moderation.

What CADMA Means for Developers and Deployers

CADMA, like CAIA, still defines “Developers” and “Deployers” of Covered ADMT; requires them to comply with certain documentation and notice requirements; and prohibits them from engaging in consequential decisions using Covered ADMT that violate anti-discrimination laws.

While CADMA alters the scope and effect of these requirements, including the definitions of Developer, it retains CAIA’s definition of Deployer.

Under CAIA, “Developer” was broadly defined as any person doing business in Colorado that develops or intentionally and substantially modifies an AI System. CADMA restructures “Developer” to cover persons that:

  • develop, offer, sell, lease, license, or otherwise make commercially available a Covered ADMT
  • develop a component designed or intended to be part of a Covered ADMT or
  • intentionally and substantially modify an ADMT such that it becomes Covered ADMT.

Importantly, CADMA carves out from the Developer definition: (1) persons developing ADMT solely for research or internal use; (2) “Preceding Developers” where an unaffiliated party later modified the system; and (3) “Component Developers” whose component was integrated without their knowledge.

Reduced Obligations for Developers and Deployers, but a Larger Consumer Population

CADMA removes the concept of “algorithmic discrimination” and its associated obligations on Developers and Deployers, including the risk management, risk and impact assessment, documentation, and broad disclosure requirements. However, Developers who intend their ADMT to be used as Covered ADMT must still make certain technical documentation available to Deployers. And both Developers and Deployers must retain compliance records, including version identifiers, changelogs, and documentation of material mitigation changes, for at least three years from the date of each consequential decision.

On consumer notices, CADMA streamlines CAIA’s requirements. Before a consequential decision is made, a Deployer need only provide a clear and conspicuous notice that Covered ADMT was or will be used, with instructions for requesting additional information. Post-decision, for adverse consequential decisions, the Deployer has 30 days to provide a plain-language description of the decision and the ADMT’s role, information about how to request further details, and an explanation of consumer rights. CADMA retains consumers’ rights to correct inaccurate personal data and to request a meaningful human review by a trained individual with authority to approve, modify, or override the decision.

Critically for employers, CADMA adopts the Colorado Privacy Act’s definition of consumer, but CADMA expands that definition to include employees, job applicants who are Colorado residents, and any individual—regardless of residency—whose access to, eligibility for, or opportunity in Colorado is evaluated through a consequential decision made by a Colorado business using Covered ADMT.

Enforcement and a New 60-Day Right to Cure

Changes in Enforcement

Like CAIA, CADMA treats a violation as a deceptive trade practice under the Colorado Consumer Protection Act, exclusively enforceable by the Colorado Attorney General, with no private right of action for consumers. However, CADMA replaces CAIA’s affirmative defense framework with a requirement that the Colorado Attorney General must notify the Developer or Deployer of an alleged violation, where a cure is possible, and afford 60 days to cure, except where the Developer or Deployer knowingly or repeatedly violates CADMA, or where the AG determines a cure is not possible.

Developers and Deployers remain liable for unlawful discrimination arising from consequential decisions materially influenced by Covered ADMT. CADMA allocates fault based on relative responsibility, shields Developers from liability where the Deployer used Covered ADMT outside its intended or contracted use and prohibits indemnification provisions that shift liability for discriminatory acts.

What Should Colorado Businesses Do Now?

With CADMA set to take effect on January 1, 2027, Colorado businesses should begin preparing now by (1) assessing whether existing AI tools and automated systems qualify as Covered ADMT, (2) creating or updating their AI governance programs, risk assessments, consumer-facing notices and processes, and (3) reviewing Developer-Deployer contracts to ensure alignment with CADMA.

We will continue to monitor developments related to CADMA, including any rulemaking by the Colorado Attorney General.