On May 14, 2026, Colorado Governor Jared Polis signed a new Colorado AI Act, S.B. 26-189 (the “2026 Act”),1 which repeals and replaces the prior Colorado AI Act, S.B. 24-205, which had passed in 2024 (the “2024 Act”) and was originally scheduled to take effect on June 30, 2026.2 As a result, the 2024 Act will not take effect, and the 2026 Act goes into effect January 1, 2027. This enactment reflects scrutiny from both the federal government3 and Colorado’s governor4 of the 2024 Act’s broad, sweeping AI regulatory framework.
Compared with the 2024 Act, the 2026 Act narrows Colorado’s AI governance framework by removing several broad developer and deployer obligations, including the duty of care imposed on both developers and deployers to avoid algorithmic discrimination, and the requirements that deployers implement risk management programs, conduct impact assessments and affirmatively report algorithmic discrimination information to the Colorado Attorney General. In their place, the 2026 Act imposes more tailored obligations, with key exceptions for HIPAA covered entities and business associates, as well as medical devices subject to FDA oversight.
Key Changes in the 2026 Act
The 2026 Act applies to developers and deployers of “Covered ADMT,” or automated decision-making technologies, that may be used to materially influence a consequential decision5 for certain covered domains such as health care services, insurance, education, employment, and housing.6 The 2026 Act imposes the following more tailored obligations:
- Developer Documentation: Covered ADMT developers must provide deployers with reasonably understandable documentation relating to intended uses for a given technology, known harmful or inappropriate uses, training-data categories, known limitations, appropriate use and monitoring instructions, and information needed for deployer compliance with the 2026 Act (described below), and must notify deployers of material updates and relevant changes.7 Developers must retain records of compliance with such documentation requirements for at least three years. In contrast to the 2024 Act, the 2026 Act does not require developers to provide detailed information for deployers to complete impact assessments.
- Deployer Notices and Records: Deployers must provide clear and conspicuous notice to consumers prior to using Covered ADMT to materially influence a consequential decision, including instructions on how the consumer may obtain additional information about the Covered ADMT. If using Covered ADMT to materially influence a consequential decision results in an adverse outcome for the consumer, the deployer must provide a disclosure8 to the consumer within 30 days, including a plain-language description of the consequential decision and the role of the Covered ADMT, as well as instructions and a simple process to request additional information and an explanation of their consumer rights, described below.9 Deployers must also retain records of compliance with such notice obligations for at least three years. In contrast to the 2024 Act, the 2026 Act does not require deployers to complete annual impact assessments or maintain risk management programs.
Retained Concepts from the 2024 Act
The 2026 Act carries forward the same general provisions relating to consumer rights as the 2024 Act, providing consumers who experience an adverse outcome as a result of Covered ADMT the right to request correction instructions for inaccurate personal data and, if commercially reasonable, meaningful human review and reconsideration.10
With respect to enforcement, like the 2024 Act, the 2026 Act does not create a new private right of action, instead treating violations as deceptive trade practices under the Colorado Consumer Protection Act,11 and vests exclusive enforcement authority in the Colorado Attorney General.
Key Exceptions for Health Care and Life Sciences
- HIPAA Covered Entities and Business Associates: HIPAA covered entities doing business in Colorado13 and their business associates are exempted from many of the developer and deployer obligations of the 2026 Act, unless they are using Covered ADMT to make employment-related consequential decisions.14 Instead, such entities must provide patients with (i) a general notice regarding how the entity is using advanced technologies, including Covered ADMT,15 and (ii) specified disclosures when Covered ADMT are used to determine patient eligibility for financial assistance.16 This is in contrast to the 2024 Act, which only exempted HIPAA covered entities in limited circumstances, e.g., where a health care provider was implementing any AI-generated recommendations.
- FDA-Regulated Products and R&D: Similar to the 2024 Act, the developer and deployer obligations of the 2026 Act do not apply to medical devices and certain pharmaceutical or medical-device research and development activities subject to FDA oversight, including clinical investigations.17
Key Takeaways
The 2026 Act provides health care entities more targeted obligations than the broad obligations initially imposed by the 2024 Act, but it does not eliminate the need for health care entities to carefully review their relevant AI tools and related use cases to ensure compliance ahead of the January 1, 2027 effective date. Ropes & Gray continues to monitor developments related to state and federal AI regulations, including through its Health AI Atlas and Standing Orders, Local Rules, and Decisions on the Use of AI tracker.
