Quick Buzz Feed
Colorado’s governor has signed an amendment (S.B. 26-189) to Colorado’s artificial intelligence law, substantially reducing the compliance burden on employers. The new law, effective January 1, 2027, focuses on pre-use notice, adverse action processes, and record retention for automated decision-making technology in employment.
The Colorado AI Act (CO AI Act) regulates the use of automated decision-making technology (ADMT) that "materially influences" a "consequential decision" in employment. This includes decisions related to access, eligibility, selection, or compensation. The Act applies to employers doing business in Colorado and only to residents of Colorado, explicitly excluding independent contractors. It carves out identity verification, cybersecurity activities, sanctions compliance, and low-stakes or routine administrative tasks like scheduling and workflow management. While ADMT is broadly defined as any technology processing personal data to generate output, the law specifically excludes clerical tools such as calculators, databases, spreadsheets requiring human analysis, and tools used solely to summarize, organize, translate, or present information for human review. Natural language processing and similar AI tools are also excluded if not intended for consequential decisions and subject to an acceptable use policy prohibiting such use.
The CO AI Act establishes three primary obligations for employers utilizing Covered ADMT: providing prior notice before its use, implementing a comprehensive adverse action process, and maintaining records related to the use of such technology for a specified period. These requirements aim to ensure transparency and accountability in the application of AI in employment decisions.
Before deploying Covered ADMT, employers are mandated to furnish a "clear and conspicuous" notice to individuals. This notice must explicitly state that the employer uses automated decision-making technology to materially influence a consequential decision. It should also include instructions on how the individual can obtain additional information about the technology. The Act suggests that a prominent public notice, reasonably accessible at points of consumer interaction, such as a link or post near the interaction where a consequential decision might occur, can satisfy this standard. For employment-related consequential decisions, this could involve providing notice during the online job application process or when employees submit self-evaluations for performance reviews.
Within 30 days of making an adverse decision that was materially influenced by the output of a Covered ADMT, the employer must issue a notice to the affected individual. This notice needs to provide a clear, plain language description of the consequential decision and detail the specific role the Covered ADMT played in that decision. Additionally, it must include instructions and a straightforward process for the individual to request further information about the Covered ADMT, including its name, version number (if applicable), developer, and the types, categories, and sources of personal data utilized. The notice must also explain the individual's right to correct factually incorrect or materially inaccurate personal data and the right to meaningful human review and reconsideration of the decision, along with instructions on how to exercise these rights. This human review, however, is required only to the extent it is "commercially reasonable."
The CO AI Act mandates that employers retain records deemed "reasonably necessary to demonstrate compliance" with the Act for a minimum of three years following a consequential decision, or longer if required by other state or federal laws. Examples of such records cited in the Act include Covered ADMT version identifiers, changelogs, and documentation of any material mitigation changes. Other essential records would likely encompass the specific version of the pre-use notice provided, documentation of how that notice was communicated prior to the adverse decision, the adverse action notice issued to the individual, and any records pertaining to the decision-making process itself.
The CO AI Act delineates the division of liability for algorithmic discrimination between developers and deployers of ADMT. Both parties may be held liable, but only to the extent of their respective fault. If an employer (deployer) uses a Covered ADMT as it was intended, documented, marketed, advertised, configured, or contracted by the developer, and the results are discriminatory, the developer would be held liable. Conversely, if a deployer uses the ADMT in a manner inconsistent with these terms, the deployer would be liable, absolving the developer. Crucially, the Act voids contractual indemnification provisions that attempt to shift liability for a party's own acts or omissions in violating Colorado's discrimination laws related to ADMT use, making such clauses unenforceable as against public policy. This invalidation does not apply if the Covered ADMT was used improperly by the deployer and the developer met its documentation duties.
A significant aspect of the CO AI Act is that it does not create a new private right of action, meaning individuals cannot directly sue for violations. Enforcement is exclusively reserved for the Colorado attorney general. Violations of the Act are categorized as unfair and deceptive trade practices, which can incur civil penalties of up to $20,000 for each instance. Before initiating any enforcement action, the attorney general is required to issue a 60-day notice of violation, providing the offending party with an opportunity to cure the violation, provided the attorney general determines that a cure is feasible. Furthermore, the Act mandates that the Colorado attorney general promulgate implementing regulations by January 1, 2027, indicating further refinement of the statutory framework.
The new CO AI Act substantially reduces the compliance obligations for employers compared to Colorado’s previous artificial intelligence law. Key mandates that have been eliminated include reporting discriminatory outcomes to the Colorado attorney general, conducting impact assessments, implementing a risk management policy and program, performing annual reviews of AI tools, updating privacy policies to detail AI tool usage, providing notice when interacting with an AI system, and an affirmative duty to avoid algorithmic discrimination. Instead, the CO AI Act relies on the prohibition against violating existing state and federal anti-discrimination laws. This amended law positions Colorado alongside California and New York City as the third U.S. jurisdiction with comprehensive AI legislation applicable to employers, combining provisions for notice, individual rights, and anti-discrimination. This contrasts with other state laws, like Illinois's, which primarily focus on notice, or simply affirm that existing anti-discrimination laws apply to AI tool use in employment.