Introduction
Who's in scope​
How Colorado differs
Implement
AI Regulation 

Colorado AI Act

Colorado AI Act (SB 24-205)

What You Actually Need To Do

  • Law signed: May 17, 2024
  • Current start date: June 30, 2026 (moved from Feb 1, 2026 by SB25B-004 during the Aug 2025 special session). 
  • Rulemaking: Colorado AG has exclusive enforcement & rulemaking authority; watch AG materials for updates. 

BOOK A FREE AI ADVISORY CALL

CALL US

Who's in scope

Developers (build or substantially modify) and Deployers (use) of High-Risk AI Systems—AI that makes, or is a substantial factor in making, consequential decisions (education, employment, lending/financial, essential government services, health care, housing, insurance, legal services). There are explicit carve-outs (e.g., cybersecurity, spam filtering, “chat” that only provides info/referrals under an acceptable-use policy, etc.).

Concrete obligations you can’t skip 

For Developers (from Jun 30, 2026):

  • Use reasonable care to avoid algorithmic discrimination.
  • Provide technical documentation to deployers + public statement summarizing high-risk systems & risk management.
  • Notify the Colorado AG (and known deployers) of any known or reasonably foreseeable algorithmic-discrimination risks within 90 days of discovery.

For Deployers (from Jun 30, 2026):

  • Stand up an AI risk-management program.
  • Conduct impact assessments for each high-risk system (initial + annual, and within ~90 days after substantial modification).
  • Website notice: list deployed high-risk systems, how you manage risks, and the nature/source/extent of data used.
  • Consumer notices:
  • Before using AI to make (or substantially influence) a consequential decision.
  • After adverse decisions: include principal reasons, AI’s role, and data types/sources; provide a chance to correct data & appeal.
  • Notify the AG within 90 days if your system caused algorithmic discrimination.

Notable exemptions / safe harbors:

  • Small deployers (<50 FTE) get limited relief if they didn’t train the model, use it as intended, and have an impact assessment from the provider.
  • Insurers and banks/credit unions meeting sectoral supervisory guidance can be deemed in compliance.

Transparency for any consumer-facing AI (not just high-risk):  Disclose that users are interacting with AI (unless obvious)

How Colorado differs from other headline rules

Versus the EU AI Act

Focus:
Colorado is a consumer-protection/anti-discrimination statute enforced by the state AG; the EU Act is a product-safety regime with conformity assessment/CE marking for high-risk uses and separate GPAI (foundation-model) duties. 

Timing:
EU prohibitions and literacy duties start earlier; GPAI/model obligations ~Aug 2025; high-risk provider duties ~Aug 2026 (EU has stated no pause). Colorado compliance starts D.

Artifacts:
EU requires technical documentation, risk management, post-market monitoring, and, for many use cases, notified-body assessment; Colorado centers on impact assessments, website/consumer notices, and 90-day AG reporting.

Versus NYC Local Law 144 (AEDT for hiring)

Scope:
NYC LL144 covers only employment tools used in NYC and requires an annual independent bias audit + public posting and 10-business-day notice to candidates. Colorado spans eight consequential domains and mandates impact assessments (not third-party bias audits), consumer notices, and AG reporting

Penalties/ Enforcement:
Penalties/Enforcement: NYC is enforced by DCWP with per-violation fines; Colorado treats violations as deceptive trade practices under the Colorado Consumer Protection Act with AG enforcement.

Versus Utah’s AI Policy Act (SB 149, 2024)

Scope:
Utah is mostly a disclosure law (say it’s AI when asked; disclose at the outset for licensed services; election-content labels). Colorado is a risk-based framework with risk programs, impact assessments, and AG reporting.

Versus Tennessee’s ELVIS Act (2024)

Scope:
Tennessee targets voice/likeness deepfakes and creates private rights of actionit’s not an AI system governance law. Colorado governs systems making consequential decisions.

What we’ll implement for you (T3)

System inventory & risk tiering 

 (map consequential-decision uses; identify carve-outs/safe harbors).

Policy stack & controls 

risk-management program aligned to Colorado + harmonized with NIST AI RMF/ISO 42001 to reuse for EU).

Impact assessment kit

(initial/annual templates; adverse-decision & appeal workflows; 90-day AG notification playbook).

Public/consumer notices 

 (website disclosures, pre-decision and adverse-decision notice language, record-keeping).

Training

 for HR, Risk, Legal, Eng, and Support on Colorado-specific duties vs EU/NYC/Utah/TN so teams know exactly what to do.

Global AI Regulation

Switzerland AI
Regulation

United Kingdom AI Regulation

Canada AI Regulation

EU AI Regulation

Japan AI Regulation

Australia AI
Regulation

United States AI Federal
Regulation

United Sates AI States
Regulation

Read MoreRead More
our articles

Discover Our Services

Contact Now

STOP INVENTING
START IMROVING

If you want truly to understand something, try to change it.

Kurt Levin

Post Merger Integration
& Re-orgs

Digital Transformation

Want to hire
AI Regulations Expert?

Book a call with our experts

Book Now

Contact

Contact Us