Key Takeaways
- Colorado’s 2024 Artificial Intelligence Act (AI Act) is the nation’s most comprehensive AI‑focused statute, set to take effect June 30, 2026.
- On March 17, 2026 the Colorado AI Policy Work Group, backed by Governor Jared Polis, released a proposal that would replace much of the AI Act with a narrower regime focused on transparency and notice, and would push the effective date to January 1, 2027.
- The proposal eliminates many onerous obligations—risk‑management programs, impact assessments, annual reviews, and algorithmic‑discrimination reporting—while retaining notice, adverse‑outcome disclosures, optional human review, and record‑keeping requirements enforced by the Colorado Attorney General (no private right of action).
- Because the proposal is still only a draft, employers must continue to prepare for compliance with the original AI Act on its current effective date unless and until the amendments are enacted.
Overview of the AI Act and the Proposed Framework
In 2024 Colorado enacted the Colorado Artificial Intelligence Act (the “AI Act”), described as “the most comprehensive measure regulating the use of AI in the nation.” The law’s original effective date is June 30, 2026. Amid significant stakeholder concerns, the Colorado AI Policy Work Group (the “Work Group”), with Governor Jared Polis’s backing, issued a proposed framework (the “Proposal”) on March 17, 2026. If adopted, the Proposal would “replace much of the original AI Act with a more streamlined regime” and would also “delay the law’s effective date from June 30, 2026 to January 1, 2027.”
Shifting the Regulatory Focus: From High‑Risk AI to Automated Decision‑Making Tools
The AI Act currently governs “high‑risk artificial intelligence systems.” The Proposal, by contrast, would regulate “certain uses of ‘automated decision‑making tools’ (‘ADMT’) in ‘consequential decisions.’” This shift narrows the scope from a broad risk‑based categorization to a more specific focus on tools that directly influence decisions affecting individuals.
Definitions of ADMT and Consequential Decisions
The Proposal defines ADMT as “any technology that processes personal information and uses computation to generate output including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.” A “consequential” decision is described as “a decision, determination, or action for a consumer, employee or applicant relating to one or more” of several domains—including “employment or an employment opportunity”—and which is “reasonably likely” to “materially limit, delay, effectively deny, or otherwise fundamentally alter the individual’s access, eligibility or opportunity.”
What Constitutes “Covered” ADMT and What Is Excluded
Not every use of ADMT triggers the Proposal’s requirements; it applies only to “covered ADMT” that “materially influences” a consequential decision. This means an ADMT output that “is a non‑de minimis factor that is used in making a consequential decision” and “affects the outcome of the decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made.” The Proposal explicitly clarifies that the term does not include “incidental, trivial, or clerical uses” of ADMT. Additionally, certain technologies are carved out, such as “spellcheckers, calculators, and spreadsheets that require human analysis and do not use machine learning.”
Pre‑Use Notice Obligations
Before covered ADMT is employed in connection with a consequential decision, a deployer must provide notice. The Proposal states that “a deployer would be required to provide notice that covered ADMT is being used and explain how an individual can obtain additional information.” This notice may be delivered through a public notice that is “reasonably accessible at points of interaction” and could be given “through a link or posting reasonably proximate to the interaction.”
Adverse‑Outcome Disclosures and Human Review Options
When covered ADMT contributes to an adverse consequential decision, the Proposal mandates detailed disclosures within 30 calendar days. The required notice must include:
- “A plain‑language description of the consequential decision and the role the covered ADMT played in the decision;”
- “Instructions and a simple to follow process to request additional information about the ADMT and the inputs including the name of the ADMT, the ADMT version number if applicable, the ADMT developer and the types, categories, and sources of personal data used, to the extent reasonably known to the deployer and/or provided by the developer;”
- “Information on how to request personal data under the Colorado Privacy Laws and how to correct materially inaccurate personal data consistent with section 6‑1‑1306;” and
- “Information on how to request meaningful human review or reconsideration, if available.”
The Proposal notes that “the specific elements of such disclosures be further clarified through rulemaking” and affirms that an affected individual may request “meaningful human review and reconsideration.”
Elimination of Bulky Compliance Obligations
One of the most notable changes in the Proposal is the removal of several heavyweight requirements present in the original AI Act. As the text explains, “under the Proposal, employers would no longer be required to implement risk management policies, conduct impact assessments and annual reviews, or report algorithmic discrimination.” By stripping out these provisions, the Proposal aims to reduce administrative burden while retaining core transparency safeguards.
Enforcement Mechanism and Cure Period
Enforcement under the Proposal would remain the responsibility of the Colorado Attorney General; the proposal does not create a private right of action. Before pursuing civil penalties, the Attorney General must “provide written notice of the alleged violation and an opportunity to cure within 90 days.” If the violation is cured within that window and a written statement “describing the cure” is submitted, “civil penalties would not be available for that specific violation.” This notice‑and‑cure approach is designed to encourage compliance without immediate punitive exposure.
Current Status and Practical Guidance for Employers
At present, the Proposal remains just that—a proposal. The AI Act continues to be the governing law and is still slated to take effect on June 30, 2026. Employers should therefore treat the AI Act as the baseline for compliance planning, while monitoring legislative developments for any adoption of the Work Group’s streamlined framework. As the analysis concludes, “even so, the Proposal is a significant step toward amending the AI Act and, if enacted, would remove significant obligations on employers. We will continue to monitor developments in this area of the law.” Preparing for the original requirements—such as drafting notice policies, establishing adverse‑outcome disclosure procedures, and ensuring record‑keeping readiness—remains prudent unless and until the amendments are formally enacted.
Colorado Takes a Major Step Towards Rewriting Its AI Law As Its Effective Date Approaches