Colorado AI Act FAQ — Everything Colorado Businesses Need to Know About SB 24-205
The Colorado Artificial Intelligence Act takes effect June 30, 2026. These are the questions Colorado business owners, HR professionals, landlords, and attorneys ask most often about what SB 24-205 requires, who it covers, and what compliance looks like in practice. Every answer is written in plain English with no attorney jargon.
What is the Colorado AI Act?
The Colorado AI Act, formally known as Senate Bill 24-205 and titled Consumer Protections for Artificial Intelligence, is a Colorado state law signed by Governor Jared Polis on May 17, 2024. It is the first comprehensive state AI law in the United States. The law takes effect June 30, 2026 and requires businesses that deploy high-risk AI systems in consequential decisions affecting Colorado residents to implement documented risk management programs, conduct impact assessments, provide consumer disclosures, and offer appeal rights.
What is SB 24-205?
SB 24-205 is the bill number for the Colorado Artificial Intelligence Act. The number stands for Senate Bill 205 of the 2024 Colorado legislative session. The law is formally titled Consumer Protections for Artificial Intelligence and is often referred to as the Colorado AI Act, CAIA, or SB 24-205. It takes effect June 30, 2026.
When does the Colorado AI Act take effect?
The Colorado AI Act takes effect June 30, 2026. The original effective date was February 1, 2026, but a special legislative session in August 2025 delayed it to June 30, 2026. This delay was intended to give businesses more time to prepare and the legislature more time to consider potential amendments. The core compliance obligations remain unchanged from the original law.
Who does the Colorado AI Act apply to?
The Colorado AI Act applies to developers and deployers of high-risk AI systems that make or substantially influence consequential decisions affecting Colorado residents. Developers are companies that build or substantially modify AI systems. Deployers are businesses that use those systems to make decisions. The law applies to businesses of all sizes, though there is a limited exemption for deployers with fewer than 50 full-time employees who do not train the AI system on their own data.
Does the Colorado AI Act apply to small businesses?
Yes, with a limited exception. The Colorado AI Act applies to deployers of all sizes. There is a narrow exemption for deployers with fewer than 50 full-time employees who do not train the AI system using their own data. Most small businesses using third-party AI platforms like Indeed, Checkr, or scheduling software do not train those systems with their own data and are therefore covered by the law regardless of their size.
What is a high-risk AI system under the Colorado AI Act?
A high-risk AI system under the Colorado AI Act is any AI system that, when deployed, makes or is a substantial factor in making a consequential decision. If the AI system substantially influences decisions about employment, housing, credit, education, healthcare, insurance, or legal services affecting Colorado residents, it is a high-risk system. The definition is deliberately broad and captures most AI-assisted decision-making in these categories.
What is a consequential decision under SB 24-205?
A consequential decision under the Colorado AI Act is one that has a material legal or similarly significant effect on a Colorado resident's access to or cost of education, employment, housing, credit, healthcare, insurance, or legal services. If an AI-assisted process significantly affects a Colorado resident's ability to get a job, rent an apartment, obtain a loan, receive healthcare, or access other essential services, it involves consequential decisions.
What is a deployer under the Colorado AI Act?
A deployer under the Colorado AI Act is any business or person doing business in Colorado that deploys a high-risk AI system to make or substantially influence consequential decisions affecting Colorado residents. You do not need to build AI to be a deployer. If you use a platform like Indeed, TransUnion SmartMove, Workday, or Checkr in ways that influence consequential decisions, you are a deployer.
Does SB 24-205 apply if I use third-party software?
Yes. The Colorado AI Act's deployer obligations apply to businesses that use AI systems, not just those that build them. If you use third-party AI-powered platforms in consequential decisions affecting Colorado residents, you have SB 24-205 compliance obligations as a deployer. This includes using Indeed for hiring, TransUnion SmartMove for tenant screening, Checkr for background checks, and similar services.
Does the Colorado AI Act apply to landlords?
Yes. Colorado landlords using AI-assisted tenant screening platforms are among the most clearly covered deployers under SB 24-205. Housing is explicitly listed as a consequential decision category. Landlords using TransUnion SmartMove, RentSpree, Experian's tenant screening products, or similar AI-assisted tools must implement a risk management policy, conduct an impact assessment, provide disclosure to applicants, and offer an appeal process.
Does the Colorado AI Act apply to restaurants?
Yes. Colorado restaurants using AI-assisted scheduling platforms like 7shifts, HotSchedules, Deputy, or When I Work are deployers under SB 24-205. AI-assisted scheduling decisions that affect employee hours and income are consequential employment decisions. Additionally, any Colorado restaurant that has posted jobs on AI-powered hiring platforms like Indeed or ZipRecruiter is a deployer for those hiring decisions.
Does the Colorado AI Act apply to lenders?
Yes, with an important exception for federally regulated financial institutions. Colorado banks and credit unions that are subject to examination by a state or federal prudential regulator under published AI guidance or regulations that meet the law's criteria are in full compliance with SB 24-205 through their existing regulatory oversight. Other lenders using AI in credit decisions must comply with the full requirements of the Colorado AI Act.
Is there a small business exemption in the Colorado AI Act?
There is a limited exemption for deployers with fewer than 50 full-time employees who do not train the AI system using their own data. However, most small businesses using third-party AI platforms — hiring sites, background check services, scheduling software — do not train those systems with their own data. These small businesses are still covered by the law as deployers, even though they have fewer than 50 employees.
What does the Colorado AI Act require deployers to do?
The Colorado AI Act requires deployers to: implement a written risk management policy and program for each high-risk AI system; complete impact assessments for each system documenting its purpose, data inputs, discrimination risks, and mitigation measures; update those assessments annually; notify consumers when AI is used in consequential decisions about them; provide consumers with an opportunity to correct incorrect data; offer consumers the right to appeal adverse AI-assisted decisions and request human review; and maintain documentation of all of the above.
What is an impact assessment under SB 24-205?
An impact assessment under the Colorado AI Act is a documented analysis of a high-risk AI system that covers the system's purpose and intended uses, the data it processes, known and reasonably foreseeable risks of algorithmic discrimination, the deployer's mitigation measures for those risks, and how the system's performance is monitored. Impact assessments must be completed before deploying a high-risk system and updated annually and whenever the system changes significantly.
How often do impact assessments need to be updated?
Impact assessments under the Colorado AI Act must be reviewed and updated at least annually. They must also be updated whenever a deployer makes a significant change to how they use a high-risk AI system — for example, switching platforms, changing screening criteria, or adopting new AI features within an existing platform. Annual updates should be scheduled on the calendar and documented as part of the ongoing compliance record.
What goes in a Colorado AI Act impact assessment?
A Colorado AI Act impact assessment must include: a description of the AI system's purpose and intended use; the categories of data the system processes; known and reasonably foreseeable risks of algorithmic discrimination; the steps being taken to mitigate those risks; performance metrics being used to monitor the system; and documentation of human oversight protocols. The assessment should be specific to each AI system — a business using five AI-powered platforms needs five separate assessments.
What is a risk management policy under SB 24-205?
A risk management policy under the Colorado AI Act is a written governance document that identifies the AI systems a deployer uses, the risks those systems create, and how the deployer manages those risks. The policy must address algorithmic discrimination risks specifically. It should name responsible personnel, define review and approval processes, and integrate AI oversight into existing compliance programs. The policy must be documented and maintained as part of the deployer's compliance record.
What consumer disclosures does the Colorado AI Act require?
The Colorado AI Act requires deployers to notify consumers before or at the time of a consequential decision that a high-risk AI system was used or will be used in that decision. The disclosure must describe the nature of the consequential decision, the role AI played in it, and the consumer's right to appeal. Additionally, if the AI system processes personal data, consumers must be informed of their right under the Colorado Privacy Act to opt out of having their data processed by the AI system.
What is the appeal requirement under the Colorado AI Act?
The Colorado AI Act requires deployers to provide consumers with a meaningful opportunity to appeal adverse consequential decisions made by or substantially influenced by a high-risk AI system. The appeal process must allow the consumer to request human review of the decision if human review is technically feasible. Deployers must communicate the appeal process to consumers at the time of the adverse decision and must maintain a log of appeals received and their outcomes.
What does meaningful human review mean under SB 24-205?
Meaningful human review under the Colorado AI Act means a genuine review of the AI-assisted decision by a human being who has the authority and information needed to reach a different outcome. It is not satisfied by a token review process that is so difficult to access or superficial in practice that no applicant would exercise it or no reviewer would change a decision. The person conducting the review must actually examine the specific circumstances of the individual's situation, not just confirm the AI's output.
What are the penalties for violating the Colorado AI Act?
Violations of the Colorado AI Act constitute unfair trade practices under the Colorado Consumer Protection Act. The Colorado AG has exclusive enforcement authority and can seek civil penalties, injunctive relief, and attorney's fees. The law does not specify a per-violation dollar amount in the same way TRAIGA does, but unfair trade practice violations in Colorado can result in significant financial penalties. Violations identified through AG investigation are subject to the 60-day cure period before penalties accrue.
Does SB 24-205 have a private right of action?
No. The Colorado AI Act grants the Colorado Attorney General exclusive enforcement authority. There is no private right of action — individuals cannot sue businesses directly under SB 24-205. However, violations of the Colorado AI Act may support claims under the Colorado Consumer Protection Act or other state and federal civil rights laws that do allow private lawsuits.
What is the cure period under the Colorado AI Act?
The Colorado AI Act provides a 60-day cure period after the AG notifies a business of a violation. During this period, the business must cure the violation, document how it was cured, and explain what changes were made to prevent recurrence. If the violation is cured within 60 days, the AG may decline to pursue further enforcement. Violations that cannot be cured within 60 days may result in enforcement action regardless of remediation efforts.
How does the Colorado AG enforce SB 24-205?
The Colorado Attorney General enforces SB 24-205 by investigating complaints from consumers and by initiating its own investigations. The AG can issue civil investigative demands requesting extensive documentation — including impact assessments, vendor contracts, appeal process records, and evidence of human oversight. After investigation, if a violation is found, the AG issues written notice and allows 60 days to cure before pursuing enforcement action and civil penalties.
What is an unfair trade practice under the Colorado AI Act?
Under the Colorado AI Act, violations of the law's requirements constitute unfair trade practices under the Colorado Consumer Protection Act. This is the enforcement mechanism the law uses to create penalties. The Colorado Consumer Protection Act allows the AG to seek substantial civil penalties for unfair trade practices, and the classification of AI Act violations as unfair trade practices signals that the legislature intended meaningful financial consequences for non-compliance.
What is the safe harbor under the Colorado AI Act?
The Colorado AI Act provides a rebuttable presumption of reasonable care for deployers that: implement a written risk management policy and program, complete impact assessments on the required timeline, conduct annual reviews of each high-risk AI system, provide required consumer disclosures, offer correction and appeal rights, and make a publicly available statement about their AI governance practices. Additionally, compliance with a nationally or internationally recognized risk management framework such as NIST AI RMF creates an affirmative defense.
Does NIST AI RMF compliance protect me under SB 24-205?
Yes. The Colorado AI Act explicitly references the NIST AI Risk Management Framework as a recognized standard. Compliance with NIST AI RMF, combined with the measures required to discover and correct violations, provides an affirmative defense under SB 24-205. While Colorado does not have the same explicit safe harbor as TRAIGA, documented NIST AI RMF alignment is the strongest available compliance posture under the Colorado AI Act.
What is the rebuttable presumption of reasonable care?
The rebuttable presumption of reasonable care under the Colorado AI Act means that if a deployer complies with specified requirements — implementing a risk management policy, completing impact assessments, conducting annual reviews, providing consumer disclosures, and offering appeal rights — there is a legal presumption that the deployer acted with reasonable care. The AG must overcome this presumption to establish a violation. It is one of the strongest legal protections available to Colorado businesses that build complete compliance records.
Will the Colorado AI Act be repealed before June 30?
Full repeal of the Colorado AI Act before June 30, 2026 is unlikely. The legislature has debated modifications and delayed the effective date once, but has not repealed the law. The working group continues to meet and may recommend modifications, but the core compliance obligations are stable across all versions of the debate. Businesses should build compliance programs based on the law as written and be prepared to adjust if specific provisions change.
What amendments are being proposed to SB 24-205?
As of April 2026, proposed amendments to the Colorado AI Act include narrowing the definition of high-risk AI systems, creating more explicit safe harbors aligned with recognized frameworks, modifying the impact assessment requirements to reduce burden on small businesses, and potentially shifting more responsibility to developers rather than deployers. None of the active proposals involve full repeal. The core obligations around risk management, documentation, disclosure, and appeal rights are unlikely to be eliminated.
What did the special session do to the Colorado AI Act?
The August 2025 Colorado special legislative session produced four competing amendment bills but ultimately did not pass substantive changes to SB 24-205. The session's primary outcome was the passage of SB 25B-004, which delayed the effective date from February 1, 2026 to June 30, 2026. The additional time was intended to allow the regular 2026 legislative session to consider substantive amendments without the pressure of an imminent effective date.
Will federal law override the Colorado AI Act?
As of April 2026, the Colorado AI Act is scheduled to take effect June 30, 2026 and no federal law has preempted it. Congress has twice rejected federal AI preemption proposals. A December 2025 executive order directing the DOJ to challenge state AI laws faces significant legal hurdles and cannot override state law by itself. The Colorado AI Act is expected to take effect as scheduled unless a court or Congress acts before June 30, 2026.
How is the Colorado AI Act different from Texas TRAIGA?
Colorado's AI Act is impact-based — it focuses on preventing algorithmic discrimination regardless of intent. TRAIGA is intent-based — it focuses on whether AI was deliberately deployed to harm or discriminate. Colorado requires annual impact assessments and a specific consumer appeal process that TRAIGA does not mandate. TRAIGA has an explicit NIST AI RMF safe harbor; Colorado's safe harbor is less explicit. Colorado's requirements are more procedurally detailed and more demanding for deployers.
Is the Colorado AI Act based on the EU AI Act?
The Colorado AI Act is partly inspired by the EU AI Act's risk-based approach to AI governance, but it is significantly narrower in scope. The EU AI Act creates a four-tier risk classification system covering a wide range of AI applications. The Colorado AI Act focuses specifically on high-risk AI systems that influence consequential decisions in categories like employment, housing, credit, healthcare, and education. Colorado's law is also enforced exclusively by the AG, unlike the EU's multi-agency approach.
Does using Indeed trigger Colorado AI Act compliance?
Yes. Indeed uses AI to rank and recommend job applicants. Every Colorado employer that uses Indeed in its hiring process is a deployer under SB 24-205. Colorado employers using Indeed must implement a risk management policy covering Indeed's use, complete an impact assessment for Indeed's AI system, provide disclosure to applicants that AI was used in the hiring process, and offer applicants an appeal process for AI-assisted hiring decisions.
Does using TransUnion SmartMove trigger Colorado AI Act compliance?
Yes. TransUnion SmartMove uses AI to generate tenant risk scores used in housing decisions. Colorado landlords using SmartMove are deployers under SB 24-205. They must implement a risk management policy, complete an impact assessment for SmartMove, provide disclosure to rental applicants that AI-assisted screening was used, and offer applicants a meaningful appeal process including the opportunity to request human review of adverse tenancy decisions.
Does using Checkr trigger Colorado AI Act compliance?
Yes. Checkr uses AI in its background screening workflow. Colorado employers using Checkr to screen job applicants or employees are SB 24-205 deployers. They must implement a risk management policy covering Checkr's use, complete an impact assessment for Checkr's AI systems, implement human review of Checkr reports before taking adverse employment action, and provide applicants with disclosure and appeal rights.
What is the difference between a developer and a deployer under SB 24-205?
A developer under the Colorado AI Act is a business doing business in Colorado that develops or intentionally and substantially modifies a high-risk AI system. A deployer is a business doing business in Colorado that deploys a high-risk AI system to make or substantially influence consequential decisions. Most Colorado small businesses using existing software platforms are deployers, not developers. Developers have obligations to provide documentation to deployers and to disclose known discrimination risks.
Which state has the strictest AI law?
Colorado's AI Act is generally considered more demanding for deployers than Texas TRAIGA because of its impact-based standard, annual impact assessment requirement, and specific consumer appeal and human review requirements. Colorado was the first state to pass comprehensive AI governance legislation. The EU AI Act remains the most comprehensive AI governance framework globally, but it applies to European Union member states rather than US businesses directly.
This FAQ is for informational purposes and does not constitute legal advice. For legal advice specific to your situation, consult a licensed Colorado attorney. Last updated April 2026.