Colorado SB 26-189: What Law Firm Analysis Confirms You Must Do Before January 1, 2027

SB 24-205 is gone. That’s worth saying plainly before explaining what replaced it, because the policy debate around Colorado’s AI law generated so much heat that compliance teams sometimes lose track of the practical question: what does your legal department need to build by January 1, 2027?

When TJS reported the signing on May 16, the structural headline was clear, Colorado repealed and replaced its original AI law, becoming the first state to reverse a comprehensive AI statute. What T1 law firm analysis published in the days following the signing has now clarified is the specific compliance architecture that replaced it: what’s required, who’s in scope, and what the enforcement timeline actually looks like.

What’s Gone

SB 24-205 imposed three obligations that are no longer law. It required developers of high-risk AI systems to exercise an affirmative duty of reasonable care to prevent algorithmic discrimination. It required annual impact assessments. It imposed a June 30, 2026 compliance deadline that would have applied to systems already in commercial deployment.

All three are gone. Per Seyfarth Shaw’s client alert and corroborating analysis from Buchalter, the repeal removes the most burdensome obligations the original law created: the duty of care standard, the annual assessment cycle, and the near-term deadline that had prompted the original industry pushback.

That rollback didn’t happen in a vacuum. Corporate lobbying, governor-led working groups, and a federal lawsuit filed by xAI, *xAI LLC v. Weiser*, were among the factors cited in legal analysis as contributing to the reversal. Colorado AG Philip J. Weiser stipulated to a stay of enforcement on April 27, 2026, before the replacement bill was enacted. The trajectory from enforcement stay to legislative repeal moved in under 30 days.

What Replaced It

SB 26-189 adopts an Automated Decision-Making Technology (ADMT) disclosure model. Three requirements now govern.

First, notification. Deployers, the companies that use ADMT systems to make decisions affecting Colorado residents, must notify users when an ADMT system materially influences a “consequential decision.” That standard comes directly from the statutory text, per DLA Piper’s analysis (source hint, URL pending resolution). “Consequential decision” covers employment, housing, credit, and similar high-stakes contexts. The notification obligation applies at the point of decision, not at the point of system deployment.

Second, record retention. Employers must retain records related to ADMT-driven decisions for at least three years, per Seyfarth Shaw’s analysis. That’s a compliance infrastructure requirement: your document retention policy, your logging architecture, and your audit trail design all need to support a three-year lookback window tied to individual decision events.

Third, human review pathway. The law preserves a mechanism for individuals to request human review of consequential decisions influenced by ADMT. Deployers need a documented process for receiving, routing, and responding to those requests, not just a technical capability, but an operational workflow.

These three requirements are lighter than what SB 24-205 proposed. They’re not light. A notification obligation tied to individual decision events, a three-year retention program, and an operational human review pathway each require legal, technical, and operational investment. The January 1, 2027 effective date gives compliance teams roughly seven months.

Who’s Now in Scope

This is where the “lighter framework” framing becomes complicated. According to law firm analysis, SB 26-189 reportedly modifies the scope of exemptions for smaller businesses. The original SB 24-205 exempted businesses with fewer than 50 full-time employees from its obligations. Compliance teams should verify the specific revised threshold against the enrolled bill text directly, the DLA Piper alert that addressed this point most directly had a broken URL at time of Filter processing, and that specific scope change couldn’t be independently confirmed from available sources.

What’s clear from multiple law firm analyses: the deployer category is broad. Any company using an automated system to make or substantially influence a consequential decision affecting a Colorado resident is likely a deployer under the statute. That includes companies headquartered outside Colorado. It includes companies using third-party AI tools for hiring screening, credit evaluation, or similar applications. The developer-versus-deployer distinction matters: developers must provide standard system documentation; deployers carry the notification and retention obligations.

The xAI litigation context is worth noting for a separate reason. *xAI LLC v. Weiser* remains technically active. Colorado AG Weiser stipulated to the enforcement stay but has not withdrawn from the underlying litigation. The rulemaking process that will flesh out the statute’s implementing rules hasn’t started. The practical compliance posture through January 1, 2027 involves building to the statute’s text while tracking what rulemaking produces.

The Three January 1, 2027 Compliance Requirements

Law firm analysis converges on three specific readiness requirements.

One: Build the disclosure framework. Map every ADMT system your organization uses that could materially influence a consequential decision affecting a Colorado resident. For each, design the notification mechanism, when it triggers, what it says, and how it’s delivered. This is a legal and UX requirement simultaneously.

Two: Build the record retention infrastructure. Three years of decision-level records is the floor. That means logging decisions at the individual level, not just at the system level. If your current data architecture aggregates ADMT outputs without preserving individual decision records, you have a gap to close before January 1.

Three: Build the human review pathway. This doesn’t require a dedicated review team, but it requires a documented process. Who receives a human review request? What’s the response timeline? How is the outcome communicated? This operational workflow needs to exist and be tested before the effective date.

What Compliance Teams Should Track Between Now and January 2027

Rulemaking is the open variable. The statute sets the framework; implementing rules will define the details. The AG’s office hasn’t published a rulemaking timeline. TJS has covered the multi-state compliance landscape that Colorado sits inside, compliance teams should be building modular frameworks that can absorb Colorado’s rulemaking without a complete rebuild.

Watch also for the federal preemption question. The White House has actively pushed for federal preemption of state AI laws, and Colorado’s repeal-and-replace sequence happened partly in that political context. Whether SB 26-189’s ADMT framework survives a federal preemption effort is unresolved. Building compliance infrastructure now is the right call regardless – but the framework should be designed for portability.

TJS Synthesis

Colorado’s AI law didn’t get weaker. It got narrower and later. The January 2027 date replaced a June 2026 deadline that the original law’s architects almost certainly knew was unworkable. The duty of care is gone, but the disclosure and retention obligations that replaced it are real, operational requirements, not symbolic ones. The seven months between now and the effective date is enough time to build a compliant program if you start in June. It’s not enough time if you wait for rulemaking to finalize. The catch is that rulemaking will clarify the rules you’re building to, which means the right strategy is to build to the statutory floor now and plan for a documented update cycle when implementing rules publish.