Ropes & Gray Logo
Page Translations
  • Home
  • Insights
  • Colorado Scales Back AI Law, with Targeted Implications for Health Care

Colorado Scales Back AI Law, with Targeted Implications for Health Care

Alert
May 19, 2026
4 minutes
Printer-friendly Version
Authors:
Jamie E. Darch , Peyton Brooks , Shanzeh Daudi , Daniel Hinckley , Alexandra Kaye

On May 14, 2026, Colorado Governor Jared Polis signed a new Colorado AI Act, S.B. 26-189 (the “2026 Act”),1 which repeals and replaces the prior Colorado AI Act, S.B. 24-205, which had passed in 2024 (the “2024 Act”) and was originally scheduled to take effect on June 30, 2026.2 As a result, the 2024 Act will not take effect, and the 2026 Act goes into effect January 1, 2027. This enactment reflects both scrutiny from the federal government3 and Colorado’s governor4 for the 2024 Act’s broad, sweeping AI regulatory framework.

Compared with the 2024 Act, the 2026 Act narrows Colorado’s AI governance framework by removing several broad developer and deployer obligations, including imposing a duty of care on both developers and deployers to avoid algorithmic discrimination, and requiring deployers to implement risk management programs, conduct impact assessments and affirmatively report algorithmic discrimination information to the Colorado Attorney General. In its place, the 2026 Act imposes more tailored obligations, with key exceptions for HIPAA covered entities and business associates, as well as medical devices subject to FDA oversight.

Key Changes in the 2026 Act

The 2026 Act applies to developers and deployers of “Covered ADMT,” or automated decision-making technologies, that may be used to materially influence a consequential decision5 for certain covered domains such as health care services, insurance, education, employment, and housing.6 The 2026 Act imposes the following more tailored obligations:

  • Developer Documentation: Covered ADMT developers must provide deployers with reasonably understandable documentation relating to intended uses for a given technology, known harmful or inappropriate uses, training-data categories, known limitations, appropriate use and monitoring instructions, and information needed for deployer compliance with the 2026 Act (described below), and must notify deployers of material updates and relevant changes.7 Developers must retain records of compliance with such documentation requirements for at least three years. In contrast to the 2024 Act, the 2026 Act does not require developers to provide detailed information for deployers to complete impact assessments.
  • Deployer Notices and Records: Deployers must provide clear and conspicuous notice to consumers prior to using Covered ADMT to materially influence a consequential decision, including instructions on how the consumer may obtain additional information about the Covered ADMT. If using Covered ADMT to materially influence a consequential decision results in an adverse outcome for the consumer, the deployer must provide a disclosure8 to the consumer within 30 days, including a plain-language description of the consequential decision and the role of the Covered ADMT, as well as instructions and a simple process to request additional information and an explanation of their consumer rights, described below.9 Deployers must also retain records of compliance with such notice obligations for at least three years. In contrast to the 2024 Act, the 2026 Act does not require deployers to complete annual impact assessments or maintain risk management programs.

Retained Concepts from the 2024 Act

The 2026 Act carries forward the same general provisions relating to consumer rights as the 2024 Act, providing consumers who experience an adverse outcome as a result of Covered ADMT the right to request correction instructions for inaccurate personal data and, if commercially reasonable, meaningful human review and reconsideration.10

With respect to enforcement, like the 2024 Act, the 2026 Act does not create a new private right of action, instead treating violations as deceptive trade practices under the Colorado Consumer Protection Act,11 and vests exclusive enforcement authority in the Colorado Attorney General.

Key Exceptions for Health Care and Life Sciences

  • HIPAA Covered Entities and Business Associates: HIPAA covered entities doing business in Colorado13 and their business associates are exempted from many of the developer and deployer obligations of the 2026 Act, unless they are using Covered ADMT to make employment-related consequential decisions.14 Instead, such entities must provide patients with (i) a general notice regarding how the entity is using advanced technologies, including Covered ADMT,15 and (ii) specified disclosures when covered ADMT are used to determine patient eligibility for financial assistance.16 This is in contrast to the 2024 Act, which only exempted HIPAA covered entities in limited circumstances, e.g., where a health care provider was implementing any AI-generated recommendations.
  • FDA-Regulated Products and R&D: Similar to the 2024 Act, the developer and deployer obligations of the 2026 Act do not apply to medical devices and certain pharmaceutical or medical-device research and development activities subject to FDA oversight, including clinical investigations.17

Key Takeaways

The 2026 Act provides health care entities more targeted obligations than the broad obligations initially imposed by the 2024 Act, but it does not eliminate the need for health care entities to carefully review their relevant AI tools and related use cases to ensure compliance ahead of the January 1, 2027 effective date. Ropes & Gray continues to monitor developments related to state and federal AI regulations, including through its Health AI Atlas and Standing Orders, Local Rules, and Decisions on the Use of AI tracker. For more information or assistance in navigating these developments, please contact your regular Ropes & Gray advisor.

  1. S.B. 26-189, Concerning the Use of Automated Decision-Making Technology in Consequential Decisions, and, in Connection Therewith, Making an Appropriation (Colo. 2026) (to be codified at Colo. Rev. Stat. §§ 6-1-1701 to 1709) (effective Jan. 1, 2027), https://leg.colorado.gov/bill_files/116489/download
  2. S.B. 24-205, Consumer Protections for Artificial Intelligence, 74th Gen. Assemb., Reg. Sess. (Colo. 2024), https://leg.colorado.gov/bill_files/47770/download.
  3. President Trump’s December 2025 Executive Order criticized state AI laws as a “patchwork of 50 different regulatory regimes” and cited Colorado’s algorithmic-discrimination law as an example. Exec. Order No. 14,365, Ensuring a National Policy Framework for Artificial Intelligence, 90 Fed. Reg. 58,499 (Dec. 16, 2025), https://www.federalregister.gov/documents/2025/12/16/2025-23092/ensuring-a-national-policy-framework-for-artificial-intelligence; Fact Sheet: President Donald J. Trump Ensures a National Policy Framework for Artificial Intelligence, White House (Dec. 11, 2025), https://www.whitehouse.gov/fact-sheets/2025/12/fact-sheet-president-donald-j-trump-ensures-a-national-policy-framework-for-artificial-intelligence/.
  4. In the signing statement for the 2024 AI Act, Governor Polis expressed that he signed SB 24-205 “with reservations,” warning that it imposed a complex compliance regime, risked a state law patchwork that could hamper innovation and competition, and needed refinement before taking effect. Letter from Jared S. Polis, Governor of Colo., to Members of the Colo. Gen. Assemb. (May 17, 2024). https://drive.google.com/file/d/1i2cA3IG93VViNbzXu9LPgbTrZGqhyRgM/view.  Governor Polis convened a Colorado AI Policy Work Group to develop a revised policy framework, producing the 2026 Act.  See Press Release, Office of Governor Jared Polis, Colorado Artificial Intelligence Policy Workgroup Delivers Unanimous Support for Revised Policy Framework (Mar. 17, 2026), http://governorsoffice.colorado.gov/governor/news/colorado-artificial-intelligence-policy-workgroup-delivers-unanimous-support-revised-policy; see also S.B. 26-189, 75th Gen. Assemb., Reg. Sess. (Colo. 2026), https://leg.colorado.gov/bills/sb26-189.
  5. A consequential decision may include a decision, determination or action made about a consumer that relates to the provision of, or a consumer’s access to, eligibility for, selection for, or compensation for a covered domain. Consequential decisions do not include narrow procedural tasks or data-processing functions that do not materially influence decisions. See Id. at § 6-1-1701(3).
  6. Id. at § 6-1-1701(1). Covered domains include education, employment, residential real estate, financial/lending service, insurance (e.g., underwriting, pricing, coverage, claims adjudication or other determinations that materially affect access to benefits), health care services or essential government services and public benefits (e.g., eligibility and renewal determinations). See id. at § 6-1-1701(3, 5 – 6).
  7. Id. at § 6-1-1702(1 – 2).
  8. The Colorado General Assembly intends that the specific elements of a post-adverse outcome disclosure be further clarified through Attorney General rule-making, on or before January 1, 2027, that accounts for sector and domain-specific practices. See § 6-1-1704(4).
  9. Id. at §§ 6-1-1703 to 1704.
  10. See id. at § 6-1-1705.
  11. Id. at § 6-1-1705.
  12. Unlike the 2024 Act, the 2026 Act requires that, before bringing an enforcement action, the Colorado Attorney General must provide notice of an alleged violation and a 60-day cure period, if the Attorney General determines that cure is possible.  If the Attorney General can demonstrate that a developer or deployer knowingly or repeatedly violated respective obligations, then the Attorney General is not required to provide a cure period.
  13. With respect to covered entity health care providers, providers must be operating from a Colorado location in order to meet the requirements of this exemption.
  14. Id. at § 6-1-1708(3)(a).
  15. Such notice may be incorporated with other notices describing patient rights and how the covered entity provides care.
  16. If a covered entity uses Covered ADMT to determine patient eligibility for financial assistance, including discounted care, the covered entity must provide a plain-language description of the consequential decision and the role of the Covered ADMT, the types of information relied upon in making the eligibility determination, information on how to request correction of materially inaccurate personal data consistent with HIPAA, and information on how to request meaningful human review or reconsideration, where applicable. Such disclosure may be provided in advance or within 30 calendar days following an adverse outcome. Id. at § 6-1-1708(3)(c – e).
  17. Id. at § 6-1-1708(4).

Related Services

    Authors

    Jamie E. Darch
    Jamie E. Darch
    Partner
    Chicago+1 312 845 1338
    [email protected]
    See Bio
    Peyton Brooks
    Peyton Brooks
    Associate
    New York+1 212 596 9208
    [email protected]
    See Bio
    Shanzeh Daudi
    Shanzeh Daudi
    Associate
    Chicago+1 312 845 1266
    [email protected]
    See Bio
    Daniel Hinckley
    Daniel Hinckley
    Associate
    Los Angeles+1 310 975 3285
    [email protected]
    See Bio
    Alexandra Kaye
    Alexandra Kaye
    Associate
    New York+1 212 596 9115
    [email protected]
    See Bio

    Stay Up To Date with Ropes & Gray

    Subscribe to Our Podcast

    Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.

    Subscribe on AppleSubscribe on Spotify
    Follow Us on Social

    Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.

    Follow Us on LinkedInFollow Us on Instagram
    Join Our Mailing List

    We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.

    Join Our Mailing List