Colorado AI Act: What SB 24-205 Means for Your Business
Colorado's AI law goes into effect June 30, 2026 — making Colorado the first US state to pass a comprehensive AI consumer protection law. Here is everything you need to know: who it applies to, what “high-risk” means, and what you must do before the deadline.
Deadline: June 30, 2026 — 76 days away
Colorado SB 24-205 takes effect June 30, 2026. If your AI system makes consequential decisions affecting Colorado residents, you need to complete a risk assessment before then.
What Is the Colorado AI Act?
Colorado Senate Bill 24-205 — also called the Colorado AI Act — is the first US state law to create comprehensive consumer protections for artificial intelligence decisions. It was signed into law in May 2024 and takes effect June 30, 2026.
The law is modeled on the EU AI Act's risk-based approach: it focuses on “high-risk AI systems” — AI that makes consequential decisions about people's lives. If your AI makes decisions in certain high-stakes domains, you have obligations.
Who Must Comply?
The Colorado AI Act applies to two types of entities:
Developers
Companies that create and sell/license high-risk AI systems to other businesses.
Examples: AI hiring software companies, AI credit scoring vendors, AI healthcare diagnostic tool providers.
Deployers
Companies that use high-risk AI systems to make decisions about Colorado consumers — even if they didn't build the AI.
Examples: HR software users making hiring decisions in Colorado, lenders using AI credit scoring, healthcare providers using AI diagnostics.
Important: Location of the consumer matters, not the company
The Colorado AI Act protects Colorado consumers and residents. If your AI makes decisions about someone in Colorado — regardless of where your company is headquartered — the law may apply to you. A New York-based company hiring remote workers in Denver must comply.
What Is a “High-Risk AI System” Under Colorado Law?
The Colorado AI Act defines “high-risk” based on the type of decision the AI makes and the significance of its role in that decision. An AI system is high-risk if it is a substantial factor in decisions involving:
Hiring, firing, promotion, compensation, scheduling
Rental applications, mortgage approvals, real estate
Credit, insurance, financial products
Diagnoses, treatment recommendations, clinical decisions
Admissions, enrollment, academic assessment
Benefits eligibility, legal determinations
What is NOT high-risk?
- AI used purely for back-office processes that don't affect consumer-facing decisions
- Spam filters, antivirus, fraud detection that blocks fraudulent (not legitimate) transactions
- AI that supports human decisions where the human makes the final call and reviews all data
- AI used for administrative scheduling that doesn't determine employment outcomes
What Must Deployers Do?
If you deploy a high-risk AI system affecting Colorado consumers, here are your obligations:
Document: the purpose of the AI, intended use cases, known limitations, the data used, how it was tested, potential for discriminatory impact, mitigation measures. Colorado provides no official template — you document what's reasonable for your use case.
Tell consumers: that an AI system was used in a decision about them, the type of AI system used, how to contact the deployer with questions. Must be clear, plain English.
Consumers must be able to: (a) correct personal data used in the AI decision, (b) appeal the AI decision to a human, (c) understand why the decision was made. You must have a process for this.
Maintain policies and programs to manage unreasonable risk of algorithmic discrimination. This doesn't mean zero discrimination risk — it means reasonable, documented steps to identify and mitigate it.
Keep records of impact assessments, consumer notices, and appeals. The Colorado AG can request these during an investigation.
What Do Developers Need to Do?
If you sell or license high-risk AI to other businesses, you have developer obligations:
- Provide documentation to deployers about how the AI works, its limitations, and how to use it appropriately
- Disclose the types of data used to train the AI
- Publish a summary of the AI system on your website
- Conduct your own impact assessments on the AI systems you develop
- Inform deployers of known limitations and known risks of algorithmic discrimination
What Are the Penalties?
The Colorado AI Act is enforced by the Colorado Attorney General — not by private lawsuits (unlike Illinois AAIA). Penalties:
| Violation type | Penalty |
|---|---|
| Failure to provide consumer notice | $2,000 per consumer affected |
| Failure to conduct impact assessment | $2,000 per violation |
| Willful violation after notice | $20,000 per violation |
| Good-faith violation (2-year cure period) | Reduced/waived if corrected within 2 years |
The 2-year cure period: what it means
If you violate the Colorado AI Act in good faith — meaning you made a genuine attempt to comply but got something wrong — you have 2 years to correct the violation before the AG can impose the full penalty. This is significantly more lenient than GDPR. However: “good faith” means you must have documentation showing you tried to comply. “We didn't know about the law” does not qualify.
Colorado AI Act vs. EU AI Act: Key Differences
| Aspect | Colorado AI Act | EU AI Act |
|---|---|---|
| Risk tiers | Binary: high-risk vs. not | 4 tiers: Prohibited, High, Limited, Minimal |
| Who it covers | Deployers + developers | Providers, deployers, importers, distributors |
| High-risk scope | 6 domains (employment, housing, credit, healthcare, education, legal) | Annex III: 8 detailed categories + Annex I AI types |
| Consumer rights | Correct data, appeal decision, understand reason | Broader: transparency, human oversight, explainability |
| Enforcement | Colorado AG (civil penalty) | National supervisory authorities (fine up to €30M) |
| Cure period | 2 years for good-faith violations | No cure period — immediate enforcement |
| Private lawsuits | No private right of action | No private right of action (except AI Liability Directive, proposed) |
| Effective date | June 30, 2026 | Phased: Feb 2025 to 2027 |
Your 5-Step Colorado AI Act Action Checklist
Inventory your AI
List every AI system you use that makes or assists in decisions about Colorado residents. Use ComplianceIQ Chrome scanner to find all AI tools your team uses.
Classify each AI system
For each AI tool: does it make decisions in employment, housing, credit, healthcare, education, or legal status? If yes — it may be high-risk.
Conduct impact assessments
Document the purpose, training data, limitations, discrimination risk, and mitigation measures for each high-risk AI. ComplianceIQ generates this template automatically.
Set up consumer notice
Create the process to notify Colorado consumers when AI was used in a decision affecting them. Add it to your decision communication workflow.
Build the appeal process
Colorado consumers have the right to appeal AI decisions to a human. Decide who handles appeals, what the timeline is, and how you document corrections.
Complete your Colorado AI Act compliance in 30 minutes
ComplianceIQ generates your impact assessment, consumer notice templates, and appeal process documentation — all pre-filled for Colorado SB 24-205 requirements.