Last reviewed
May 18, 2026
Sources
No citations yet
Review status
Needs citations
Revision
v1 · 6,450 words
Add missing citations, update stale details, or suggest a clearer explanation.
The Colorado Artificial Intelligence Act (commonly abbreviated CAIA and codified as Senate Bill 24-205, "Consumer Protections for Artificial Intelligence") is a state statute enacted in 2024 that imposed wide-ranging duties on the developers and deployers of "high-risk artificial intelligence systems" used in "consequential decisions" affecting Colorado residents. Signed into law by Governor Jared Polis on May 17, 2024, the act was widely described as the first comprehensive, generally applicable AI regulation enacted by any U.S. state and as the closest analogue in the United States to the EU AI Act.[^1][^2][^3]
The statute's centerpiece was a "reasonable care" duty requiring covered developers and deployers to protect consumers from "algorithmic discrimination," supplemented by detailed documentation, impact-assessment, risk-management, consumer-notice, and Attorney General reporting obligations. Enforcement was vested exclusively in the Colorado Attorney General, with no private right of action; violations were classified as deceptive trade practices subject to civil penalties of up to $20,000 per violation under the Colorado Consumer Protection Act.[^4][^5]
The act was originally scheduled to take effect February 1, 2026.[^1] After a 2025 special session, the General Assembly extended that date to June 30, 2026 via SB 25B-004.[^6][^7] Before the law could ever be enforced, it was first stayed by a federal court in xAI LLC v. Weiser in April 2026 after the company xAI (joined as intervenor by the U.S. Department of Justice) challenged it on First Amendment, Commerce Clause, Due Process, and Equal Protection grounds.[^8][^9][^10] On May 14, 2026, Polis signed SB 26-189, a comprehensive rewrite that repealed and replaced SB 24-205 with a narrower "automated decision-making technology" (ADMT) framework taking effect January 1, 2027.[^11][^12][^13]
The Colorado AI Act is therefore notable both as a regulatory milestone, the first general-purpose state AI statute to be enacted in the United States, and as a cautionary example of state-level technology regulation that was reshaped by industry pressure, gubernatorial reservations, federal litigation, and a partial federal intervention before it could be applied to a single consumer interaction.
At the time of the bill's enactment, the United States had no general-purpose federal statute regulating AI. The principal federal instruments were President Joe Biden's Executive Order on AI of October 30, 2023 (Executive Order 14110), which imposed obligations primarily on federal agencies and contractors rather than the private sector, and existing civil rights, consumer protection, and sectoral statutes administered by the Equal Employment Opportunity Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Department of Housing and Urban Development.[^2][^3] Several federal AI bills had been introduced in Congress but none had been enacted.[^14]
Sponsors and supporters of SB 24-205 explicitly framed the bill as a response to this gap. Senate Majority Leader Robert Rodriguez, the prime Senate sponsor, argued that the absence of federal action left states with both the authority and the practical responsibility to protect their residents from algorithmic harms in employment, housing, lending, insurance, education, healthcare, and government services.[^15][^16]
The Colorado measure was drafted and debated in parallel with the European Union's EU AI Act, which received final European Parliament approval in March 2024 and was published in the Official Journal in July 2024. Both instruments adopted a risk-based architecture, distinguished obligations on "providers" or "developers" from those on "deployers," and required transparency, documentation, and ongoing risk management for high-risk uses.[^2][^17]
The two regimes nevertheless diverged in several respects. The EU AI Act contains a list of categorically prohibited uses (such as social scoring by public authorities, real-time remote biometric identification in public spaces with narrow exceptions, and certain emotion-recognition systems in employment and education contexts), a tiered classification covering minimal-, limited-, high-, and unacceptable-risk systems, and a separate regime for general-purpose AI models. The Colorado act contained no outright prohibitions and did not impose obligations on general-purpose model providers as such; rather, it focused narrowly on systems making or substantially influencing "consequential decisions" and on the prevention of "algorithmic discrimination."[^3][^17]
Several commentators described the Colorado statute as in some respects more demanding than the EU AI Act in its specific anti-discrimination duty of care, but more narrowly drawn in its scope and remedies.[^2][^4]
Colorado was not the very first U.S. state to enact AI legislation in 2024. Utah's Artificial Intelligence Policy Act (HB 149) was signed by Governor Spencer Cox on March 13, 2024, and took effect May 1, 2024.[^18] The Utah law was substantially narrower, however, focusing on disclosure obligations for generative AI in regulated professions and consumer interactions, and imposing no impact-assessment, risk-management, or anti-discrimination requirements. Tennessee enacted the ELVIS Act in March 2024, addressing AI-generated audio likenesses in the music industry. Colorado SB 24-205 was therefore widely characterized as the first state law to impose comprehensive horizontal obligations on AI developers and deployers across multiple sectors.[^15][^18][^19]
SB 24-205 was introduced in the Colorado Senate on April 10, 2024, near the end of the 2024 regular session. Senate Majority Leader Robert Rodriguez (D-Denver) served as the prime Senate sponsor; Representatives Brianna Titone (D-Arvada) and Manny Rutinel (D-Commerce City) were the prime House sponsors. Co-sponsors included Senators Lisa Cutter, Steve Fenberg, Dafna Michaelson Jenet, Kevin Priola, and Faith Winter, along with Representative Monica Duran.[^1][^15]
Rodriguez had served as a participant in the multistate "Future of Privacy Forum" working group of state legislators that had been examining model AI legislation; observers noted substantial textual overlap between SB 24-205 and proposals circulated in that group.[^20]
The bill passed the Senate by a 26-8 margin and the House of Representatives by 41-21, with majority Democratic support and partial Republican opposition. The bill was substantially amended during its short three-week journey through the General Assembly, including the addition of an extended February 1, 2026 effective date intended to permit a long rulemaking and stakeholder-engagement period before the obligations attached.[^1][^16]
The legislature transmitted the enrolled bill to Governor Polis on May 8, 2024. Polis was widely expected to veto, but instead signed it on May 17, 2024, accompanied by an unusual signing letter that signaled both his reservations and his expectation that the law would be revised before it took effect.[^21][^22]
The Colorado Artificial Intelligence Act, as enacted, added a new Part 17 to Article 1 of Title 6 of the Colorado Revised Statutes (the state's consumer protection chapter). Its operative provisions can be grouped into definitions, developer duties, deployer duties, consumer rights, enforcement, and exclusions.[^1][^4]
The statute used several novel statutory terms whose drafting drew immediate critical attention from both industry and academic commentators.[^23]
"Artificial intelligence system" was defined as any "machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments." The definition drew directly from the OECD's widely adopted definition of AI as updated in 2023.[^4][^16]
"High-risk artificial intelligence system" meant any AI system that, when deployed, "makes, or is a substantial factor in making, a consequential decision." A non-exhaustive list of exclusions removed from this category several specific technologies (anti-fraud, antivirus, cybersecurity, calculators, databases, spreadsheets, spell-checking, and similar low-risk tools), as well as generative AI systems whose outputs were governed by acceptable-use policies prohibiting discriminatory uses.[^4][^15]
"Consequential decision" was defined as a decision that "has a material legal or similarly significant effect" on a consumer's access to, cost of, or terms of: education enrollment or opportunity; employment or employment opportunity; a financial or lending service; an essential government service; healthcare services; housing; insurance; or a legal service.[^4][^17]
"Algorithmic discrimination" was defined as any use of an AI system that results in unlawful differential treatment or impact disfavoring an individual or group of individuals on the basis of actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under state or federal law. The act expressly carved out, from this definition, certain self-testing for discrimination, expansion of an applicant pool to increase diversity, and acts done to comply with other state or federal law.[^4][^15][^17] This last carve-out, sometimes labeled the "diversity carve-out," later became one of the principal targets of the xAI constitutional challenge.[^8][^10]
"Substantial factor" was defined to mean a factor that assists or generates a content, decision, prediction, or recommendation that is used as a basis to make a consequential decision and is capable of altering the outcome of a consequential decision. "Developer" meant a person doing business in Colorado that develops or intentionally and substantially modifies an AI system. "Deployer" meant a person doing business in Colorado that uses a high-risk AI system. "Consumer" meant an individual who is a Colorado resident.[^4][^17]
The act's foundational obligation was a duty on both developers and deployers of high-risk AI systems to "use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination." Compliance with the act's enumerated developer or deployer duties created a rebuttable presumption that reasonable care had been exercised; compliance with a recognized AI risk management framework, including the NIST AI Risk Management Framework (NIST AI RMF 1.0) or another framework designated by the Attorney General, gave rise to an affirmative defense.[^1][^24]
Developers were required to:
Provide deployers with documentation describing reasonably foreseeable uses and harmful or inappropriate uses; a high-level summary of training data; known limitations including algorithmic discrimination risks; the purpose and intended benefits of the system; how the system was evaluated for performance and discrimination mitigation; data governance measures including measures to ensure suitability of training data; intended outputs; and instructions on appropriate use and human oversight.[^1][^4]
Make publicly available, on the developer's website, a statement summarizing the types of high-risk AI systems the developer has developed or intentionally and substantially modified and currently makes available to deployers, and a description of how the developer manages known or reasonably foreseeable risks of algorithmic discrimination.[^1][^4]
Disclose to the Attorney General and to known deployers, within 90 days of discovery, any known or reasonably foreseeable risk of algorithmic discrimination arising from the intended uses of the high-risk AI system.[^4][^17]
Deployers of high-risk AI systems were required to:
Implement and maintain a risk management policy and program "reasonable in light of generally accepted risk management framework principles," with the NIST AI Risk Management Framework and ISO/IEC 42001 expressly cited as benchmarks.[^1][^24]
Complete an impact assessment for each high-risk AI system prior to deployment, annually thereafter, and within 90 days of any intentional and substantial modification. Each assessment was required to cover the system's purpose; foreseeable algorithmic discrimination risks and mitigations; categories of data inputs and outputs; performance metrics; transparency measures; and post-deployment monitoring.[^4][^17][^25]
Provide pre-decision notice to each consumer concerning whom the system would make or be a substantial factor in making a consequential decision, including a statement of the system's purpose, the nature of the consequential decision, contact information for the deployer, and a description of how the system makes the decision.[^1][^4]
Where a consequential decision was adverse to the consumer, provide an explanation of the principal reasons for the decision, including the degree to which the AI system contributed, the types of data processed, and the source of that data; provide an opportunity for the consumer to correct any incorrect personal data the system processed; and provide an opportunity for the consumer to appeal for human review unless such an appeal was not in the consumer's best interests (for example, where delay would jeopardize life or safety).[^4][^17][^25]
Publish on the deployer's website a statement summarizing the high-risk AI systems the deployer uses, the deployer's discrimination risk management approach, and the nature and source of information processed by those systems.[^1][^4]
Disclose to the Attorney General, within 90 days of discovery, any algorithmic discrimination the deployer learns of, whether through internal review, consumer feedback, or otherwise.[^4][^17]
Ensure that, where any AI system (high-risk or not) was intended to interact with consumers, the consumer was informed that they were interacting with an AI system, unless that fact would be obvious to a reasonable person.[^1][^4]
A limited carve-out provided that a deployer with fewer than 50 full-time equivalent employees that did not use its own data to train the high-risk AI system, used the system for purposes consistent with the developer's published documentation, and made the developer's impact assessment available to consumers, was exempted from the risk-management-program, impact-assessment, and public-website-disclosure obligations. The carve-out did not relieve such a deployer of the duty of reasonable care, the pre-decision notice, the adverse-action notice and appeal rights, or the Attorney General reporting obligation.[^25][^26]
The act included narrow exclusions for AI systems used in cybersecurity, anti-fraud detection, antivirus and other malicious-code detection (except where they incorporated facial recognition), and certain noncritical procedural applications. It also recognized compliance defenses for entities subject to comparable federal regulation, including HIPAA-covered entities, banks and credit unions subject to federal prudential supervision, and insurers subject to the Colorado Division of Insurance's algorithmic governance rules promulgated under the 2021 Colorado insurance anti-discrimination law (SB 21-169).[^4][^17][^25]
Enforcement authority was vested exclusively in the Colorado Attorney General; the act contained no private right of action.[^1] Violations of the act's duties were deemed unfair or deceptive trade practices under the Colorado Consumer Protection Act, subject to civil penalties of up to $20,000 per violation. Because each affected consumer could constitute a separate violation, total exposure for a single deployment could be substantial.[^4][^5][^15]
The act provided two principal defensive postures for covered businesses:
A rebuttable presumption of reasonable care for developers or deployers that complied with the act's enumerated duties and that promptly cured any known violations through internal review, red-teaming, or consumer feedback while maintaining a recognized risk-management framework.[^4][^24]
An affirmative defense for entities in compliance with the NIST AI Risk Management Framework, ISO/IEC 42001, or another framework designated by the Attorney General as offering comparable protection.[^1][^24]
The Attorney General was authorized to promulgate implementing rules, including rules specifying the form and content of impact assessments, the contents of consumer notices, documentation retention requirements, and any additional categories of risk management framework that could give rise to the affirmative defense. The Attorney General began an "Anti-Discrimination in AI" rulemaking process in 2025; that rulemaking was paused in 2026 pending litigation and legislative reconsideration.[^27]
A particularly unusual feature of SB 24-205's enactment was the publicly released letter Governor Polis attached to his signature on May 17, 2024. In that letter, Polis stated that he was signing the bill "with reservations" and identified several concerns.[^21][^22]
Polis wrote that he was "concerned about the impact this law may have on an industry that is fueling critical technological advancements" and warned that "government regulation that is applied at the state level in a patchwork across the country can have the effect to tamper innovation and deter competition in an open market."[^22] He urged the bill's sponsors to "significantly improve" the law during the 21-month period before its effective date and called on the federal government to enact preemptive legislation that would replace the Colorado scheme with "a needed cohesive federal approach."[^21][^22]
Polis's letter further called for narrowing of the definitions of "algorithmic discrimination" and "consequential decision," reconsideration of the Attorney General reporting obligation, examination of the small-business deployer threshold, and the addition of a right to cure before enforcement action. He noted that he would not have signed the bill if he had believed it would impose insurmountable compliance burdens.[^21][^22]
Within weeks of signing, Polis, Attorney General Phil Weiser, and Senator Rodriguez jointly issued a public letter on June 13, 2024 reiterating these concerns and committing to revisit the statute before it took effect, citing concerns raised by the technology industry.[^28][^29]
In response to the signing-statement commitments, the General Assembly established the bipartisan Artificial Intelligence Impact Task Force as part of its 2024 legislative interim activity, with rolling membership drawing from both houses and from stakeholder communities. The Task Force met repeatedly through late 2024 and issued a report in February 2025 identifying 27 areas of potential refinement, grouped into four tiers of stakeholder consensus.[^30][^31]
The report described "apparent consensus" on minor clarifications to documentation and notice obligations; "potential consensus" on tightening the definitions of "consequential decision," scope of the developer-deployer exclusions, and timing of impact assessments; "interconnected issues" requiring further negotiation regarding the definition of "algorithmic discrimination," the breadth of risk management duties, and the reporting obligation to the Attorney General; and "deep divisions" over whether to add a right to cure, how to protect trade secrets in mandated disclosures, the scope of AG enforcement authority, consumer appeal rights, modifications to the small-business exemption, and any further delay of the effective date.[^30][^31]
Industry representatives and public-interest advocates also pressed the Task Force on the definition of "substantial factor," the meaning of "intentional and substantial modification," and the relationship between the act and existing federal civil rights statutes.[^31]
During the 2025 regular session, Senator Rodriguez introduced SB 25-318, titled "Artificial Intelligence Consumer Protections," which would have made substantial substantive amendments to SB 24-205. The bill would have narrowed the definition of "algorithmic discrimination," carved additional exemptions from the high-risk-system definition based on decision volume and investor characteristics, eliminated some developer-to-deployer notification duties, and adjusted the timing of impact assessments and documentation retention.[^29]
After negotiations between industry, civil society, and labor advocates failed to converge, Rodriguez requested that his own bill be postponed indefinitely on May 5, 2025, effectively killing it. Representative Brianna Titone separately blocked a backdoor attempt to insert a delay provision into an unrelated bill, reportedly through procedural maneuvering on the House floor.[^29][^32] The regular 2025 session ended without any amendment to SB 24-205.
In August 2025, citing the failure of the 2025 regular session to address ongoing industry concerns, Governor Polis called a special session of the General Assembly. The special session ran August 21-27, 2025, and considered four competing AI bills:
The Colorado Chamber of Commerce, NetChoice, the Computer & Communications Industry Association, TechNet, and a coalition of technology firms deployed an estimated 100-plus organizations and 150 lobbyists during the special session. Public-interest groups, including the Center for Democracy & Technology, Consumer Reports, and labor organizations affiliated with the AFL-CIO, opposed substantive rollback while supporting limited timing adjustments.[^32]
Only SB 25B-004 was enacted. Signed by Polis on August 28, 2025, with an effective date of November 25, 2025, the law moved SB 24-205's compliance deadline from February 1, 2026 to June 30, 2026 but left the underlying substantive provisions intact.[^6][^7][^32]
Following the special session, the Governor's office convened a Colorado AI Policy Work Group composed of legislators, industry representatives, consumer advocates, and labor leaders. The Work Group met through late 2025 and early 2026 and announced on March 17, 2026 that it had reached "unanimous support" for a substantially revised framework, characterized as an "Automated Decision-Making Technology" or ADMT framework.[^34][^35]
The Work Group's proposal would have replaced the original act's high-risk-AI-system architecture with a narrower regime centered on ADMT used to "materially influence" (rather than be a "substantial factor" in) consequential decisions; removed the risk-management-program, impact-assessment, and Attorney General algorithmic-discrimination reporting obligations; and shifted the law's center of gravity toward consumer-facing notice, post-adverse-outcome explanation, correction, and meaningful human review rights modeled on data-privacy law.[^34][^35]
The Work Group's framework formed the substantive basis of SB 26-189, introduced in the 2026 regular session.[^11][^12]
On April 9, 2026, xAI LLC, the AI company founded by Elon Musk and developer of the Grok family of large language models, filed a federal complaint in the United States District Court for the District of Colorado against Colorado Attorney General Philip J. Weiser. The case is captioned xAI LLC v. Weiser, and seeks declaratory and injunctive relief preventing enforcement of SB 24-205 in advance of its June 30, 2026 effective date.[^8][^9][^36]
The complaint asserted six constitutional claims:
The act violated the First Amendment by compelling xAI to alter the training, fine-tuning, system prompts, and outputs of its Grok models to conform to Colorado's preferred views on contested subjects, and by compelling content- and viewpoint-based disclosures about bias-mitigation practices. The complaint described AI model development as an "expressive act" entitled to full First Amendment protection.[^8][^36]
The act violated the Dormant Commerce Clause by purporting to regulate AI development and deployment activity occurring entirely outside Colorado where outputs might reach Colorado residents.[^8]
The act was unconstitutionally vague under the Due Process Clause of the Fourteenth Amendment because key operative terms (including "algorithmic discrimination," "substantial factor," "historical discrimination," "differential impact," and "intentional and substantial modification") were undefined or impermissibly imprecise.[^8][^36]
The act's "diversity carve-out" in the definition of algorithmic discrimination violated the Equal Protection Clause by codifying race-conscious decision-making while penalizing other forms of differential treatment.[^8][^10]
and 6. Additional claims raised conflict preemption and ultra vires arguments.[^9]
On April 24, 2026, the United States Department of Justice's Civil Rights Division filed a statement of interest and a motion to intervene as a co-plaintiff supporting xAI. The DOJ's filing characterized SB 24-205 as one of "a growing number of state laws that threaten to dismantle American leadership in artificial intelligence" and asserted that the federal interest in a uniform national AI policy outweighed Colorado's interest in pretextual consumer protection. Commentators uniformly described the DOJ filing as unprecedented; it was the first time the federal government had affirmatively intervened to invalidate a state AI law.[^9][^10][^37]
On April 27-28, 2026, a federal magistrate judge granted a joint motion filed by xAI and the Colorado Attorney General's office staying enforcement of SB 24-205 pending the conclusion of (i) the 2026 Colorado legislative session and any related rulemaking, and (ii) the court's disposition of xAI's anticipated preliminary-injunction motion.[^9][^10][^38] The stipulated stay reflected an unusual procedural posture in which the defendant Attorney General effectively conceded that enforcement should be paused, in light of the parallel legislative reconsideration. Attorney General Weiser had previously characterized aspects of the act as "really problematic" in public remarks and had expressed concerns that strict enforcement could "drive innovation out of the state."[^36][^38]
As of the law's repeal in May 2026, no court had ruled on the merits of any of xAI's constitutional claims.[^11][^39]
SB 26-189, formally titled "Automated Decision-Making Technology" and informally referred to as the "Colorado AI Act rewrite" or "Colorado AI Act 2.0," was introduced in the Colorado Senate on May 1, 2026 by Senate Majority Leader Robert Rodriguez and Senator James Coleman, with Representatives Monica Duran and Jennifer Bacon as House sponsors. Additional sponsors included Senator Mark Baisley and Representative Brianna Titone. The bill drew 38 additional co-sponsors and was framed by sponsors as the legislative product of the Colorado AI Policy Work Group's unanimous framework.[^11][^39][^40]
The bill moved through the General Assembly in fewer than two weeks. It passed the Senate on May 7, 2026 by a 34-1 vote and the House on May 9, 2026 by a 57-6 margin, both with substantial bipartisan support. Governor Polis signed SB 26-189 into law at the State Capitol on May 14, 2026.[^11][^12][^41] In remarks at the signing, Polis described the bill as a "balanced" framework that would protect consumers while preserving Colorado's standing as a destination for AI investment.[^41]
SB 26-189 repealed Part 17 of Article 1 of Title 6 of the Colorado Revised Statutes (the original SB 24-205 codification) and replaced it with a new regime structured around the term "covered automated decision-making technology" (covered ADMT). Key changes included:[^11][^12][^13][^39]
Replacement of "high-risk AI system" with "covered ADMT", defined as a technology that "processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual."[^11][^13]
Replacement of the "substantial factor" standard with a "materially influence" standard, intended to narrow the universe of covered decisions to those for which the ADMT was decisive rather than merely contributing.[^12][^34]
Elimination of the affirmative duty of reasonable care to prevent algorithmic discrimination, in favor of an obligation-based notice, transparency, correction, and human-review framework.[^12][^13]
Elimination of the risk-management-program requirement and the annual impact assessment.[^12][^13]
Elimination of the requirement that developers and deployers report algorithmic discrimination to the Attorney General.[^12][^34]
Retention of consumer pre-use notice and adverse-decision explanation rights, with adverse-decision explanations now required within 30 days of the adverse outcome.[^11][^12]
Addition of an explicit consumer right to request meaningful human review and reconsideration of an ADMT decision producing an adverse outcome.[^11][^13]
Replacement of the 50-employee small-deployer carve-out with a conditional 40-employee threshold, with separate rules where ADMT is used to materially influence hiring or compensation.[^26][^12]
Retention of exclusive Attorney General enforcement with no private right of action, and addition of a 60-day cure period before any enforcement action under the Colorado Consumer Protection Act.[^11][^12][^13]
Implementation deferral until January 1, 2027, with enforcement contingent on the Attorney General's completion of implementing rulemaking.[^11][^39]
Senate Majority Leader Rodriguez summarized the political compromise embodied in SB 26-189 with the often-quoted phrase, "Everybody lost and everybody won."[^41] The Colorado Technology Association described the bill as representing "meaningful progress for Colorado and a more balanced path forward," while AFL-CIO Colorado legislative director Kjersten Forseth, speaking for the labor-aligned coalition "Protect AI in the Rockies Together" (PART), described it as "a good first step to protect the interests of everyday Coloradans."[^41]
Several legislators voted for the rewrite while expressing dissatisfaction. Representative Javier Mabrey (D-Denver), one of six representatives who voted no, complained that the bill did "nowhere near enough to protect the people of Colorado" and pledged to introduce further legislation reinstating broader anti-discrimination duties, including a private right of action. "These black boxes are deciding who gets hired, who gets housing, who gets to go to their dream school," Mabrey told reporters.[^41][^42]
The Center for Democracy & Technology and Consumer Reports criticized the rewrite as having eliminated the original act's most important consumer protections, while major industry trade associations (the U.S. Chamber of Commerce, NetChoice, TechNet, and the Computer & Communications Industry Association) treated the rewrite as a substantial improvement that nevertheless still imposed significant compliance costs.[^32][^41]
The major national technology industry trade associations opposed SB 24-205 in real time. The U.S. Chamber of Commerce argued that the bill would hamper small-business AI adoption and that targeted gap-filling of existing civil rights statutes would be preferable to a broad AI-specific regime. The Chamber of Progress, the Consumer Technology Association, NetChoice, and TechNet voiced similar concerns, emphasizing the burdens of annual impact assessments, public-website disclosures, and Attorney General reporting on early-stage and venture-funded firms.[^32][^43] TechNet regional executive director Andrew Wood argued that deployer-to-consumer adverse-decision notices could compel disclosure of proprietary information, including trade secrets in training data and model architecture.[^32]
The Colorado Chamber of Commerce, Colorado Technology Association, and TechNet jointly submitted consolidated amendment proposals to the AI Impact Task Force in December 2024, advocating significantly narrowed definitions, a right to cure, and a delayed effective date.[^31][^43]
The Center for Democracy & Technology, Consumer Reports, the AI Now Institute, the Brookings Institution's Center for Technology Innovation, and several state-level civil rights and labor organizations supported the original act's substantive design. They argued that the act aligned with existing federal civil rights jurisprudence in employment and housing, that the absence of a private right of action substantially limited the act's enforcement bite, and that the small-business exemption was already sufficiently broad. Several public-interest organizations called for strengthening, not weakening, the act in subsequent rulemaking and amendment.[^4][^32]
A wide range of academic commentators and law firms produced analyses of SB 24-205 in 2024-2025. Legal commentary from Skadden, Wilson Sonsini, Davis Wright Tremaine, Gibson Dunn, Cooley, Mayer Brown, Latham & Watkins, Hogan Lovells, Kirkland & Ellis, Baker Botts, and Brownstein Hyatt Farber Schreck (among others) generally accepted the act's framing as the closest U.S. analogue to the EU AI Act but flagged significant operational challenges in defining "algorithmic discrimination," determining what would constitute "reasonable care" in a fast-evolving technical field, calibrating documentation and impact-assessment requirements, and reconciling the act with existing federal sectoral regulation (HIPAA, the Fair Credit Reporting Act, the Equal Credit Opportunity Act, Title VII, and the Fair Housing Act).[^2][^17][^25][^44]
The National Association of Attorneys General published a "deep dive" analysis in 2024 highlighting both the act's pioneering nature and the absence of comparable federal infrastructure to support multistate enforcement coordination.[^4]
By the time SB 24-205 was repealed in May 2026, Colorado was one of more than a dozen states to have enacted some form of AI legislation. Utah's HB 149 of March 2024 focused on disclosure obligations for generative AI; California enacted a series of more targeted measures, including the California Senate Bill 53 frontier-model transparency law of September 2025, the AB 2013 training-data disclosure law, and various sectoral measures. California's broader SB 1047 safety bill was vetoed by Governor Gavin Newsom in September 2024.[^45]
Texas, Connecticut, Maryland, Virginia, and New York all considered comprehensive AI legislation modeled on the Colorado act during 2024-2025; only a few, including Texas's narrower Responsible Artificial Intelligence Governance Act of 2025, were enacted in any form. Several jurisdictions explicitly cited Colorado's experience, including its industry pushback and litigation, as cautionary in their own drafting.[^45][^46]
The Colorado act's relationship to the EU AI Act was the subject of extensive comparative analysis.[^2][^17] Common features included:
Major differences included:
At the federal level, the Biden Administration's Executive Order on AI of October 30, 2023 imposed obligations primarily on federal agencies and on federal contractors developing dual-use foundation models. The order was rescinded in January 2025 by an early executive order of the Trump Administration. By 2026, federal policy had shifted toward an explicitly deregulatory posture: the federal government's intervention in xAI v. Weiser reflected a broader policy preference, articulated in the Trump Administration's America's AI Action Plan of 2025, for preempting state AI regulation in favor of a uniform national approach to be developed primarily through executive action and voluntary industry coordination.[^9][^37]
Although the Colorado Artificial Intelligence Act was repealed before any of its obligations attached, its 24-month life cycle had a significant effect on the trajectory of AI regulation in the United States and beyond.
First, SB 24-205 established a template (developer-deployer bifurcation, reasonable-care duty, impact assessments, NIST-framework affirmative defense, AG-only enforcement) that became the reference architecture for numerous state proposals and academic model statutes during 2024-2026.[^45][^46]
Second, the act's repeal and replacement under industry, gubernatorial, judicial, and federal pressure became a widely cited case study of the political-economic difficulty of enacting cross-sectoral AI regulation at the state level in the U.S., particularly in the absence of a coordinated federal framework. Commentators noted that Colorado's two-year fight had produced a final statute (SB 26-189) substantially weaker than the original, with the principal substantive duty (the duty to use reasonable care to prevent disparate treatment and disparate impact in AI outputs) removed in favor of a procedural notice-and-explanation regime.[^32][^41]
Third, the xAI v. Weiser litigation, even though it was not decided on the merits, signaled the increasing willingness of AI developers and the federal government to invoke First Amendment and Commerce Clause doctrines against state-level AI regulation, raising substantial constitutional questions about whether the developer-deployer bifurcation popularized in Colorado, the EU AI Act, and elsewhere could survive U.S. constitutional scrutiny when applied to expressive AI outputs.[^8][^10]
Fourth, the act's interaction with the AI governance regime developed by the Bletchley Declaration, the AI Safety Summit process, and other international initiatives illustrated the structural difficulty of reconciling distributed, multi-jurisdictional AI safety and consumer-protection efforts. Colorado's experience helped shift policymaker attention toward the question of preemption and toward narrower, sector-specific approaches focused on transparency and consumer rights rather than substantive anti-discrimination duties.[^45][^46]