A PYMNTS Company

Colorado Refines, Rather Than Retreats From, AI Regulation

 |  June 16, 2026
AI regulations, government, legislation

Colorado first enacted a landmark AI law in 2024 that sought to protect consumers from algorithmic discrimination by imposing obligations on developers and deployers of “high-risk” AI systems. After industry criticism, constitutional challenges and recommendations from a state AI Policy Working Group, lawmakers repealed and reenacted the statute in May 2026 with substantial revisions.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    According to an analysis by Mintz, the revised law shifts the regulatory focus away from the technology itself and toward the real-world outcomes AI systems produce. Businesses operating in Colorado will need to understand not only what AI tools they use, but also whether those tools materially influence decisions that can adversely affect consumers in areas such as employment, housing, healthcare and financial services.

    The law contains five core components that will have significant compliance implications.

    The first major change is an expansion of the technologies subject to regulation. The original law applied primarily to “high-risk AI systems.” The reenacted statute instead covers a broader category known as “automated decision-making technology,” defined as technology that processes personal data and generates outputs such as predictions, rankings, classifications, recommendations or scores used to assist decisions about individuals.

    While the law retains exclusions for technologies such as calculators, databases, spell-checkers, and anti-virus tools, businesses will need to conduct detailed reviews of their AI inventories to determine which tools fall within the statute’s scope.

    The second component narrows the law’s focus to adverse outcomes arising from consequential decisions in education, employment, housing, financial services, insurance, healthcare, and government services and public benefits

    WHAT’S NEXT IN TECHREG™

    The revised law also provides a more concrete definition of “consequential decisions” and establishes nine categories of exclusions, including routine administrative activities, scheduling, workflow management, cybersecurity functions, fraud prevention and marketing activities.

    A third significant revision broadens the law’s reach by replacing the original “substantial factor” test with a new “materially influence” standard. Under the statute, AI may be regulated even when humans remain involved in the decision-making process if AI outputs meaningfully affect rankings, classifications, recommendations or other elements that shape the final decision.

    Read more: Banking Groups Pitch Anti-Money Laundering Rules for Stablecoins

    Mintz notes that this standard is broader than comparable approaches adopted elsewhere, including California regulations that focus on systems replacing or substantially replacing human decision-making. As a result, organizations may not be able to avoid regulatory obligations simply by maintaining a human reviewer in the process.

    The fourth component establishes advance notice and post-adverse-outcome disclosure requirements. Organizations using covered AI systems must notify consumers when AI is involved in decision-making. When an adverse outcome occurs, businesses must explain how AI contributed to the decision, inform individuals how to correct inaccurate information, and disclose their right to seek meaningful human review and reconsideration.

    The Colorado attorney general is expected to issue additional sector-specific guidance before the law takes effect. Businesses operating across multiple regulated sectors will likely need separate compliance workflows tailored to different types of decisions and disclosures.

    Finally, the law imposes extensive documentation obligations on AI developers. Developers must identify intended and reasonably foreseeable uses of their systems, describe training data categories, document limitations, specify inappropriate uses and provide instructions regarding monitoring and human oversight.

    Although the requirements formally apply to developers doing business in Colorado, Mintz argues that vendors nationwide may need to adopt similar documentation practices because Colorado-based customers will likely demand the information to satisfy their own compliance obligations.

    Mintz concludes that the law’s overarching theme is governance. Rather than regulating AI models in the abstract, Colorado is creating a framework that requires organizations to identify where AI materially influences consequential decisions, assess potential harms, maintain documentation and provide meaningful transparency to affected individuals. With the law taking effect in January 2027, businesses operating in Colorado have a limited window to build governance programs capable of mapping AI use cases, monitoring outcomes and implementing new notice and documentation procedures.