Colorado Moves to Replace AI Bias Audit Law With New Transparency Framework: Your Guide to Understanding the Changes
Colorado lawmakers are moving to repeal the state’s first-in-the-nation AI antidiscrimination law and replace the mandatory bias audit and risk impact assessment requirements with a streamlined transparency-and-notice framework. The May 1 proposal, backed by key lawmakers, instead focuses on automated decision-making technology (ADMT) used in “consequential” decisions. If the bill gets passed into law, new employer obligations would kick in on January 1, 2027. Here’s what the proposed replacement would mean for your business and what you should be doing right now.
Quick Recap: How We Got Here
- The original law passed in 2024 imposed broad obligations on both AI developers and the businesses deploying AI tools, including mandatory bias audits, risk impact assessments, and extensive disclosure requirements. It was set to take effect February 1, 2026.
- The business and tech communities immediately pushed back, arguing the requirements were unworkable and would crush innovation. After repeated failed attempts to revise the law during the 2025 legislative session and a failed special session, lawmakers simply delayed the effective date to June 30, 2026, buying time to find a compromise.
- In March, a working group released a proposed rewrite that would strip out the most burdensome requirements and replace them with a transparency-and-notice framework, pushing the effective date to January 1, 2027.
- Then came the litigation. Elon Musk’s xAI teamed up with the US Department of Justice to sue the state, arguing the law unconstitutionally compels AI developers to embed the state’s preferred viewpoints into their products. On April 27, just days before the new bill was introduced, a federal court granted a temporary restraining order blocking Colorado from enforcing the law at all while the litigation continues.
What the New Bill Would Do
SB 26-189, sponsored by Sen. Robert Rodriguez (D-Denver) – the same legislator who championed the original 2024 law – takes a markedly different approach from its predecessor. The bill focuses on automated decision-making technology (ADMT) used in consequential decisions.
Who’s Covered?
The bill applies to any entity doing business in Colorado that either:
- Develops an ADMT (builds it, sells it, licenses it, or substantially modifies it), or
- Deploys a “covered ADMT,” meaning an ADMT that is used to materially influence a consequential decision.
What Counts as a “Consequential Decision”?
The bill defines consequential decisions as those affecting an individual’s:
- Employment or employment opportunities that create or may create an employer-employee relationship
- Access to education or education enrollment
- Housing (lease or purchase of residential real estate)
- Financial or lending services
- Insurance coverage, pricing, or claims adjudication
- Healthcare services
- Essential government services and public benefits
Notably, the bill explicitly carves out low-stakes or routine business processes like routine scheduling, administrative routing, customer service triage, and workflow management. Advertising, marketing, and content moderation are also excluded.
What Would Employers and Other Deployers Have to Do?
Under the proposed framework, businesses that deploy covered ADMTs would have several obligations:
- Notice at point of interaction: Deployers must provide clear, conspicuous notice to employees, applicants, and others when a covered ADMT is used.
- Post-adverse outcome disclosure: If an ADMT makes a consequential decision that leads to an adverse outcome, the deployer must provide a plain-language explanation of the ADMT’s role within 30 days.
- Data rights: Employees and applicants (and other consumers) can request the personal data used in an ADMT decision and can request correction of any factually inaccurate data.
- Human review rights: Anyone who receives an adverse outcome from a covered ADMT has the right to request meaningful human review and reconsideration.
- Recordkeeping: Both developers and deployers must retain compliance records for at least three years.
What Would AI Developers Have to Do?
Developers must provide deployers with technical documentation covering the ADMT’s intended uses, categories of training data, known limitations, and guidance on appropriate use and human review. They must also notify deployers of any material updates to the product.
How Would Liability Work?
The bill does not create a new private right of action. The attorney general would enforce the law through the Colorado Consumer Protection Act and treat violations as deceptive trade practices. Importantly, before initiating any enforcement action, the AG must provide a 60-day notice and opportunity to cure unless the violations are knowing or repeated.
The bill also clarifies how fault should be allocated between developers and deployers in civil actions alleging unlawful discrimination under existing law. It also says that any contract clause that tries to shift ADMT discrimination liability between a developer and deployer is automatically void.
When Would it Take Effect?
The law would kick in on January 1, 2027, giving the attorney general time to adopt rules clarifying the post-adverse outcome disclosure requirements before the law takes effect.
What’s Next?
The legislature is scheduled to wrap up May 13, leaving a tight window to get this bill passed. But the bill is moving quickly through the legislature and appears poised for final passage before the deadline. Once enacted, it will head to Governor Polis for his signature.
5 Steps Employers Should Take Now
1. Map your AI tools. Identify every AI-assisted tool involved in employment-related decisions affecting Colorado workers (hiring, screening, performance evaluation, compensation, benefits) and assess whether those tools would qualify as covered ADMTs under the new bill’s definitions.
2. Engage your vendors. Ask your AI vendors now what documentation they can provide on intended use cases, training data categories, known limitations, and human review guidance.
3. Build a disclosure process. Start thinking through what your consumer notice and post-adverse outcome disclosure processes would look like. The 30-day window to explain an adverse ADMT outcome to a consumer is operationally significant.
4. Document, document, document. The three-year recordkeeping requirement will apply to both developers and deployers. Build your compliance documentation habits now, before the law takes effect.
5. Keep watching the legislature and the courts. The bill still needs to clear committee, pass both chambers, and survive the remaining legislative session – and the inevitable legal challenges that will spring up. Subscribe to Fisher Phillips’ Insight System to receive updates as they develop.
Conclusion
We will continue to monitor the situation and provide updates as they unfold. Make sure you are subscribed to Fisher Phillips’ Insight System to receive the most up-to-date information directly to your inbox. For more information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our Denver office or in our AI, Data, and Analytics Practice Group.
Related People
