The proposed revisions would reduce compliance requirements, narrow the scope, and shift obligations for companies that build and use high-risk AI systems.

Colorado lawmakers are advancing amendments in the 2026 legislative session to revise Senate Bill 24-205, the state’s Consumer Protections for Artificial Intelligence Act, following concerns about how the law applies to businesses and public agencies.

The law, signed by Governor Jared Polis in 2024, applies to companies that build artificial intelligence systems (“developers”) and organizations that use those systems in decisions affecting individuals (“deployers”), including employers, lenders, landlords, and healthcare providers.

The proposed amendments would change several core requirements in the law.

Fewer required processes for companies using AI
Before: Deployers – including employers, banks, and other organizations that use AI in decision-making – would be required to conduct formal impact assessments and maintain risk management programs.
After: Those requirements would be reduced or removed, lowering the operational burden on companies using AI tools.

Shift from risk testing to disclosure requirements
Before: Deployers would be required to demonstrate they are actively identifying and reducing risks, including algorithmic discrimination, before using AI systems.
After: The focus would shift to disclosures, requiring companies to notify individuals when AI is used and provide explanations after adverse decisions.

Narrower definition of high-risk AI systems
Before: A broader set of AI systems used in consequential decisions could be subject to the law, affecting a wide range of companies.
After: The definition would be narrowed, reducing the number of systems and companies subject to the law.

Expanded exemptions for certain businesses
Before: Many organizations that use AI could be covered, regardless of size or level of use.
After: Additional exemptions would apply, particularly to smaller businesses and organizations that use AI only for limited purposes.

Shift in responsibility toward AI developers
Before: Deployers, such as employers and financial institutions, carried significant responsibility for compliance when using AI systems.
After: More responsibility would shift to developers, requiring them to provide documentation of system capabilities, limitations, and risks.

More flexibility in enforcement and timing
Before: Companies could face enforcement if they did not meet requirements by the implementation date.
After: Lawmakers are considering allowing time to correct violations before penalties and extending the timeline beyond the current June 30, 2026 effective date.

The revisions follow concerns raised by the governor’s office, state agencies, and industry stakeholders that the original law’s scope and compliance requirements were difficult to apply in practice. The bill remains under consideration in the Colorado General Assembly.