Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

Colorado Repeals and Replaces Its AI Act

Skadden Publication / AI Insights

Stuart D. Levi Mana Ghaemmaghami

Executive Summary

  • What’s new: Colorado has repealed its landmark Artificial Intelligence Act (CAIA) before it took effect and replaced it with the less expansive Automated Decision-Making Technology Act (ADMTA) in response to federal government and industry complaints that the CAIA was too proscriptive.
  • Why it matters: The ADMTA significantly narrows Colorado’s anticipated AI governance scheme, shifting from the more substantive obligations of the CAIA and its focus on discrimination to a regime centered around transparency about the use of automated decision-making technology. The change signals that at least some states may be influenced by the strong opposition from industry and the Trump administration to state regulation of AI.
  • What to do next: Companies should monitor the Colorado attorney general’s rulemaking process, which must be completed before the ADMTA takes effect on January 1, 2027.

__________

Background

With the enactment of the Colorado Artificial Intelligence Act (CAIA) on May 17, 2024, Colorado became the first state to adopt a comprehensive law governing the development and deployment of artificial intelligence (AI) systems.1 The CAIA was originally set to take effect February 1, 2026, but that was subsequently delayed in the rulemaking process. The law focused on “high-risk” AI systems that are a substantial factor in reaching a “consequential decision” (e.g., relating to education, employment, lending, health, etc.) and the potential of such systems to yield algorithmic discrimination. See our June 24, 2024, client alert “Colorado’s Landmark AI Act: What Companies Need to Know.”

The CAIA was met with immediate and sustained industry opposition. Critics argued that its requirements were unworkable and would stifle AI innovation while placing a disproportionate compliance burden on smaller companies. In April 2026, X.AI sued to enjoin enforcement of the CAIA. The federal government moved to intervene — the first instance of federal authorities joining a suit challenging state-level AI laws. The Colorado attorney general agreed to suspend enforcement of the CAIA pending resolution of X.AI’s motion for a preliminary injunction and any amendment to the CAIA.

President Trump has also opposed state-level AI regulation as a general matter, taking the position that state laws imposing algorithmic discrimination obligations threaten U.S. AI competitiveness and improperly impose race- and sex-conscious mandates on AI developers. In a December 2025 Executive Order,2 which specifically called out the Colorado legislation, the president directed the U.S. attorney general to establish an AI Litigation Task Force charged with identifying and challenging state AI laws.

On May 14, 2026, likely in response to these developments, Colorado Gov. Jared Polis signed the Automated Decision-Making Technology Act (ADMTA),3 repealing and replacing the CAIA with a narrower framework focused on increased transparency about consequential decisions and disclosures about adverse outcomes affected by automated decision-making technology (ADMT). An “adverse outcome” is defined as a decision that materially reduces a consumer’s access to an opportunity or service, and/or results in a materially less than favorable price, cost, compensation or other material term.

The law takes effect January 1, 2027, provided the Colorado attorney general completes the required rulemaking by that date.

ADMTA Scope

The ADMTA applies only when covered ADMT is used to materially influence a “consequential decision.”

ADMT is defined as technology that processes personal data and uses computation to generate predictions, recommendations, classifications, rankings, scores or similar outputs used to make or assist decisions about individuals. In contrast to the CAIA, and to avoid being labeled an AI law, the ADMTA does not mention of AI in its definition of ADMT, nor does it use the term “high risk.”

A “consequential decision” is one regarding a consumer that affects access to, eligibility for, selection for, compensation for, or material terms within one of the following covered domains:

  • Education admissions and opportunities.
  • Employment.
  • Housing.
  • Lending and financial services.
  • Insurance.
  • Health care.
  • Government benefits and services.

These areas closely track those that were in the CAIA. However, the ADMTA avoids any mention of discrimination and eliminates the discrimination-related obligations in the CAIA, such as the duty of care to mitigate algorithmic discrimination risks, requirements regarding algorithmic discrimination, and requirements to perform annual impact assessments and maintain a risk management program.

Compliance Obligations

The act allocates responsibilities between developers (those doing business in Colorado that develop or offer ADMT or a component thereof) and deployers (those doing business in Colorado that deploy covered ADMT).

Developer Responsibilities

Developers are required to provide deployers of ADMT with:

  • Documentation regarding its intended use and any known harmful uses, risks and limitations.
  • Categories of personal data used in training the system.
  • Instructions for the deployer to implement meaningful human oversight.
  • Notice of material ADMT updates (such as changes in known limitations).

Developers must retain such records, along with certain other documents, for a minimum of three years.

Deployer Responsibilities

Consumer Notice

Before employing a covered ADMT to materially influence a consequential decision, the deployer must provide notice to the consumer that:

  • A covered ADMT is being used or will be used.
  • The system will render a consequential decision.
  • The consumer may request additional information and how to do so.

Rather than providing individualized notice to each consumer, deployers may satisfy this requirement through a prominent public notice that is accessible at the point of consumer interaction.

Handling Adverse Outcomes

When a covered ADMT materially influences a consequential decision and the consumer receives an adverse outcome, the deployer must provide the following disclosures within 30 days:

  • A plain language description of the decision and the role played by ADMT.
  • How the consumer may obtain additional information about the ADMT, to the extent such information was provided by the developer.
  • An explanation of the consumer’s rights under the ADMTA (discussed below).

The specific requirements of this disclosure, including how it might vary by industry, will be determined through rules to be adopted by the Colorado attorney general on or before January 1, 2027.

Record-Keeping

Deployers must retain records for a minimum of three years following any consequential decision using ADMT. This includes any documentation received from developers, the ADMT version used, and documentation of any mitigation changes made by the deployer.

Consumer Rights

Following an adverse outcome, consumers may request access to the personal data used in the consequential decision, and correction of factually incorrect or materially inaccurate personal data relied upon. Additionally, consumers are entitled to request a meaningful human review and reconsideration of the decision, to the extent commercially reasonable. Deployers are required to designate an individual who will receive training to conduct such human reviews and who has the authority to potentially override a consequential decision made by the covered ADMT. The right to human review was not included in the CAIA, and allows Colorado to couch the ADMTA as a consumer protection law and not an “anti-AI” law.

Enforcement

As with the CAIA, the ADMTA does not provide a private right of action. The Colorado attorney general has exclusive enforcement authority, and violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, carrying penalties of up to $20,000 per violation. Before initiating enforcement, the Colorado attorney general must provide written notice of the alleged violation and a 60-day opportunity to cure, where a cure is possible. The cure period does not apply to knowing or repeated violations and sunsets on January 1, 2030.

What Companies Should Consider Now

Developers of ADMT and those who deploy it, or plan to deploy it, to make consequential decisions should begin to build out a record-keeping and compliance infrastructure, and consider that as part of their product planning so they are prepared to comply with the act by its effective date of January 1, 2027.

While Colorado has watered down the CAIA, the state remains active in proposed AI legislation. Awaiting the governor’s signature are three other AI-related bills:

  • Conversational Artificial Intelligence Service Operator Requirements.4
  • Use of Artificial Intelligence in Health Care.5
  • Psychotherapy Artificial Intelligence Restrictions.6

Summer associate Harper Didlake contributed to this article.

_______________

1 Consumer Protections for Artificial Intelligence. S.B. 205, 74th Gen. Assemb., 2nd Reg. Sess. (Colo. 2024).

2 Exec. Order. No. 14365, 90 Fed. Reg. 239, Dec. 16, 2025.

3 Automated Decision-Making Technology, S.B. 189, 75th Gen. Assemb., 2nd Reg. Sess. (Colo. 2026).

4 Conversational Artificial Intelligence Service Operator Requirements, H.B. 1263, 75th Gen. Assemb., 2nd Reg. Sess. (C.O. 2026).

5 Use of Artificial Intelligence in Health Care, H.B. 1139, 75th Gen. Assemb., 2nd Reg. Sess. (C.O. 2026).

6 Psychotherapy Artificial Intelligence Restrictions, H.B. 1195, 75th Gen. Assemb., 2nd Reg. Sess. (C.O. 2026).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP