Colorado's AI Act Takes Effect: Inside America's First State Law Against Algorithmic Discrimination

On February 1, 2026, Colorado became the first U.S. state to enforce a comprehensive law specifically designed to combat algorithmic discrimination by artificial intelligence systems. SB24-205, the Colorado Artificial Intelligence Act, imposes binding obligations on both the developers who build AI systems and the companies that deploy them, covering AI used in what the law terms 'consequential decisions' — employment, housing, healthcare, education, insurance, financial services, and government benefits. While developer obligations took effect in February, the full scope of the law — including deployer obligations — becomes enforceable on June 30, 2026, establishing what legal experts are calling the most rigorous state-level AI accountability framework in the United States.

What the Law Covers: Consequential Decisions

The Act defines 'algorithmic discrimination' as unlawful differential treatment or impact on individuals based on protected characteristics — age, race, disability, gender, religion, veteran status, and genetic information, among others — arising from the use of a 'high-risk artificial intelligence system.' A system is classified as high-risk if it makes or substantially influences a consequential decision about a person. This deliberately broad scope captures a wide range of AI applications: résumé screening tools, automated lending decisions, healthcare triage algorithms, insurance risk models, tenant screening services, and educational admissions software all fall within the law's purview.

The Developer Side: Documentation and Disclosure

Developers — defined as entities that create or substantially modify high-risk AI systems — must exercise reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. Critically, developers must provide deployers with comprehensive documentation: statements outlining foreseeable uses and risks, summaries of training data and its limitations, the system's intended purpose and benefits, and details of risk mitigation measures. If a developer discovers or receives a credible report of algorithmic discrimination in their system, they must disclose it to the Colorado Attorney General and to all known deployers within 90 days. They must also maintain a publicly accessible website summarizing the types of high-risk systems they develop and how they manage discrimination risks.

The Deployer Side: Assessments, Notices, and Explanations

The obligations on deployers — the companies that actually use AI systems to make decisions about consumers — are even more operationally demanding. Deployers must implement a risk management policy and program that incorporates recognized frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001. They must complete an impact assessment for each high-risk AI system annually, and within 90 days of any intentional and substantial modification to the system. When an AI system is involved in a consequential decision about a consumer, the deployer must inform the consumer that AI is being used, explain its purpose, and notify them of their right to opt out of certain data processing under the Colorado Privacy Act. If the AI system makes an adverse decision — a denied loan, a rejected job application, a higher insurance premium — the deployer must provide a clear, plain-language explanation of the primary reasons for the decision and information on how to appeal.

Enforcement, Exemptions, and the Federal Question

The Colorado Attorney General holds exclusive enforcement authority — there is no private right of action, meaning individual consumers cannot sue under the Act. Violations are classified as deceptive trade practices under the Colorado Consumer Protection Act, and companies are given a 60-day period to remediate identified violations before enforcement action. A narrow exemption exists for employers with fewer than 50 employees who do not use their own data to train their AI systems — a provision that effectively shields small businesses using off-the-shelf AI tools from the law's compliance requirements.

The Act's long-term significance may depend on federal developments. In December 2025, a presidential Executive Order signaled intent to consolidate AI oversight at the federal level and potentially preempt state laws deemed 'onerous.' In January 2026, the Department of Justice established an AI Litigation Task Force to challenge state AI laws in federal court. Whether Colorado's Act survives potential federal preemption remains an open legal question — but for now, it establishes the most detailed template for AI accountability in American law and is already influencing similar legislation in other states. Companies operating AI systems that touch Colorado consumers have no choice but to comply.