Colorado AI Act (SB 205): What Your Business Needs to Know in 2026
The first US state AI law with enforcement teeth. Effective February 2026. Here's what it means in plain English.
Who's covered
The law distinguishes between two roles. Developers create AI systems. Deployers use them. Most small businesses are deployers.
Both roles have obligations if the AI is used for "consequential decisions" — defined broadly to include:
- Employment, hiring, promotion, termination
- Education and educational opportunities
- Financial or lending services (credit, loans)
- Healthcare services
- Housing
- Insurance
- Legal services
- Essential government services
What deployers (most SMBs) must do
- Risk management program. A documented approach to identifying and mitigating algorithmic discrimination.
- Impact assessments. Conducted annually and whenever the system materially changes.
- Notice to affected individuals. Before a consequential decision is made, tell the person that AI is being used.
- Right to appeal. Let the person contest adverse decisions and request human review.
- Disclosure to the AG. Report any discovered discrimination within 90 days.
What developers must do
- Provide deployers with documentation about the AI system (training data overview, known limitations, evaluation results).
- Describe reasonably foreseeable risks of algorithmic discrimination.
- Publish a public summary of systems available for deployment in Colorado.
Small business exemption
Companies with fewer than 50 full-time employees that don't use their own training data get a partial exemption from the impact-assessment requirement — but not from notice and appeal duties.
Penalties
The Colorado Attorney General has exclusive enforcement authority. There is no private right of action. Violations are handled under the Colorado Consumer Protection Act, meaning civil penalties per violation and potential injunctive relief.
How to comply — practical steps
- Map every AI system touching Coloradans. Flag ones used for consequential decisions.
- Get vendor documentation. If the vendor can't produce it, that's a red flag.
- Draft a risk management program. A 2-page memo covering governance, review cadence, and escalation is enough for most SMBs.
- Add AI notice to any customer-facing screen where a consequential decision happens.
- Build an appeal mechanism. Even a simple email: "Reply if you want a human to review this decision."
- Schedule an annual impact assessment on your calendar.
Colorado vs. EU AI Act — quick comparison
| Dimension | Colorado SB 205 | EU AI Act |
|---|---|---|
| Effective date | February 1, 2026 | August 2, 2026 (full) |
| Scope | AI for consequential decisions about Coloradans | All AI placed on EU market |
| Enforcement | Colorado AG | EU national regulators |
| Penalties | Consumer Protection Act civil penalties | Up to €35M or 7% of revenue |
| SMB exemption | Partial (under 50 FTE) | None (proportional obligations) |