Effective June 30, 2026, Colorado’s Senate Bill 24-205 (SB24-205) becomes the most detailed AI-specific consumer protection law in the United States. Are you ready?
Colorado’s new AI law explained: What SB24-205 means for developers and deployers
Colorado SB24-205, officially titled the Consumer Protections for Artificial Intelligence Act, is a state-level AI regulation designed to safeguard consumers from algorithmic discrimination resulting from the use of high-risk AI systems. Signed into law in May 2024, the bill places sweeping responsibilities on both developers and deployers of AI technologies that make or influence consequential decisions such as those impacting housing, lending, employment, education, or healthcare.
Unlike laws that tiptoe around AI ethics, Colorado’s approach goes all in. It’s not just about disclosure; it’s about governance, risk management, accountability, and fairness baked into every stage of AI system deployment.
Who must pay attention?
If your organization develops or substantially modifies AI systems, or deploys them to make consequential decisions affecting Colorado residents, you’re in scope.
What is Colorado’s AI law SB24-205?
SB24-205 represents Colorado’s bold entry into the AI regulatory arena. It targets high-risk AI systems, specifically those that make or heavily influence what the law calls consequential decisions. That includes AI tools determining eligibility for jobs, loans, education, housing, insurance, and other essential services.
Under SB24-205, a consequential decision is one that has a material legal or similarly significant effect on an individual’s life. Specifically, the law lists decisions related to:
- Employment or job opportunities
- Educational access or enrollment
- Housing eligibility or terms
- Healthcare services
- Insurance coverage or pricing
- Financial or lending services
- Essential government services
- Legal services
These decisions are considered “consequential” because they can significantly shape an individual’s access to resources, opportunities, and protections. If your AI system makes or materially influences any of these types of decisions, it qualifies as high-risk under Colorado’s AI law and is subject to the full scope of SB24-205’s requirements.
What makes Colorado’s AI law different from others?
This is not just another transparency law. SB24-205 is a comprehensive governance framework that requires businesses to treat algorithmic outcomes with the same care and due diligence as any other legally regulated process.
The law’s scope is defined with precision:
- It applies to machine-based systems that infer from inputs to generate outputs such as decisions, recommendations, or predictions that can materially affect individuals.
- It requires action from both the developer (the entity building or modifying the system) and the deployer (the entity using it to make real-world decisions).
- It clearly defines “high-risk,” excluding systems used purely for internal procedures or narrow technical functions like antivirus software or spam filtering.
Colorado’s law also aligns with evolving national and global expectations. It echoes elements of the EU AI Act and builds on the compliance philosophy seen in frameworks like NIST’s AI Risk Management Framework.
With enforcement beginning on June 30, 2026, businesses have a clear, though narrow, window to get their systems, documentation, and governance programs in order.
Need help mapping your AI systems and understanding your obligations under SB24-205? Start a free trial of Nymity Research to access expert-curated legal insights and tools designed to simplify AI compliance.
Who must comply with Colorado’s AI law and when?
If your organization is involved in either the creation or deployment of AI systems in Colorado, it’s time to review your role. SB24-205 draws a bright regulatory line between two key actors:
- Developers: Those who build or substantially modify AI systems.
- Deployers: Those who use those systems to make consequential decisions that materially affect consumers.
The trigger for compliance is simple: if your AI system contributes directly or significantly to decisions about employment, education, housing, healthcare, or access to financial or legal services, it qualifies as high-risk. And if it operates within Colorado, you’re within reach of the law.
Importantly, size doesn’t exempt you. Even smaller businesses are subject to core obligations. An exemption exists for organizations with fewer than 50 full-time employees, but only if they do not train the AI system using their own data. The law anticipates exceptions, but the baseline expectation is clear: know your system’s impact, and govern it accordingly.
This exemption is narrow by design. If a small business uses its own data to train or fine-tune a high-risk AI system rather than licensing or deploying a third-party model, it is no longer exempt from SB24-205’s requirements. This condition ensures that any business actively shaping model behavior with proprietary data remains accountable for downstream risks, even if the organization is relatively small.
Failing to meet these standards is a regulatory liability. The Colorado Attorney General can issue a notice of violation, and if your organization fails to respond or cure the issue within 60 days, enforcement actions may follow. These violations are classified under unfair trade practices, opening the door to steep consequences.
How mature is your AI risk management? Take the quiz.
Colorado AI law compliance requirements for businesses
Impact assessments: The backbone of AI compliance
For developers and deployers alike, SB24-205 requires organizations to move beyond vague policy statements and into actionable AI governance.
The centerpiece of these obligations is the impact assessment. This formal, repeatable evaluation must be completed before deployment, annually, and within 90 days of any intentional and substantial modification to the system. These assessments go beyond surface-level documentation. Deployers must disclose the system’s purpose, intended use cases, deployment context, and any benefits the system is expected to provide.
Each impact assessment must also include:
- A detailed analysis of whether the system poses any known or foreseeable risk of algorithmic discrimination and how those risks will be mitigated.
- The categories of data the system processes as inputs, and the outputs it generates.
- An overview of any data used to customize the system (if applicable).
- A description of the transparency measures taken, including whether and how consumers are notified that AI is in use.
- A plan for post-deployment monitoring and user safeguards, including how issues will be tracked, reviewed, and addressed over time.
Colorado’s AI law requires these components to ensure the consistent, accountable, and transparent use of high-risk AI systems.
Developer duties: Documentation and risk disclosure
Developers, on the other hand, must provide detailed documentation to deployers. This includes technical and procedural disclosures that help deployers understand how the system works, how it was trained, and where its limitations lie. At a minimum, this documentation should include:
- A model card describing the system’s architecture, training objectives, performance benchmarks, and intended uses.
- A dataset card detailing the origin, structure, curation, and governance of the training data.
- A description of governance measures applied to ensure data quality, relevance, and representativeness.
- Known or foreseeable limitations and harmful use cases.
- The types and sources of data used to train or customize the system.
- Evaluation methods for performance, fairness, and bias mitigation.
This documentation must be provided to deployers before any system deployment and updated as needed. It forms the basis for deployers’ own impact assessments and downstream compliance obligations.
Both parties must keep this documentation readily accessible, especially in the event of an AG request. For deployers, completed assessments must be retained for three years after the final deployment.
Developers also have a statutory obligation to disclose risks. If a developer discovers that a high-risk AI system has caused or is likely to cause algorithmic discrimination, they must act. Within 90 days, they must notify the Colorado Attorney General and any known deployers or developers. This applies whether the issue is identified through internal testing or reported by a deployer. Timely disclosure is a legal requirement, not a best practice, reinforcing the law’s emphasis on transparency and cross-stakeholder accountability.
Consumer rights: Notice, opt-out, and appeals
There’s also a requirement that every AI system be transparent in practice, not just in theory. That means:
- Clearly disclosing when an individual is interacting with an AI and explaining its purpose and impact in plain language.
- Providing opt-out options for automated profiling.
- Allowing users to appeal adverse decisions and obtain human review, unless a delay would pose a risk to the consumer’s life or physical safety.
Consumer notifications: What must be disclosed and when
Under SB24-205, deployers must provide consumers with a clear and accessible statement whenever a high-risk AI system is used to make a consequential decision. This statement must include:
- The purpose of the AI system
- The nature of the decision being made or influenced
- A description of the system in plain language
- Contact information for the deployer so that individuals can inquire about or appeal the decision
This notification must be made at or before the time of the decision, and it must be designed for a general audience—legal jargon, technical terms, or AI-specific buzzwords won’t meet the law’s clarity requirement. The goal is to make the AI’s role in the decision-making process obvious, understandable, and accountable.
Deployers are not required to notify consumers when the interaction with an AI system would be obvious to a reasonable person. For example, if a user is engaging with a clearly automated chatbot or AI-generated self-service tool, and the AI nature of that system is self-evident, formal notification is not required. This exception ensures that organizations can focus disclosures on contexts where the distinction between human and machine is less clear and the legal impact more consequential.
In short, the law expects organizations to operationalize AI accountability, not just talk about it.
Mitigating AI bias and ensuring fairness
The heart of SB24-205 is fairness. Specifically, the law is designed to combat algorithmic discrimination, defined as unlawful differential treatment based on characteristics like race, sex, religion, disability, reproductive health, veteran status, and more.
The obligations to prevent this kind of harm are not one-sided.
Developers must use reasonable care to anticipate and mitigate risks. That means identifying not just how a system is intended to be used, but also how it could be misused or misapplied in ways that lead to discriminatory outcomes.
Deployers are required to go a step further. SB24-205 mandates that they implement a Risk Management Policy and Program that is dynamic, iterative, and rooted in recognized standards.
Employers are required to develop and maintain a Risk Management Program that aligns with a nationally or internationally recognized framework, such as the NIST AI Risk Management Framework, ISO/IEC 42001, or another standard designated by the Colorado Attorney General. This alignment is not optional; it ensures that risk identification, mitigation, and documentation are consistent with widely accepted best practices and regulatory expectations.
This risk program must evolve as the system evolves. It should cover everything from personnel roles and documentation procedures to the handling of post-deployment monitoring.
Ultimately, the law’s bias mitigation approach is not punitive. It’s proactive. It recognizes that bias is a systems problem, and solving it requires structure, transparency, and ongoing effort.
How Colorado’s AI law compares to other AI regulations
While Colorado may not be the only state pursuing AI oversight, SB24-205 sets a new bar for comprehensive, private-sector AI governance. Here’s how it stacks up against other major regulatory efforts:
| Jurisdiction | AI Regulation Scope | Key Impact |
|---|---|---|
| Colorado (SB24-205) | Broad, risk-based governance applying to developers and deployers of high-risk AI systems | Deep governance framework focused on accountability and transparency |
| Texas (TRAIGA) | Focused on prohibited, intentional AI practices across both public and private sectors | Targets misuse; not a comprehensive governance regime |
| California | Enacted SB942 (AI transparency) and AB2013 (training data disclosure) | Clear GenAI content transparency obligations |
| EU AI Act | Tiered, risk-based framework across the AI lifecycle | International benchmark in comprehensive AI regulation |
What sets Colorado apart?
Colorado’s SB24-205 is the first U.S. law to impose comprehensive, enforceable AI governance obligations on private-sector organizations. It requires ethical AI. Developers and deployers of high-risk AI systems must conduct annual impact assessments, implement robust risk management programs aligned with standards like NIST or ISO/IEC 42001, and provide detailed documentation and consumer disclosures. These obligations apply to systems making consequential decisions in employment, housing, healthcare, education, and more—not just generative AI tools.
Colorado’s law is unique in how deeply it embeds accountability, documentation, and consumer rights into the private deployment of decision-making AI. It does more than regulate outcomes. It governs the entire lifecycle. As a result, SB24-205 may become the benchmark that shapes future U.S. regulation, especially for companies that operate across multiple states or jurisdictions.
How to prepare for Colorado AI law SB24-205 compliance readiness checklist
To prepare for Colorado’s 2026 enforcement deadline, consider the following:
- Inventory your high-risk AI systems
Identify all AI systems used across the organization, especially those influencing decisions in employment, finance, healthcare, housing, or other regulated areas. - Classify systems that make consequential decisions
Determine which systems meet the law’s definition of “high-risk” based on their impact on individuals’ legal or economic rights. - Document intended uses, risks, and training data
Create detailed records of each system’s purpose, intended use cases, training datasets, and known or foreseeable risks. - Develop a Risk Management Program
Align your program with recognized frameworks such as NIST’s AI Risk Management Framework or ISO/IEC 42001. Ensure it is iterative and tied to your organization’s size and system complexity. - Conduct annual Impact Assessments
Assess systems before deployment, annually thereafter, and after any significant modifications. Include use context, data flows, risks of bias, and mitigation strategies. - Implement consumer opt-out and appeal workflows
Provide users with meaningful notice, opt-out rights, opportunities to correct inaccurate data, and options for human review of adverse decisions. - Retain documentation and prepare for AG inquiries
Maintain copies of all assessments, policies, and communications for at least three years. Be prepared to furnish them upon request. - Train internal teams on SB24-205 responsibilities
Ensure privacy, legal, IT, and business leaders understand the law’s scope, obligations, and enforcement triggers. - Monitor for algorithmic bias post-deployment
Establish ongoing oversight and post-deployment evaluation processes to identify and address discriminatory outcomes. - Review vendor contracts for downstream compliance
Confirm third-party vendors meet SB24-205 obligations and provide necessary documentation to support your own compliance posture.
Need help? TrustArc provides the tools to automate assessments, streamline documentation, and operationalize governance.
Tools and solutions to simplify SB24-205 compliance
Navigating this regulation manually is time-consuming and high risk. TrustArc offers targeted solutions built for this evolving landscape.
TRUSTe Responsible AI Certification
Demonstrate your organization’s commitment to ethical, fair, and transparent AI governance. Certification signals that your practices align with regulatory expectations.
Nymity Research
Your real-time privacy research engine. Track SB24-205 updates, compare global obligations, and access templates to operationalize compliance efficiently.
Data Mapping & Risk Manager
Automate data flow mapping, risk assessments, and documentation. Produce AI system records and impact assessments with ease.
These tools support your compliance across the full AI lifecycle from development and deployment to documentation and defense.
Leading with confidence in Colorado’s AI era
SB24-205 is a blueprint for building trustworthy, transparent systems today. For developers and deployers alike, this law delivers a clear message: when AI influences decisions that shape lives, responsible governance isn’t optional.
Yes, the obligations are significant. But so is the opportunity.
This is your chance to get ahead by formalizing how your organization identifies risk, builds documentation, notifies consumers, and reviews system outcomes. If you already have strong privacy practices, SB24-205 can complement and elevate your existing workflows. If you’re just starting, now is the moment to build your AI governance program with intention.
The good news? You’re not alone.
With the right frameworks, expert guidance, and automated tools, compliance doesn’t have to be overwhelming. TrustArc’s solutions, including TRUSTe AI Certification, Nymity Research, and our Data Mapping & Risk Manager, help you operationalize these requirements with efficiency and confidence.
SB24-205 isn’t about punishing innovation. It’s about protecting people and the businesses that serve them from preventable harm. In that way, this law is more than a mandate. It’s a milestone in the journey toward responsible AI.
Responsible AI, Certified and Simplified
Prove your AI systems are fair, transparent, and built for accountability. TRUSTe Responsible AI Certification helps you demonstrate compliance with SB24-205 and beyond.
Certify your AI Governance
Dynamic Mapping. Confident Compliance
Visualize data flows, automate risk analysis, and generate AI impact assessments on demand. With Data Mapping & Risk Manager, staying audit-ready has never been easier.
Map your AI riskColorado SB24-205: Frequently Asked Questions (FAQ)
What is Colorado SB24-205?
Colorado Senate Bill 24-205, also called the Consumer Protections for Artificial Intelligence Act, is the first U.S. state law to establish detailed governance requirements for high-risk AI systems. It applies to both developers and deployers of AI systems that influence consequential decisions affecting Colorado residents.
Who must comply with Colorado’s AI law?
SB24-205 applies to:
- Developers: Entities that build, modify, or train high-risk AI systems.
- Deployers: Entities that use high-risk AI systems to make consequential decisions.
It applies regardless of where the organization is headquartered, so long as the system affects individuals in Colorado.
What is considered a high-risk AI system under SB24-205?
A high-risk AI system is any system that makes or substantially influences a consequential decision, defined as one that has a legal or similarly significant impact on an individual’s life. Covered areas include:
- Employment
- Education
- Housing
- Health care
- Insurance
- Lending and financial services
- Government services
- Legal services
What are developers required to do under SB24-205?
Developers must:
- Use reasonable care to avoid algorithmic discrimination.
- Provide deployers with comprehensive documentation, including model and dataset cards.
- Notify the Colorado Attorney General and known deployers if the AI system causes or is likely to cause algorithmic discrimination.
What are deployers required to do under SB24-205?
Deployers must:
- Conduct impact assessments before deployment, annually, and after major changes.
- Implement a Risk Management Policy and Program aligned with a recognized framework (e.g., NIST AI RMF or ISO/IEC 42001).
- Provide clear consumer notices when AI is used to make a consequential decision.
- Offer human review of adverse decisions unless it poses a safety risk.
- Retain documentation and assessments for three years.
What must an impact assessment include?
Deployers’ impact assessments must document:
- The AI system’s purpose and deployment context
- Any risks of algorithmic discrimination and mitigation strategies
- Data inputs, outputs, and training/customization data
- Transparency measures and consumer notices
- Post-deployment monitoring and safeguards
When are consumer notifications required?
Deployers must notify consumers at or before making a consequential decision using high-risk AI. The notice must include:
- The AI system’s purpose
- The nature of the decision
- A plain-language system description
- Contact information for appeals or inquiries
No notice is required if it’s obvious to a reasonable person that AI is in use (e.g., an automated chatbot).
Is human review of AI decisions always required?
Human review must be offered when an AI system makes a consequential decision with adverse effects, unless delays would pose a risk to the individual’s life or physical safety.
Are small businesses exempt from SB24-205?
Only in limited cases. Businesses with fewer than 50 employees are exempt only if they do not use their own data to train or fine-tune the AI system. Customizing a model with proprietary data removes the exemption.
What is algorithmic discrimination under SB24-205?
The law defines algorithmic discrimination as an unlawful differential impact or treatment based on protected classes (e.g., race, sex, religion, disability, reproductive health decisions, veteran status, etc.) in consequential decisions.
When does SB24-205 go into effect?
SB24-205 takes effect June 30, 2026. Developers and deployers must prepare their governance programs, documentation, and consumer-facing processes before that date.
