Disclosure: Independent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice.

Colorado AI Act (SB 189): 2026 SaaS checklist

By Editorial team

Colorado SB 24-205 was repealed and replaced by SB 189 on May 14, 2026, before the original law took effect. New enforcement date: January 1, 2027. Here is what survives, what is gone, and the compliance checklist for SaaS.

The Colorado AI Act has been rewritten. On May 14, 2026, Governor Jared Polis signed SB 189, which repeals and replaces SB 24-205 (the original Colorado AI Act) before it ever took effect. The new law — formally the Automated Decision-Making Technology (ADMT) framework — takes effect January 1, 2027. If you have content, controls, or compliance plans built around the June 30, 2026 SB 24-205 enforcement date, they are now obsolete. This is what changed, what survives, and what SaaS vendors need to do next.

Timeline — what actually happened

What SB 189 actually requires

SB 189 takes a disclosure-based approach focused on Automated Decision-Making Technology (ADMT) that 'materially influences' consequential decisions. The covered domains are: education, employment, financial/lending, essential government services and public benefits, healthcare, residential real estate, and insurance.

Consumer notices before ADMT use

Before using ADMT to make or assist a consequential decision about a Colorado consumer, the deployer must provide a notice describing the ADMT, its purpose, and the categories of personal data used. The notice format and timing will be specified by AG rules to be issued before January 1, 2027.

Post-adverse-outcome rights

When ADMT contributes to an adverse outcome — a decision that denies, revokes, or materially reduces a consumer's access to or eligibility for an opportunity or service — the consumer has three rights: (1) explanation of the principal reasons for the adverse outcome; (2) right to correct inaccurate personal data used in the decision; (3) right to human review of the decision.

Recordkeeping

Three-year recordkeeping requirement for ADMT use that materially influences consequential decisions. Records must capture data sources, decision logic at a high level, and consumer requests for explanation, correction, or human review.

Key definitions in SB 189

Enforcement and penalties

SaaS compliance checklist (begin Q3 2026)

  1. Inventory your AI/automated decision systems. For each, document: data sources, decision logic at a high level, consequential decisions influenced (yes/no), Colorado consumer exposure.
  2. Identify Covered ADMT. If your product materially influences a consequential decision (denial of credit, hiring rejection, insurance underwriting, healthcare access, housing decisions) for Colorado consumers, you are in scope.
  3. Draft consumer notice templates. Until AG rules are issued, base templates on the SB 189 statutory text. Update once rules drop (expected late 2026).
  4. Build adverse-outcome workflow. When an automated decision contributes to denial, revocation, or material reduction of an opportunity: surface the principal reasons; provide a data correction channel; route to human review on request.
  5. Implement 3-year recordkeeping. Append-only storage for ADMT decision logs, including data inputs and consumer requests.
  6. Update vendor contracts. If you are a developer providing ADMT to deployers, your contract should describe the ADMT, its known limitations, and the consequential decisions it is designed to influence. Indemnification for your own discriminatory conduct is unenforceable under SB 189 — do not pretend it works.
  7. Coordinate with HR and product. Employment decisions are explicitly in scope. Internal HR tooling that uses ADMT to influence hiring, promotion, or termination decisions is covered.
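One way to approach checklist items 4 and 5 together is a hash-chained, append-only log that holds both ADMT decision records and the consumer requests that follow them. This is an added example, not code from the article or anything SB 189 prescribes; the field names, the hash-chain design, and the sample records are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

RETENTION_YEARS = 3  # recordkeeping period stated in the article
REQUEST_TYPES = {"explanation", "correction", "human_review"}
GENESIS = "0" * 64  # assumed chain anchor for the first entry

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, kind, body, when):
    """Append a decision or consumer-request entry; old entries are never edited."""
    if kind == "consumer_request" and body.get("type") not in REQUEST_TYPES:
        raise ValueError("unknown request type")
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"kind": kind, "at": when.isoformat(), "body": body}
    log.append(dict(record, prev=prev_hash, hash=_digest(prev_hash, record)))

def first_tampered(log):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev_hash = GENESIS
    for i, e in enumerate(log):
        record = {"kind": e["kind"], "at": e["at"], "body": e["body"]}
        if e["prev"] != prev_hash or e["hash"] != _digest(prev_hash, record):
            return i
        prev_hash = e["hash"]
    return -1

def past_retention(entry, now):
    """True only once the entry is at least RETENTION_YEARS old."""
    at = datetime.fromisoformat(entry["at"])
    try:
        cutoff = at.replace(year=at.year + RETENTION_YEARS)
    except ValueError:  # entry dated Feb 29, target year is not a leap year
        cutoff = at.replace(year=at.year + RETENTION_YEARS, day=28)
    return now >= cutoff

def sample_log():
    # Constructed sample records, not real data.
    log = []
    t = datetime(2027, 1, 4, 9, 0, tzinfo=timezone.utc)
    append_entry(log, "decision", {"decision_id": "d-1", "outcome": "adverse",
                 "data_sources": ["application_form"], "logic_summary": "score < cutoff"}, t)
    append_entry(log, "consumer_request", {"decision_id": "d-1", "type": "human_review"}, t)
    return log
```

The chain makes edits and deletions detectable but does not prevent them, so the log still needs write-once storage or restricted write access underneath it.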

How SB 189 compares to other state and federal AI laws

What this means for SOC 2 programs

SOC 2 does not address SB 189 directly. The Trust Services Criteria most closely related are CC2 (Communication and Information — pre-use notices and adverse-outcome explanations) and CC7 (System Operations — recordkeeping). Treat SB 189 compliance as a separate workstream from SOC 2 readiness. The good news: SB 189's recordkeeping requirement (3 years) is much lighter than the original SB 24-205's impact assessment and annual review requirements would have been. The complexity that was projected for June 30, 2026 simply did not materialize.