Colorado Overhauls AI Act for Transparency and Liability

Colorado's AI law now puts transparency first and penalties second. Governor Polis signed SB 189 on May 15, overhauling the Colorado AI Act into the Colorado ADM Act, or CADMA, after two years of intense negotiations and national debate over how to regulate automated decision making. The revision shifts the regime from a broad algorithmic discrimination frame to a more targeted, disclosure‑driven approach, and it narrows the scope to reduce regulatory overhead while preserving consumer protections.

CADMA regulates developers and deployers of covered automated decision-making technologies used for consequential decisions in education, employment, financial, or lending domains. The core change is a pivot away from heavy governance mandates toward transparency requirements and liability allocations. Developers must provide deployers with a general statement about the covered ADMT, and deployers must disclose to consumers before use that a covered ADMT will be involved in any decision. Importantly, deployers must tell consumers whether and to what extent the ADMT contributed to a given adverse decision. That link between disclosure and accountability is designed to curb opaque decision making while avoiding a sprawling, one-size-fits-all regulatory scheme.

When an adverse decision occurs, CADMA grants consumers specific rights: an explanation of how the ADMT contributed, the ability to seek correction, and an avenue for appeal. The framework ties new obligations to existing legal channels rather than creating a separate compliance apparatus. Enforcement will occur through Colorado’s existing anti‑discrimination regime, and developers’ liability is limited to the intended use of the ADMT rather than every possible misapplication. In short, CADMA replaces broad governance requirements with a clearer liability structure and transparency duties that aim to empower consumers without imposing sweeping new governance mandates.

For compliance officers and product leaders, the changes create a tight set of operational milestones. First, organizations must craft and maintain a general ADMT statement for each covered technology and ensure deployers can share it with partners. Second, there is a pre‑use disclosure obligation to inform users that a covered ADMT will be used, which means designing user‑facing notices that are concise and understandable. Third, when a decision is adverse, teams must provide an explanation of the ADMT’s role and the extent of its influence, plus a process for correction or appeal. The shift to liability‑based enforcement means firms will increasingly need cross‑functional controls: legal teams to interpret remedies, privacy and data protection leads to manage data provenance, and product engineers to support audit trails and explainability.

The CADMA pivot matters most in practice because it changes why and how firms invest in AI governance. Companies can no longer lean on distant governance regimes; they must embed clear disclosure and accountability into product design, vendor contracts, and customer communications. Yet the law’s narrower scope also creates a watchlist: sectors outside education, employment, finance, and lending remain outside CADMA’s direct remit, which could invite certain teams to push borderline decisions into non‑covered areas. And because enforcement rides on existing anti‑discrimination channels, firms should expect regulatory wheels to turn through civil rights and human relations channels rather than through a standalone AI regulator.

What to watch next: guidance from Colorado’s regulators on what constitutes a sufficient general ADMT statement and what counts as a meaningful explanation will shape how these notices are drafted. Look for sample language, clarifications on what qualifies as an adverse decision, and guidance on how to document the extent of an ADMT’s contribution for defensible compliance. Vendors will likely tighten contract language to require upfront disclosures and maintain auditable logs that demonstrate conformance with the rights framework, while companies in sensitive industries prepare for audits and potential investigations under existing anti‑discrimination provisions.