Effective February 1, 2026

Colorado AI Act (SB24-205): Complete Compliance Guide

First comprehensive state AI law. High-risk AI definitions, impact assessments, consumer rights. Avoid $20,000 per violation penalties.

High-Risk AI Categories

Employment & Education

Examples:
  • AI resume screening
  • Candidate ranking algorithms
  • Performance evaluation AI
  • Student admissions AI
Requirements: Impact assessment, bias testing, human review option

Financial Services

Examples:
  • Credit scoring AI
  • Loan approval algorithms
  • Insurance underwriting AI
  • Fraud detection systems
Requirements: Explainability, adverse action notices, appeal process

Healthcare

Examples:
  • Diagnostic AI
  • Treatment recommendation systems
  • Patient triage algorithms
  • Insurance claim AI
Requirements: Clinical validation, HIPAA compliance, physician oversight

Housing

Examples:
  • Tenant screening AI
  • Rental application scoring
  • Property valuation algorithms
  • Eviction prediction AI
Requirements: Fair housing compliance, discrimination testing, transparency

Legal Services

Examples:
  • Bail recommendation AI
  • Sentencing algorithms
  • Legal research AI
  • Contract analysis tools
Requirements: Human oversight, explainability, audit trails

6-Step Compliance Roadmap

1. Determine if Your AI is High-Risk

AI making consequential decisions about employment, credit, housing, education, healthcare, insurance, or legal services

Deadline: Before deployment
$20,000 per violation

2. Conduct Impact Assessment

Document: purpose, data sources, known limitations, bias testing results, safeguards implemented

Deadline: Annually + when material changes
$20,000 per violation

3. Implement Risk Management Program

Policies for: governance, testing, monitoring, human oversight, incident response

Deadline: Before February 1, 2026
$20,000 per violation

4. Provide Consumer Disclosures

Notify consumers: AI is being used, purpose, how to opt out, how to appeal decisions

Deadline: At point of interaction
$20,000 per violation

5. Enable Opt-Out Rights

Consumers can opt out of AI profiling and request human review of AI decisions

Deadline: Within 45 days of request
$20,000 per violation

6. Maintain Documentation

Impact assessments, testing results, consumer complaints, opt-out requests, incident reports

Deadline: Ongoing (3 years retention)
Audit failures

Colorado AI Act FAQ

When does the Colorado AI Act take effect?

February 1, 2026. However, you should start compliance now: conduct impact assessments, implement risk management programs, and prepare consumer disclosures. The Attorney General can begin enforcement on the effective date.

Does the Colorado AI Act apply to companies outside Colorado?

Yes, if you deploy high-risk AI systems that impact Colorado consumers. Similar to GDPR and CCPA, the law has extraterritorial reach. If you serve Colorado customers and use AI for consequential decisions, you must comply regardless of where your company is located.

What is an "impact assessment" under the Colorado AI Act?

A documented evaluation of your high-risk AI system covering: (1) Purpose and intended use, (2) Data sources and categories, (3) Known limitations and risks, (4) Bias testing methodology and results, (5) Safeguards to prevent discrimination, (6) Post-deployment monitoring plan. Must be updated annually and when material changes occur.

How do I know if my AI system is "high-risk"?

Your AI is high-risk if it makes or substantially assists in making consequential decisions about: employment, education, financial services, healthcare, housing, insurance, or legal services. Examples: AI resume screening (employment), credit scoring (financial), tenant screening (housing), diagnostic AI (healthcare). If unsure, err on the side of caution and conduct an impact assessment.

What are the penalties for violating the Colorado AI Act?

$20,000 per violation. Each instance of non-compliance is a separate violation. Examples: Using high-risk AI without impact assessment, failing to provide consumer disclosures, not honoring opt-out requests, inadequate bias testing. Violations can accumulate quickly - 100 consumers without disclosure = $2M in potential penalties.

Can I use the same impact assessment for multiple AI systems?

No. Each high-risk AI system requires its own impact assessment. However, you can use a template approach: create a master framework, then customize for each system's specific purpose, data sources, risks, and safeguards. HAIEC provides impact assessment templates to streamline this process.

What is the difference between the Colorado AI Act and the EU AI Act?

Colorado AI Act: State law, applies to Colorado consumers, $20K per violation, effective Feb 2026. EU AI Act: EU regulation, applies to EU market, up to 6% revenue fines, phased implementation 2024-2027. Both require impact assessments for high-risk AI, but the EU AI Act has stricter requirements and broader scope. If you serve both markets, comply with the stricter EU requirements.
