Colorado Just Rewrote Its AI Law: What SB 26-189 Means for Professional Services Web Tools

For two years, professional services firms watched Colorado’s landmark AI law approach like a deadline that would not move. Then, on 14 May 2026, Governor Jared Polis signed SB 26-189, repealing the original Colorado AI Act (SB 24-205) before it ever took effect on 30 June – and replacing it with a narrower regime focused on automated decision-making technology. The new rules take effect 1 January 2027. If your firm screens candidates, scores applicants, ranks vendors, or determines eligibility through software, the practical work of compliance lands squarely in your web and mobile products. Here is what changed and what it means for the tools you actually run.

What Colorado swapped out — and what it swapped in

The original Colorado AI Act would have imposed a heavy framework on “high-risk artificial intelligence systems,” including mandatory risk-management programs, impact assessments, annual reviews, and algorithmic-discrimination reporting. After repeated attempts to soften it, lawmakers scrapped that approach. SB 26-189 replaces the “high-risk AI” concept with a tighter target: “automated decision-making technology,” or ADMT, used to materially influence a consequential decision about a person. The headline obligations shift from sweeping governance paperwork toward transparency, notice, disclosure, recordkeeping, and human review – obligations that live where your users interact with your software.

The timing matters. Employers and firms that spent months preparing for a 30 June 2026 go-live now have a different target and a new date: 1 January 2027. Colorado is not alone, either – Connecticut enacted its own AI law in early June 2026, a signal that state-by-state automated-decision rules are becoming a permanent feature of the landscape rather than a one-off.

What “automated decision-making technology” actually covers

SB 26-189 defines ADMT as technology that processes personal data and uses computation to generate output – predictions, recommendations, classifications, rankings, or scores – used to make, guide, or assist a decision about an individual. Crucially, not every automated tool is in scope. The law excludes calculators, databases, firewalls, spell-checking, certain spreadsheets, and tools used solely to summarize, organize, translate, draft, route, or present information for human review or administrative processing.

The trigger is “material influence” over a consequential decision – one affecting a person’s access to, eligibility for, selection for, or compensation related to things like employment. An output counts as material when it is a non-de-minimis factor that shapes the outcome by constraining, ranking, scoring, recommending, or classifying. In other words, a human signing off at the end does not automatically remove a tool from scope. What matters is how the software actually shapes the decision, not how the vendor markets it.

The four duties that touch your software

For firms that deploy covered ADMT, SB 26-189 creates a set of obligations that are, at bottom, product requirements. They are the kind of thing that has to be designed into a portal, an applicant-tracking screen, or a mobile flow – not bolted on afterward:

• Clear and conspicuous notice that covered automated technology was used or will be used in a consequential decision affecting the person.
• After an adverse decision involving ADMT, a plain-language explanation – within 30 days – describing the decision and the role the technology played.
• A way for the individual to request correction of factually incorrect or materially inaccurate personal data, and to seek meaningful human review and reconsideration, to the extent commercially reasonable.
• Recordkeeping for not less than three years after a consequential decision, so the firm can show what happened if the Colorado Attorney General asks.

Enforcement sits with the Colorado Attorney General; there is no private right of action. But the practical exposure is real: each of these duties assumes you can surface a notice at the right moment, generate an accurate explanation, accept and route a correction or review request, and retrieve a clean record on demand.

Why professional services firms are squarely in scope

Staffing and recruiting agencies, HR and background-screening providers, consultancies, and other firms that evaluate people for clients are among the most exposed. They run exactly the kind of scoring, ranking, and eligibility logic the law targets – often inside applicant portals, client dashboards, and candidate-facing apps. And because the rule reaches Colorado residents and anyone evaluated by a business operating in Colorado, web-based intake systems make it hard to assume the law simply will not apply. Firms serving a national client base will likely find it cleaner to build these capabilities once and apply them broadly than to fence off a single state.

How Vadimages helps

Vadimages builds the web and mobile software that turns these obligations into working features. We do not supply AI models, legal opinions, or compliance consulting – we build the product layer your firm uses to meet the requirements your counsel defines. For professional services teams preparing for SB 26-189, that typically means:

• Candidate and client portals with a clear, conspicuous notice component that appears at the right point in an application or evaluation flow – on web and mobile.
• An adverse-decision explanation workflow: a templated, plain-language disclosure screen and a tracked 30-day delivery process, wired into your existing case or applicant records.
• Self-service request flows that let an individual submit a data-correction request or ask for human review, then route it to the right reviewer with status tracking.
• A reviewer dashboard that gives staff the context to reconsider a decision and log the outcome – supporting meaningful human review rather than a rubber stamp.
• An audit and recordkeeping dashboard with retention rules that keep the relevant records accessible for at least three years and exportable on request.
• Integration layers – REST or GraphQL – that connect your applicant-tracking, CRM, or scoring vendors so notices, explanations, and records stay in sync across systems.

Because the law is built around how tools are actually used, clean interfaces and accurate records do real work: they make it possible to show, at the screen level, what a candidate was told and when. That is a software problem, and it is the kind we solve.

Bottom line

Colorado’s reset gives professional services firms something they rarely get with new regulation: lead time. SB 26-189 is narrower than the law it replaced, but its notice, explanation, correction, human-review, and recordkeeping duties become concrete product requirements on 1 January 2027. Firms that map those duties to their portals, dashboards, and apps now – rather than in December – will spend the runway building rather than scrambling.

This article is general information about a software-readiness topic and is not legal advice; consult qualified counsel about how SB 26-189 applies to your firm.