Colorado ADMT Act
Consumer Protections for Automated Decision-Making Technology — SB24-205 as amended by SB26-189
Standard Introduction
Colorado ADMT Act is an active standard published by State of Colorado. It is commonly used across Technology, Finance & Banking, Healthcare, Education, Services, Government and applies in United States.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with Colorado ADMT Act.
Consequential-decision focus
The amended law centers on automated decision-making technology used for consequential decisions affecting Colorado consumers.
Developer and deployer duties
Developers and deployers have role-specific obligations for disclosures, risk management, impact assessments, notices, and consumer controls.
US state-law signal
Colorado is an important indicator of how US state AI regulation may develop outside a single federal AI statute.
list_alt Operational Controls
- Inventory ADMT systems used in consequential decisions
- Define developer vs deployer responsibilities
- Conduct impact assessments for covered decisions
- Maintain risk management policies and documentation
- Provide consumer notices and appeal pathways where required
- Monitor for algorithmic discrimination and remediation needs
Who Needs to Comply?
Developers and deployers of automated decision-making technology doing business in Colorado or producing consequential decisions affecting Colorado consumers. Relevant areas include employment, lending, education, housing, insurance, healthcare, legal services, and government benefits.
Key Requirements
Determine ADMT scope
Identify automated decision-making technology that makes, or is a substantial factor in, consequential decisions. Document why each system is or is not in scope.
Use reasonable care
Implement policies, testing, monitoring, and governance designed to protect consumers from algorithmic discrimination risks.
Run impact assessments
For deployers, assess purpose, intended use, benefits, known risks, data inputs, outputs, safeguards, and mitigation measures for covered ADMT systems.
Provide notices and controls
Prepare consumer-facing notices, adverse decision information, correction or appeal workflows, and internal incident escalation procedures where applicable.
Implementation Roadmap
Prepare scope, ownership and obligations
Define the high-risk AI governance and consumer protection program scope across high-risk AI systems, developers, deployers, algorithmic discrimination risks, impact assessments, consumer notices, risk management policies, documentation, and Attorney General reporting. Assign accountable owners, identify applicable legal, customer, certification, or regulatory drivers, and agree how evidence will be governed.
Gap analysis and risk prioritisation
Assess current practices against Colorado AI Act expectations and risk context. Review high-risk AI inventory, developer documentation, deployer impact assessments, risk management, algorithmic discrimination controls, consumer disclosures, adverse decision notices, post-deployment monitoring, incident reporting, and governance accountability, then prioritize gaps by legal exposure, safety or consumer impact, customer impact, operational dependency, and review readiness.
Implement controls, records and reporting
Deploy required controls, operating processes, documentation, supplier or partner workflows, testing, reporting, and escalation paths. Build traceable evidence around AI inventories, system documentation, impact assessments, risk-management policies, bias testing records, consumer notices, adverse-decision notices, monitoring reports, incident assessments, and governance approvals.
Review, audit and keep current
Complete readiness reviews, internal checks, and corrective actions before the internal AI governance review or Attorney General inquiry. Refresh the program after product, service, supplier, technology, legal, market, incident, or regulator changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and evidence
checklist Monitoring and improvement
Penalties & Enforcement
The Colorado Attorney General has enforcement authority. Violations may be treated as deceptive trade practices under Colorado consumer protection law, exposing companies to investigations, injunctive relief, civil penalties, and remediation obligations.
Frequently Asked Questions
Who needs Colorado AI Act?
expand_more
Colorado AI Act is relevant for organizations whose products, services, systems, or regulated activities fall within high-risk AI systems, developers, deployers, algorithmic discrimination risks, impact assessments, consumer notices, risk management policies, documentation, and Attorney General reporting. It is commonly driven by regulation, customers, certification, market access, or assurance needs.
What is the main purpose of Colorado AI Act?
expand_more
The practical purpose is to create a repeatable program for high-risk AI inventory, developer documentation, deployer impact assessments, risk management, algorithmic discrimination controls, consumer disclosures, adverse decision notices, post-deployment monitoring, incident reporting, and governance accountability. The program should make obligations visible, define accountable owners, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope, ownership, and applicable obligations. This prevents teams from building documents or controls that do not match the actual product, service, system, or regulated activity.
How long does implementation take?
expand_more
A focused implementation can take several weeks or months. Timing depends on maturity, number of sites or systems, supplier involvement, technical complexity, testing needs, and external review depth.
What evidence is most useful?
expand_more
Useful evidence includes AI inventories, system documentation, impact assessments, risk-management policies, bias testing records, consumer notices, adverse-decision notices, monitoring reports, incident assessments, and governance approvals. Reviewers usually expect traceable evidence that connects obligations to decisions, controls, tests, reports, and corrective actions.
How should suppliers or partners be managed?
expand_more
Supplier and partner duties should be documented through contracts, onboarding requirements, data or evidence requests, performance monitoring, and escalation routes for findings, incidents, or changes.
When should the program be updated?
expand_more
Update the program after legal changes, product or service changes, supplier changes, new markets, incidents, complaints, regulator feedback, or audit findings. Stale evidence is a common compliance failure.
Can this be integrated with other programs?
expand_more
Yes. Colorado AI Act can usually share governance, document control, training, supplier management, issue tracking, risk management, internal review, and corrective-action workflows with adjacent compliance programs.
Official Documentation
Official PDF for Colorado ADMT Act
Official publication or summary for Colorado ADMT Act
Official online resource
State of Colorado guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for Colorado ADMT Act