What is Colorado Algorithmic Accountability Act?

The Colorado Algorithmic Accountability Act (Senate Bill 205) is the first US state law specifically governing the use of high-risk artificial intelligence systems in consequential decision-making. Effective February 1, 2026, it requires developers and deployers of high-risk AI to conduct impact assessments, disclose algorithmic decision-making to affected individuals, and take corrective action when discrimination is discovered.

Why It Matters

Colorado is the first state to pass comprehensive algorithmic accountability legislation, establishing a model that other states are watching closely. While the EU AI Act addresses similar concerns at a supranational level, the Colorado law is currently the most significant algorithmic accountability obligation for US businesses — and its passage is expected to catalyze similar legislation in California, Illinois, and other states.

The law reflects a growing concern: AI systems used for consequential decisions — who gets a loan, who gets hired, who gets healthcare services — can encode and amplify discriminatory patterns present in training data, often invisibly to the people affected.

Scope: What Is a "High-Risk AI System"?

The law applies to "high-risk automated decision systems" — AI or machine learning systems that make or substantially contribute to consequential decisions about individuals in these domains:

• Employment — Hiring, firing, pay, promotion, job assignment
• Housing — Rental, sale, or mortgage decisions
• Credit and lending — Loan approval, credit limits, interest rates
• Education — Admissions, financial aid, academic evaluation
• Healthcare — Access to services, treatment recommendations, insurance coverage
• Insurance — Underwriting and claims decisions

Not all automated decisions fall under the law — only those where the AI system has a "material effect" on an individual's life. Simple rule-based systems without machine learning components may fall outside scope.

Who the Law Covers

The law applies to two categories:

Developers — Organizations that create or substantially modify high-risk AI systems for use in Colorado or by Colorado residents.

Deployers — Organizations that use high-risk AI systems to make consequential decisions about Colorado residents, even if they did not build the system.

For businesses that use off-the-shelf AI products, this means: if a vendor's AI makes hiring or lending decisions about your Colorado customers or employees, your organization has compliance obligations — not just the vendor.

Key Requirements

Impact Assessments Deployers must conduct algorithmic impact assessments before deploying a high-risk AI system and annually thereafter. These assessments must:

• Identify the purpose, intended uses, and known limitations of the system
• Evaluate the risk of algorithmic discrimination across protected classes
• Document findings and corrective actions taken

Transparency to Affected Individuals When an AI system makes a consequential decision that adversely affects an individual, the deployer must:

• Disclose that an automated system was used
• Provide meaningful information about the factors considered
• Explain how those factors influenced the decision
• Describe how the individual can request human review

Right to Appeal Individuals adversely affected by a high-risk AI decision have the right to appeal the decision to a human reviewer and to correct inaccurate information used in the decision.

Transparency Statement Deployers must publish a plain-language statement describing the high-risk AI systems they deploy, their intended uses, and the risk management process.

Enforcement

The Colorado Attorney General enforces the law. There is no private right of action — individuals cannot sue under the Act directly, but the AG can pursue civil penalties for violations. The AG also has authority to conduct investigations and require production of impact assessment documentation.

Colorado vs. EU AI Act: Key Differences

Aspect	Colorado Act	EU AI Act
Scope	Consequential decisions in specific domains	Broad AI applications across EU market
Prohibited AI	No categorical prohibitions	Bans social scoring, mass surveillance AI, certain biometric systems
Conformity assessment	Impact assessments by deployers	Third-party audits required for highest-risk systems
Enforcement	State AG only	National regulators + EU AI Office
Extraterritoriality	Colorado residents	EU market
Effective date	February 2026	Phased 2024–2027

What Organizations Should Do Now

1. Inventory AI systems — Identify all automated systems that make or contribute to decisions in the covered domains for Colorado residents
2. Assess "high-risk" status — Determine whether each system meets the threshold for mandatory assessment
3. Engage AI vendors — Request impact assessment documentation and algorithmic discrimination analysis from vendors whose AI you deploy
4. Build assessment processes — The annual impact assessment requirement is ongoing, not a one-time compliance exercise
5. Prepare disclosure templates — Individual disclosure notices must be ready before adverse decisions are communicated