SB26-189 – Automated Decision-Making Technology

Summary

Repeals and reenacts Colorado’s prior SB24-205 artificial-intelligence consumer-protection framework as an automated decision-making technology law governing consequential decisions. Covered consequential decisions include decisions related to education, employment, housing, financial or lending services, insurance, health-care services, and essential government services. Beginning January 1, 2027, developers of covered ADMTs must provide deployers with technical documentation, developers and deployers must retain compliance records for at least three years, deployers must provide point-of-interaction and post-adverse-outcome notices, consumers may request correction of data and meaningful human review/reconsideration after adverse outcomes, and the attorney general enforces violations under the Colorado Consumer Protection Act.

Healthcare Implications

This is not healthcare-specific, but it directly applies to automated decision-making technology used for consequential decisions involving health-care services and insurance. It affects developers and deployers of ADMTs that materially influence health-care access, eligibility, coverage, or related insurance decisions, and creates notice, documentation, recordkeeping, consumer review, and attorney-general enforcement obligations relevant to healthcare AI governance.

Operational Implications

• Deployers must provide clear and conspicuous notice to consumers at the point of interaction with a covered ADMT and must provide a plain-language description of the ADMT’s role within 30 days after a consequential decision resulting in an adverse outcome.
• Consumers affected by an adverse consequential decision made by a covered ADMT may request meaningful human review and reconsideration, as well as access to and correction of certain personal data used by the ADMT.
• Developers must provide deployers with technical documentation on intended uses, training-data categories, known limitations, and appropriate use/human review instructions; developers and deployers must retain records needed to demonstrate compliance for at least three years.