AI Regulation Tracker  /  Regulation signed, effective Jan 2027

Colorado's New AI Law: What SB 26-189 Changed, Who It Binds, and the Trade Secret Catch

Colorado threw out its 2024 AI Act and replaced it with SB 26-189, a narrower disclosure-based rule for automated decision tools that takes effect January 1, 2027. Here is what actually changed, who the new duties now bind, and the trade secret tension counsel should not miss.

By Anthony Guerriero  ·  Reviewed by The Leveraged Years Editorial Desk  ·  Published June 28, 2026  ·  Last updated June 28, 2026

On May 14, 2026, Colorado Governor Polis signed SB 26-189, which repeals and replaces the state's 2024 AI Act (SB 24-205) with a narrower, disclosure-based framework for automated decision-making technology (ADMT) used in consequential decisions, effective January 1, 2027. The old law's duty of care, risk management programs, and impact assessments are gone; the new law binds developers and deployers of covered ADMT to a chain of disclosures, enforced by the Attorney General, who must issue clarifying rules by January 1, 2027. A trade secret tension comes with it: developers must hand deployers documentation about a tool's intended uses, training data categories, and known limitations, with narrower trade secret protection than they had under the 2024 law. Primary source: Colorado SB 26-189.

Colorado traded one hard AI law for a different one

For two years, Colorado's 2024 AI Act was among the country's most ambitious, though it never took effect. SB 24-205 imposed a duty of care to avoid algorithmic discrimination, mandatory risk management programs, and impact assessments. It had been set to apply on June 30, 2026. Instead, on May 14, 2026, Governor Polis signed SB 26-189, which repeals that law and replaces it with something narrower. The new rule takes effect January 1, 2027.

The replacement is built around disclosure, not a duty of care. Gone are the impact assessments, the risk management programs, and the reporting to the Attorney General. What remains is a chain of required notices: developers tell deployers about their tools, and deployers tell consumers when one of those tools shapes a decision about them. For most observers, that reads as a lighter touch. For the companies that build these tools, it opens a problem the old law handled differently.

What the law now requires, and from whom

SB 26-189 regulates automated decision-making technology, defined as technology that processes personal data and computes an output, such as a prediction, ranking, score, or classification, used to make, guide, or assist a decision about a person. The law reaches a covered ADMT when it materially influences a consequential decision, meaning a decision about access, eligibility, or compensation in education, employment, residential real estate, lending, insurance, health care, or essential government services.

The duties split by role. Under the law, a developer, the company that makes the tool commercially available, must give each deployer documentation that describes the tool's intended uses, categories of training data, known limitations, and instructions for appropriate use and human review. A deployer, the company that uses the tool to decide something about a consumer, must give consumers a clear pre-use notice, and within 30 days of an adverse outcome it must hand over a plain-language description of the decision, the tool's role in it, and how to request human review. Both sides have to keep records for at least three years. The Attorney General enforces all of it through the Colorado Consumer Protection Act, with a 60-day cure period that sunsets on January 1, 2030.

The trade secret catch counsel should not miss

Here is where it gets uncomfortable for the builders. The disclosures run downhill, and the trade secret protection does not run evenly with them.

A deployer is allowed to withhold trade secrets from its disclosures to consumers, as long as it tells the consumer it is doing so. A developer does not appear to get the same clean carve-out for its disclosures to deployers, and the statutory text has been read both ways. As Matthew D'Amore laid out in Bloomberg Law on June 26, 2026, the statute tells developers to make their disclosures to deployers in a form that protects trade secrets, but only one of the five required disclosure categories clearly allows information to be withheld, and even there the act is not explicit that trade secrets are a valid basis. D'Amore's reading is that a developer cannot simply refuse to provide the required documentation on trade secret grounds. It has to provide it and rely on confidentiality agreements to keep it secret.

Not every commentator reads the statute this way. Finnegan's May 26, 2026 overview states that developers are not required to disclose trade secret information, a more developer-friendly reading. The text is ambiguous enough that the two interpretations can sit side by side, which is itself the warning: counsel should plan for the stricter version rather than assume the generous one.

The text changed materially from the prior version. The 2024 bill gave developers and deployers the same trade secret protection. The 2026 law pulled them apart. That matters because a trade secret is only a trade secret as long as a company takes reasonable steps to keep it secret. A statute that compels a developer to disclose the categories of its training data, its model's known limitations, and its intended uses to every customer is a statute that forces proprietary information out the door on a recurring basis.

Why an attorney outside Colorado should still read this

Two reasons. First, the reach. The law covers consequential decisions about Colorado residents, including employees and job applicants. A national vendor selling a hiring or lending tool that touches a single Colorado applicant is plausibly a developer under this statute. Counsel advising any ADMT vendor with national reach has to assume Colorado is in scope.

Second, the pattern. Colorado is not alone in choosing disclosure over a broad duty of care, and the way it handled trade secrets is now a live design question other states will copy or reject. New York City's bias-audit law for hiring tools carried no trade secret protection at all. California's new ADMT rules let deployers withhold trade secrets with notice. Colorado split the difference and put the heavier burden on developers. Whichever model spreads, the lesson for counsel is the same: the disclosure obligation and the trade secret strategy can no longer be handled by two different teams who never talk.

What to do before January 1, 2027

The work is concrete and it starts now. Inventory every covered ADMT your client develops or deploys, and tag which Colorado consequential decisions each one touches. For each required disclosure, draft what it will actually say, then run it past someone who understands the trade secret exposure, because the document that satisfies the regulator is the same document that can give away the model. Rebuild the vendor agreements so the mandated documentation moves under confidentiality provisions strong enough to preserve trade secret status, since the statute is leaving that protection to your contracts rather than handling it itself. Review indemnification clauses too, because the law voids any provision that tries to hold a party harmless for its own violation. And watch the rulemaking. The Attorney General has to issue rules clarifying the post-adverse-outcome disclosure by January 1, 2027, and those rules will decide how much detail actually has to leave the building.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.