US companies operating across state lines are now running into two live AI statutes at once, each with its own trigger, its own enforcer, and its own penalty math. Colorado's Senate Bill 24-205 - the Colorado Artificial Intelligence Act (CAIA) - takes effect 30 June 2026. California's CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Regulations took effect on 1 January 2026, with the compliance date for the core ADMT obligations (pre-use notice, opt-out, access rights) falling on 1 January 2027.
Treating either as a box-tick exercise misreads both. Colorado is enforced exclusively by the state Attorney General under the Colorado Consumer Protection Act at up to $20,000 per violation, with each affected consumer counting as a separate violation. California's CCPA regime is enforced by the California Privacy Protection Agency (CPPA) and the Attorney General, with fines of $2,500 per violation and $7,500 per intentional violation under Cal. Civ. Code §1798.155. The two regimes target different problems - algorithmic discrimination in consequential decisions (Colorado) and consumer privacy and autonomy around automated decisions (California) - but they overlap heavily on hiring, lending, housing, education, and healthcare systems.
The Colorado Artificial Intelligence Act: structure and scope
The CAIA is the first comprehensive state-level AI regulation in the United States, modelled in part on the EU AI Act. Its central mechanic is a general duty of reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination - imposed on both developers and deployers of high-risk AI systems.
A high-risk AI system under CAIA is any system that, when deployed, makes or is a substantial factor in making a consequential decision. The statute defines consequential decisions as decisions that have a material legal or similarly significant effect on the provision, denial, cost, or terms of:
- Education enrollment or opportunity
- Employment or an employment opportunity
- Financial or lending service
- Essential government service
- Health-care service
- Housing
- Insurance
- Legal service
Developer obligations
Developers must, on and after 30 June 2026:
- Provide deployers with documentation sufficient to complete impact assessments - model cards, dataset cards, intended use statements, known limitations, and evaluations for risks of algorithmic discrimination.
- Publish a public statement summarising the types of high-risk systems the developer has built or substantially modified, and how it manages discrimination risk.
- Disclose to the Colorado Attorney General, and to all known deployers, any known or reasonably foreseeable risks of algorithmic discrimination - no later than 90 days after discovery.
- Respond to Attorney General documentation requests within 90 days (proprietary-information and privilege protections apply).
Deployer obligations
Deployers carry the heavier operational load. On and after 30 June 2026 they must:
- Implement a risk management policy and program aligned with a nationally or internationally recognised framework - the statute specifically invites reliance on the NIST AI Risk Management Framework or ISO/IEC 42001.
- Complete an impact assessment before first deployment, at least annually, and within 90 days of any intentional and substantial modification. Impact assessments must cover purpose and context, discrimination risk analysis and mitigation, data categories, performance metrics and limitations, transparency measures, and post-deployment monitoring. Retain for at least three years after final deployment.
- Provide consumers with pre-decision notice when the system will make or substantially influence a consequential decision, and adverse-decision notice including the right to correct inaccurate personal data and to appeal for human review where technically feasible.
- Publish a website statement summarising the high-risk systems in deployment.
- Notify the Attorney General within 90 days of discovering that the system has caused algorithmic discrimination.
Exemptions and affirmative defence
CAIA contains a narrow small-deployer exemption (fewer than 50 full-time employees, plus additional conditions - notably, the exemption does not apply if the business uses its own data to train or fine-tune the system). The law also exempts certain federally regulated activities, insurers subject to Colorado insurance rules, and systems approved by specified federal agencies.
The compliance lever that matters most is the rebuttable presumption of reasonable care. A developer or deployer that complies with the statute and any applicable Attorney General rules - or that demonstrates alignment with a recognised framework such as NIST AI RMF or ISO/IEC 42001 - is presumed to have exercised reasonable care. The presumption shifts the evidentiary burden to the Attorney General to prove non-compliance. The Attorney General must also provide written notice of an alleged violation and a 60-day cure period before bringing an enforcement action.
Enforcement and penalties
The Colorado Attorney General has exclusive enforcement authority. There is no private right of action. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, which authorises civil penalties of up to $20,000 per violation. Critically, each affected consumer or transaction can be counted as a separate violation, which is how aggregate exposure scales quickly for widely deployed systems. The Attorney General may also seek injunctive relief - including orders to stop using non-compliant systems.
California's ADMT regulations under the CCPA
On 23 September 2025, the California Office of Administrative Law approved the CPPA's finalised regulations covering automated decision-making technology, risk assessments, cybersecurity audits, and insurance company duties. The regulations took effect 1 January 2026 with phased compliance deadlines.
What counts as ADMT and a significant decision
The regulations define ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decision-making. That framing means manual processes with token human sign-off will not always escape the definition - the question is whether the human is actually exercising judgement.
A significant decision is one resulting in the provision or denial of:
- Financial or lending services
- Housing
- Education enrollment or opportunity
- Employment or independent contracting, including compensation
- Healthcare services
Advertising alone is expressly not a significant decision in the final rules, which was a notable change from earlier drafts.
Core ADMT obligations
Businesses that use ADMT to make a significant decision about a California consumer must:
- Issue a pre-use notice before collecting personal information for ADMT use or before using existing data, describing how the ADMT works, what personal information affects its outputs, what outputs it generates, how those outputs are used in the decision, and the alternative process if the consumer opts out.
- Grant a right to opt out of ADMT use for significant decisions (subject to narrow exceptions, such as fraud prevention or security), with at least two clearly presented opt-out methods.
- Honour a right to access information about the ADMT, including the logic, the key parameters that generated the output for that consumer, and the planned future use of outputs. Businesses can withhold content that would reveal trade secrets, compromise security, enable fraud, or endanger physical safety - but the access right itself is not optional.
Businesses already using ADMT for significant decisions before 1 January 2027 must be in compliance by that date. Any ADMT use starting on or after 1 January 2027 must be compliant before first use.
Risk assessments and cybersecurity audits
Separate from the ADMT rules, the regulations require risk assessments before any high-risk processing - selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, profiling for employee or student monitoring, and similar. Risk-assessment duties apply from 1 January 2026. For processing that began before that date and continues, initial assessments are due by 31 December 2027. Summary reports to the CPPA begin 1 April 2028.
Cybersecurity audit obligations apply to businesses whose processing presents "significant risk" (including large processors and heavy sellers or sharers of personal information). Independent annual audits must be conducted, with certifications submitted to the CPPA on staggered deadlines through 2028–2030 depending on revenue.
Enforcement and penalties
The CPPA and the California Attorney General share enforcement authority. Under Cal. Civ. Code §1798.155, penalties are:
- Up to $2,500 per violation for negligent violations.
- Up to $7,500 per intentional violation or per violation involving a minor's personal information.
These are per-violation amounts, not per-consumer amounts. There is no general private right of action for ADMT violations - the CCPA's private right of action is limited to certain data-breach scenarios. The CPPA can also request copies of risk assessments during audits or investigations.
Side-by-side: what actually differs
| Dimension | Colorado CAIA (SB 24-205) | California ADMT (CCPA Regs) |
|---|---|---|
| Primary concern | Algorithmic discrimination in consequential decisions | Consumer privacy and autonomy around automated decisions |
| Who is regulated | Developers and deployers doing business in Colorado | CCPA-covered businesses using ADMT on California residents |
| Effective / compliance date | 30 June 2026 | Rules effective 1 Jan 2026; ADMT compliance 1 Jan 2027 |
| Core duty | Reasonable care to prevent algorithmic discrimination | Pre-use notice, opt-out, access, risk assessments |
| Assessment | Impact assessment (initial, annual, post-modification within 90 days) | Risk assessment before high-risk processing; CPPA submission |
| Enforcer | Colorado Attorney General (exclusive) | CPPA and California Attorney General |
| Maximum penalty | Up to $20,000 per violation (per consumer/transaction) | $2,500 per violation; $7,500 per intentional violation |
| Cure period | 60 days after Attorney General notice | No general cure period (some contexts retain one) |
| Private right of action | None | None for ADMT; limited for data breaches |
| Affirmative defence | Rebuttable presumption via NIST AI RMF or ISO/IEC 42001 | None specified |
A practitioner's unified five-step plan
Because the two regimes overlap on hiring, lending, housing, education, and healthcare, most teams benefit from a single governance programme that satisfies both.
- Inventory every AI system across the tech stack. Tag each with: intended purpose, whether it makes or substantially influences a consequential decision (Colorado), whether it replaces or substantially replaces human decision-making for a significant decision (California), and geographic reach of affected consumers.
- Classify under both regimes in parallel. A system can be in scope in California only, Colorado only, both, or neither. Document the reasoning - Colorado's affirmative defence depends on documentary evidence.
- Build one governance programme anchored on NIST AI RMF or ISO/IEC 42001. Use the framework to satisfy Colorado's risk management policy requirement and California's risk assessment obligation in one documentation set, with state-specific annexes where the obligations diverge (for example, California's opt-out right has no Colorado analogue).
- Update vendor contracts. Demand model cards, documentation packages sufficient for impact assessments, known-limitation disclosures, notice cooperation, indemnification for undisclosed foreseeable harms, and audit rights. Colorado's developer disclosures become the anchor for deployer assessments.
- Stand up consumer-facing mechanisms. Pre-use notices (California), pre-decision and adverse-decision notices (Colorado), opt-out intake (California), appeal process with human review (Colorado and California), and logging of decisions, opt-outs, and overrides.
An illustrative scenario
The following is a hypothetical. It does not describe a real enforcement action.
Imagine a national lender deploys a refreshed credit-scoring model across its Colorado and California operations in Q3 2026. The team rolls the model out without conducting the 90-day post-modification impact assessment required by CAIA, and without updating its CCPA pre-use notice or opt-out mechanism for the model change. A Colorado applicant files a complaint alleging disparate denial rates; California consumers separately file ADMT opt-out complaints through the CPPA.
On the Colorado side, the Attorney General opens an investigation, issues a notice of violation, and invokes the 60-day cure period. If the company can demonstrate good-faith alignment with the NIST AI RMF and show the missing impact assessment was the specific failure, the rebuttable presumption creates a defensible posture - but only if the underlying documentation exists. If it does not, $20,000 per affected applicant is the statutory ceiling, and widely deployed lending decisions multiply that quickly. On the California side, the CPPA can pursue intentional-violation penalties at $7,500 each if the pre-use notice and opt-out gaps continue after discovery.
The cost pattern in scenarios like this is rarely the maximum fine. It is the combination of consumer remediation, third-party audits, pauses on automated approvals while the company remediates, and the commercial impact of publicised consent decrees. Early mapping and documented governance tend to be cheaper by an order of magnitude than retrofit under Attorney General pressure.
Compliance FAQ
What triggers Colorado AI Act compliance?
Any high-risk AI system - one that makes or is a substantial factor in making a consequential decision about a Colorado consumer in employment, education, financial or lending services, essential government services, healthcare, housing, insurance, or legal services. Both developers and deployers have direct duties. The effective date is 30 June 2026. Note that further amendments are possible during the 2026 legislative session, so the final operational scope may shift before that date.
What counts as ADMT under the California regulations?
Any technology that processes personal information and uses computation to replace or substantially replace human decision-making, used to make a significant decision about a consumer. Token human sign-off on a machine-generated output does not automatically take the system out of scope - the regulations look at whether a human actually exercises judgement.
What must a Colorado impact assessment include?
CAIA requires deployers to cover, at minimum: purpose, intended use cases, deployment context, and benefits; analysis of algorithmic discrimination risks and mitigation steps; categories of input and output data; performance metrics and known limitations; transparency measures; and post-deployment monitoring. Update before first deployment, at least annually, and within 90 days of any intentional and substantial modification. Retain for at least three years after final deployment.
Who carries liability - developer or deployer?
Under CAIA, both. Developers are liable for failure to provide required documentation, disclosures, and risk notifications. Deployers are liable for failure to maintain reasonable care, to perform impact assessments, to issue consumer notices, and to monitor for discrimination. Under California's ADMT regulations, the business using the ADMT is the primary duty-bearer regardless of whether the underlying technology is developed in-house or licensed.
Does complying with one state satisfy the other?
No. The regimes measure different things. Colorado measures discrimination-risk governance; California measures consumer-facing privacy rights around automated decisions. A full ADMT programme in California will not give you CAIA impact assessments, and CAIA compliance will not produce the ADMT opt-out mechanism. Build one programme that satisfies both rather than treating them as separate tracks.
Can the federal government override either of these?
Not directly, as of April 2026. The federal government has signalled a different enforcement philosophy on disparate-impact analysis (see Executive Order 14281), but that order does not invalidate state statutes. Preemption challenges are possible but not settled. Plan for both regimes to apply as written.
The bottom line
The cost of inaction in 2026 is Attorney General investigations, multi-million-dollar settlements, operational pauses on core AI workflows, and public consent decrees that follow companies for years. The cost of action is meaningful but bounded: a documented inventory, an impact-assessment template, risk-assessment documentation, pre-use notices, opt-out intake, appeal processes, and a framework-aligned risk management policy. Companies that build this once - anchored on NIST AI RMF or ISO/IEC 42001 - can satisfy both regimes and most other US state laws that arrive next.
Start with the inventory. Everything else depends on knowing what you actually operate.
Last updated: April 2026. This article is educational content and is not legal advice. State AI law is in active motion: Colorado's 2026 legislative session may amend CAIA before the 30 June 2026 effective date, and California regulators continue to issue interpretive guidance. Consult qualified counsel before making compliance decisions.