Colorado’s Senate Bill 24-205, commonly called the Colorado AI Act, was enacted in 2024 as the first comprehensive US state law addressing algorithmic discrimination by high-risk AI systems. Its story is also one of repeated delay: the effective date was pushed back more than once before the framework itself was reshaped. This article describes the law and that timeline. It is news analysis, not legal advice.
What SB24-205 set out to do
The original law established duties for developers and deployers of high-risk artificial-intelligence systems — broadly, systems that make, or are a substantial factor in making, a consequential decision affecting access to things such as employment, education, financial services, housing, healthcare, insurance or legal services. Its central obligation was a duty of reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. The bill text and history are published by the Colorado General Assembly.
Key obligations in the original text
As originally drafted, SB24-205 contemplated obligations including:
- Risk-management practices for deployers of high-risk systems.
- Impact assessments evaluating the risk of algorithmic discrimination.
- Consumer notice when a high-risk system is used to make a consequential decision.
- Opportunities for consumers to be informed about, and in some cases to correct or appeal, adverse decisions.
- Public disclosures about the types of high-risk systems a developer or deployer handles.
The structure — distinguishing developers from deployers and centring on consequential decisions — drew comparison with risk-tiered approaches elsewhere, including the EU AI Act, though the Colorado law was narrower and built on a discrimination-protection foundation.
The deferred effective date
SB24-205 was originally scheduled to take effect on 1 February 2026. Before that date arrived, the legislature acted to postpone it. According to reporting and the legislative record, a subsequent bill moved the effective date to 30 June 2026, citing the need for more time to refine the framework. The repeated deferral became a notable feature of the law’s history: the first comprehensive US state AI statute spent much of its early life not yet in force.
Coverage indicated that the framework was subsequently revisited and reshaped through further legislation rather than taking effect in its original form. Because the legislative position continued to evolve, readers should verify the current status directly against the General Assembly’s records rather than rely on any single account.
Why the delays happened
Public discussion around the postponements centred on implementation concerns: businesses, advocacy groups and officials raised questions about the breadth of definitions such as “consequential decision” and “substantial factor,” the burden of impact assessments, and how the duty of reasonable care would be interpreted. Supporters of delay framed the extra time as an opportunity to align the law with developing practice and to harmonise with parallel efforts elsewhere; critics warned that repeated postponement risked leaving consumers without the protections the law promised. The episode is frequently cited as an illustration of the practical challenges of being first — of writing comprehensive AI rules before consensus on definitions, methods and burdens had settled.
Its significance regardless of the delays
Even unimplemented in its initial form, SB24-205 was influential as a template. It demonstrated a US state model built around algorithmic-discrimination risk, developer-versus-deployer duties and impact assessments — concepts that recur across the wider patchwork of US state AI laws. Legislators and advocates in other states studied its drafting closely, and its definitions and mechanisms surfaced in later bills, so its conceptual footprint extended well beyond Colorado regardless of when, or whether, the original text bound anyone. Organisations structuring governance in response often look to voluntary instruments such as the NIST AI RMF and ISO/IEC 42001 to operationalise risk assessment and documentation, although those do not satisfy any specific statutory duty.
Developers versus deployers
One of SB24-205’s structural choices was to split duties between two roles. Developers — those who build or substantially modify a high-risk system — were expected to provide deployers with information needed to complete impact assessments and to make public disclosures about the systems they offer. Deployers — those who put a system to use in making consequential decisions — carried obligations around risk management, impact assessment, consumer notice and, in defined circumstances, opportunities for consumers to respond to adverse outcomes. This division mirrors a pattern increasingly common in AI legislation, recognising that the party building a system and the party using it often differ and hold different information.
The attorney-general enforcement model
Like several US state AI measures, SB24-205 placed enforcement with the state attorney general rather than creating a private right of action for individuals. The original framework also contemplated affirmative defences or safe-harbour-style provisions tied to following recognised risk-management frameworks and discovering and curing violations — a design intended to reward documented good-faith governance. The precise contours of these provisions were among the elements subject to revision as the law’s timeline shifted, which is a further reason to consult the current statutory text directly.
Terminology
The law leans on defined terms — high-risk AI system, consequential decision, algorithmic discrimination, developer and deployer — whose precise statutory meanings drive scope. Readers approaching these for the first time may find plain-language entries in our dictionary a useful companion to the statutory text.
In summary
Colorado’s SB24-205 was the first comprehensive US state AI law to target algorithmic discrimination, built around a duty of reasonable care, impact assessments and consumer notice. Its effective date was deferred more than once and the framework was later reshaped, so its current status should be checked against official records. This article is a neutral summary of those developments and not legal advice.
Leave a Reply