The Colorado AI Act Everyone Was Preparing For No Longer Exists. Here Is What Actually Takes Effect and Why Illinois Businesses Should Still Pay Attention

You may have seen the headlines earlier this year about the Colorado AI Act taking effect June 30, 2026. If you were preparing for that law, you were preparing for the wrong thing.

The original Colorado AI Act, formally known as SB 24-205, is dead in any practical sense. A federal court stayed enforcement in April 2026. The U.S. Department of Justice and Elon Musk’s xAI joined a lawsuit challenging its constitutionality. The Colorado legislature responded by passing a replacement bill. Governor Polis signed the replacement, SB 26-189, into law on May 14, 2026.

What that means is that the comprehensive compliance framework most businesses were tracking, the one with risk management programs, annual impact assessments, and sweeping algorithmic discrimination duties, has been replaced with something narrower. The June 30 deadline for the original law is effectively moot.

But here is what most businesses are getting wrong: the story does not end there. The replacement law is real, it has its own compliance obligations, and the broader AI regulatory landscape it sits within is moving fast in ways that affect every business using AI tools, including businesses in Illinois that have never given Colorado law a second thought.

What the Original Colorado AI Act Was Going to Require

To understand why this matters, you need to understand what got killed and why.

The original Colorado AI Act was the first comprehensive state AI law in the United States. It adopted a risk-based approach to AI regulation, focused on high-risk AI systems defined as any system that, when deployed, makes or is a substantial factor in making a consequential decision. Consequential decisions included employment, housing, credit, insurance, healthcare, education, and legal services.

The law imposed obligations on both developers and deployers. Deployers were required to implement and annually review a risk management program, conduct yearly impact assessments covering what the system does, what data it uses, known risks, and mitigation steps, and disclose to consumers before an AI decision affects them that AI is involved, explain its role, and make clear whether it was the sole basis for the outcome. 

Violations were treated as deceptive trade practices, and fines could reach $20,000 per violation once any initial grace period expired. 

The business and tech communities pushed back hard from the moment it passed. The requirements were called unworkable. The effective date was delayed twice. Then in April 2026, a federal court put enforcement on hold entirely.

What the Replacement Law Actually Requires

The replacement law, SB 26-189, signed May 14, 2026, is a significant scaling back. Gone are the risk management programs, the annual impact assessments, and the broad reasonable care duty. What remains is a narrower framework focused on notice, transparency, and process.

When an AI-assisted decision results in an adverse outcome such as a rejection, a termination, or a denial of an opportunity, the employer must provide the affected individual within 30 days a plain-language explanation of the AI’s role, the categories of data the system used, instructions on how to request correction of inaccurate personal data, and information on how to request human review. 

Workers and applicants who receive an adverse AI-assisted decision can request meaningful human review and reconsideration to the extent commercially reasonable. That human reviewer must have actual authority to override the decision, must be trained for the role, and cannot simply defer to the system’s output. 

The Colorado Attorney General retains exclusive enforcement authority. There is no private right of action under this law. Violators get a 90-day cure period before the AG can seek civil penalties, unless the violation was knowing or repeated. 

The replacement law also pushed the effective date back to January 1, 2027, giving businesses additional time to build compliant processes.

What this means practically: if your business uses AI tools that influence hiring, firing, credit, housing, insurance, or healthcare decisions involving Colorado residents, you need to build a notice and disclosure process and ensure a genuine human review pathway exists. That is a more manageable obligation than the original law imposed, but it is still a real legal obligation with a real penalty structure attached to it.

 

Why Illinois Businesses Cannot Simply Ignore This

Here is the question most Illinois business owners ask when they hear about Colorado AI law: why does this affect me?

The answer has two parts.

First, the economic nexus question. You do not need a physical office in Colorado to be subject to Colorado law if you do business with Colorado residents. The same economic nexus logic that Illinois applied to the new crypto tax applies here. If your business uses AI to make decisions affecting Colorado customers in employment, lending, insurance, housing, or healthcare contexts, and you are doing meaningful business volume in the state, you are a deployer under Colorado law regardless of where you are based.

Second, and more importantly for most Illinois businesses, Colorado is not the only state moving on AI. It is the first. And the legal framework it is building, even in its scaled-back form, is a preview of where every state is heading.

Illinois has already moved. The Illinois Human Rights Act amendments that took effect January 1, 2026, prohibit employers from using AI in hiring, promotion, discharge, and other employment decisions in ways that discriminate based on protected classes. The law also imposes notification requirements when AI influences employment decisions. Illinois businesses using applicant tracking systems, resume screening tools, performance management software, or any other third-party platform that uses algorithmic scoring in employment decisions are already subject to these obligations.

The question is not whether AI regulation is coming to your business. It is whether you will be ready when the first enforcement action lands.

 

The Three Things Every Business Using AI Should Be Doing Right Now

Regardless of whether the Colorado law ultimately applies to your specific operations, the compliance framework it created is the template that every state is going to use. The businesses that come through the next three to five years of AI regulation without significant legal exposure are the ones that start building governance infrastructure now, not the ones that wait for a deadline to arrive.

Here is the practical framework.

Know what AI you are actually using. This sounds obvious, yet most businesses cannot answer it accurately. The relevant question is not just what software you have purchased. It is whether any of the tools in your stack (your ATS, your CRM, your performance management system, your fraud detection software, your customer service platform) uses algorithmic scoring or machine learning to influence decisions about people. Your HR software vendor may be using AI you have never been informed about. Your insurance underwriting tool almost certainly does. You need to know.

Understand whether you are a developer, a deployer, or both. These terms carry different legal obligations under every AI law currently on the books. A deployer is a business that uses an AI tool someone else built to make decisions affecting consumers or employees. That is most businesses. A developer is a business that builds or substantially modifies AI systems. If you are deploying a third-party tool, you are not off the hook. You are responsible for how that tool affects the people it touches in your operations.

Review your vendor contracts for AI liability allocation. This is where most businesses have the clearest gap. When you signed up for your hiring software, your customer service platform, or your underwriting tool, the vendor’s contract almost certainly does not address who bears liability if that tool discriminates, produces a biased outcome, or fails to comply with Illinois or Colorado AI law. That gap is your problem when a claim arises. Your vendor agreement needs to address AI-specific indemnification, notification obligations if the AI causes harm, and what documentation you are entitled to receive about how the system works.

 

The Federal Picture Is Shifting Too

The Colorado story does not exist in isolation. The federal government is also moving on AI, though in a different direction.

On June 2, 2026, President Trump signed an executive order directing federal agencies to harden government and private-sector systems against AI-enabled cybersecurity threats, establishing a voluntary clearinghouse for identifying and patching software vulnerabilities, and creating a framework under which AI developers may voluntarily provide the government early access to frontier models for up to 30 days before broader release. The order is explicitly voluntary for developers and does not create mandatory licensing or preclearance requirements.

The current federal posture is to promote AI development and resist state regulation. The Trump administration has been actively attempting to preempt state AI laws it views as innovation-hostile. That tension between federal permissiveness and state-level consumer protection is the defining feature of the current AI regulatory landscape, and it is not going to resolve quickly.

What that means for businesses: you cannot rely on federal law to set a floor that protects you from state compliance obligations. Illinois has its own AI employment law. Colorado has its replacement framework. California has multiple AI statutes. Texas has the Responsible AI Governance Act. These state laws run independently and the federal posture does not eliminate them.

 

What the Florida vs. OpenAI Lawsuit Tells Every Business About AI Vendor Liability

While Colorado was rewriting its AI law, Florida made its own history. Florida became the first state to sue OpenAI and CEO Sam Altman directly, alleging the company knowingly released addictive and unsafe AI technology and contributed to harmful incidents involving users, particularly minors.

Whatever the outcome of that litigation, the legal theory behind it matters to every business using AI vendor products. If a state can sue an AI developer for downstream harms caused by its product, the question of what liability flows to businesses that deploy those products and make decisions based on their outputs is not abstract anymore. It is the next legal frontier.

If your business uses ChatGPT, any OpenAI product, or any other AI platform to assist with decisions that affect customers, employees, or third parties, your vendor agreement needs to address what happens when the AI causes harm. Right now, most of those agreements put virtually all of that risk on you.

 

The Practical Takeaway for Illinois Businesses

The AI regulatory landscape is moving faster than most compliance programs. The Colorado AI Act story is a perfect illustration: a law was passed, delayed, challenged in court, replaced, and revised, all within two years. The businesses that were rigidly preparing for the original June 30 deadline are now recalibrating. The businesses that were building flexible AI governance infrastructure are in a much better position.

For Illinois businesses, the specific steps that matter right now are straightforward.

Audit your AI tools. Know what every platform in your stack does with data and how it influences decisions. Review your vendor contracts and identify the gaps in AI liability allocation. Make sure your employment practices comply with the Illinois Human Rights Act’s AI provisions that have been in effect since January 1, 2026. If you have Colorado customers and use AI in consequential decisions affecting them, understand your obligations under SB 26-189 before the January 1, 2027 effective date.

And build governance documentation now. AI impact assessments, vendor audit records, and internal policy documents are not just bureaucratic overhead. They are your defense when a regulator or plaintiff comes looking.

 

About George Bellas

George Bellas

Partner, Bellas and Wachowski

businessattorneychicago.com

George Bellas is a Chicago business attorney with decades of experience helping Illinois businesses navigate complex regulatory environments, commercial transactions, and emerging legal developments. As artificial intelligence transforms how businesses hire, serve customers, manage risk, and make decisions, the legal questions it generates have moved from theoretical to immediate.

Understanding what AI laws apply to your business, how your vendor contracts allocate AI-related liability, and what documentation you need to defend your practices is no longer optional. It is a core business legal question.

If your business uses AI tools in employment, customer service, underwriting, lending, or any other consequential decision-making context and has not had its practices reviewed in light of current law, contact George Bellas for a consultation.

Call 800.825.9260 or visit businessattorneychicago.com. The regulatory landscape is moving fast. The businesses that act now will not be the ones scrambling later.
