Does the Colorado AI Act regulate advertising and ad targeting?

The Colorado AI Act does not regulate advertising or ad targeting as such — advertising is not listed among the consequential decisions that trigger the law — but it can still reach marketing organizations through the AI they deploy in adjacent functions, so the accurate answer is that it applies based on what an AI system decides, not on whether the activity is called marketing. The Act regulates high-risk AI systems, defined around their role in making or being a substantial factor in a consequential decision, and it defines consequential decisions as those with a material legal or similarly significant effect on a consumer's access to, or the cost or terms of, specified life areas: education, employment, financial or lending services, essential government services, healthcare, housing, insurance, and legal services. Ad targeting and ad delivery are not on that list, so a campaign that simply decides which audience sees which creative is not, by that fact alone, making a consequential decision under the Act. This is why a marketing team should not assume the law governs its targeting the way a privacy law like a state comprehensive privacy act governs targeted advertising opt-outs. However, two things complicate the simple conclusion that marketing is exempt. First, marketing organizations increasingly operate AI in functions that are consequential decisions even though they sit near or within marketing — for example, AI that qualifies leads for a lending or insurance product, that determines eligibility or pricing for an offer, or that screens applicants for employment or housing. When AI is a substantial factor in those decisions, the deployer obligations apply regardless of the marketing context. Second, the law is a directional signal: as the first comprehensive US state AI law, it indicates where regulation of algorithmic decision-making is heading, and that trajectory increasingly intersects with profiling and automated personalization. So the disciplined reading for marketers is neither 'this is an ad-targeting law' nor 'this does not apply to us,' but rather 'we must map where our AI makes consequential decisions and govern those uses.' For the EU framework that does reach ad creative through transparency obligations, see the EU AI Act Article 50 guide , and to audit AI-driven decisioning use the AI Compliance Audit . The organizing principle is that the Act governs consequential decisions, not advertising per se, so marketers are in scope precisely where their AI crosses into consequential-decision territory.

When does the Colorado AI Act take effect, and why was it delayed?

The Colorado AI Act is set to take effect on June 30, 2026, after being postponed from its original effective date of February 1, 2026, and the delay reflects the law's contested politics rather than a change in its substance. The legislative timeline is specific. Governor Jared Polis signed Senate Bill 24-205 into law on May 17, 2024, making Colorado the first US state to enact a comprehensive AI statute. The law was structured so that its substantive obligations would take effect on and after February 1, 2026, giving organizations a lead time to prepare. As that date approached, however, there was significant debate about amending the law, driven by concerns from the governor and businesses about the cost and complexity of compliance for companies and for state and local governments. A special legislative session was convened to work through possible amendments, but lawmakers were unable to reach a compromise. The result was Senate Bill 25B-004, which Governor Polis signed on August 28, 2025, postponing implementation of the Colorado AI Act from February 1, 2026 to June 30, 2026. As of mid-2026, the effective date stands at June 30, 2026. The important caveat for compliance planning is that the law has remained politically contested through its run-up to effect, with ongoing discussion of amendments and broader debate about state AI regulation, so organizations should confirm the current status and any late changes against official Colorado sources rather than relying on a single point-in-time summary. The practical consequence of the delay is that organizations gained additional preparation time but should not have treated the postponement as a reprieve from the obligations themselves — the substance of the law, centered on high-risk AI and algorithmic discrimination, was not gutted by the delay, and the revised date is now close. Organizations with potential exposure should use the remaining window to inventory AI systems, identify consequential-decision uses, and build governance, rather than waiting for enforcement to clarify scope. Track the law's status and any amendments on the Policy Change Tracker , and ground the broader US picture with the United States advertising compliance guide . The organizing principle is that the effective date is June 30, 2026 following a postponement driven by amendment debate, and the status should be reconfirmed against official sources because the law has stayed contested.

What is a 'high-risk AI system' and a 'consequential decision' under the Act?

Under the Colorado AI Act, a high-risk AI system and a consequential decision are the two linked concepts that determine whether an AI use is regulated, and understanding them is essential because the law's obligations attach only when an AI system operates in the consequential-decision space. A consequential decision is defined as a decision that has a material legal or similarly significant effect on the provision or denial to a consumer of, or the cost or terms of, certain enumerated life areas. Those areas under the Act include education enrollment or an education opportunity, employment or an employment opportunity, a financial or lending service, an essential government service, healthcare services, housing, insurance, and a legal service. The common thread is that these are decisions that materially shape a person's access to important opportunities and resources, which is why the law treats AI involvement in them as high-stakes. A high-risk AI system is, broadly, an AI system that when deployed makes, or is a substantial factor in making, a consequential decision. The phrase 'substantial factor' is important because it means the AI does not have to be the sole decision-maker for the law to apply; if the AI meaningfully contributes to or drives a consequential decision, the system can be high-risk even where a human is nominally in the loop. The Act also contemplates certain exclusions and carve-outs for specific technologies and uses that do not present the same risk, which is part of why scope analysis requires care rather than assumption. For an organization, the analysis runs in two steps: first, identify whether a given use produces or feeds a consequential decision in one of the enumerated areas; second, assess whether the AI is a substantial factor in that decision. If both are true, the system is likely high-risk and the developer and deployer obligations come into play. If the AI is used for something outside the enumerated areas — general analytics, content generation, or audience targeting that does not itself determine access to a consequential resource — it is likely outside the high-risk definition, though the broader direction of AI regulation still merits attention. To work through where an organization's AI may fall in scope, use the Legal Compliance Scan , and define terms precisely with the compliance glossary . The organizing principle is that the law regulates AI that is a substantial factor in consequential decisions across enumerated life areas, so scope turns on the decision the AI affects, not the technology in the abstract.

What must deployers of high-risk AI actually do to comply?

Deployers of high-risk AI systems under the Colorado AI Act must build a governance program around the system rather than simply using it, and the core duties center on managing risk, assessing impact, monitoring for discrimination, and giving consumers transparency and recourse — obligations designed to operationalize the law's goal of preventing algorithmic discrimination. A deployer is an entity that uses a high-risk AI system, as distinct from a developer that builds or substantially modifies one, and most organizations adopting third-party AI tools will be deployers. The first duty is to implement a risk-management policy and program governing the high-risk system; this is the organizational backbone, establishing how the entity identifies, documents and mitigates the risks the system poses. The second duty is to complete impact assessments for the deployment, evaluating the system's purpose, the data it uses, the risk of algorithmic discrimination, and the safeguards in place — a structured analysis rather than an informal review. The third duty is ongoing review: the deployer must review the deployment, at a regular cadence, to ensure the system is not causing algorithmic discrimination, recognizing that a system can drift or produce discriminatory outcomes over time even if it appeared sound at launch. The fourth duty is consumer notification: when a high-risk system is a substantial factor in making a consequential decision about a consumer, the deployer must notify that consumer, bringing transparency to automated decision-making that affects them. The fifth duty is correction and appeal: the deployer must provide consumers an opportunity to correct inaccurate personal data that the system processed and, where a consequential decision is adverse, an opportunity to appeal it, ideally with human review. Together these duties convert the abstract goal of non-discrimination into concrete processes: document the risk, assess the impact, monitor for discriminatory effect, tell affected consumers, and give them a way to fix data and challenge outcomes. Enforcement authority for the Act rests with the Colorado Attorney General. For an organization preparing to comply, the practical sequence is to determine which systems are high-risk, assign developer or deployer responsibility, and then stand up the program, assessments, monitoring and consumer-facing mechanics before the effective date. To audit AI decisioning and the data flowing through it, use the AI Compliance Audit , and track obligations on the Policy Change Tracker . The organizing principle is that deployers must govern, not just use, high-risk AI: risk program, impact assessment, discrimination monitoring, consumer notice, and correction and appeal.

How should a marketing organization prepare for the Colorado AI Act before the effective date?

A marketing organization should prepare for the Colorado AI Act by mapping where AI sits in its decisioning, isolating any consequential-decision uses, and building governance for those uses — a preparation program that takes the law seriously where it actually bites rather than either ignoring it or over-applying it to ordinary advertising. The first step is to inventory AI across the organization and its vendors, because exposure depends on use, not on department names. Marketing-adjacent functions increasingly run AI: lead qualification that feeds lending or insurance decisions, eligibility or pricing engines for financial or insurance offers, screening tools that influence employment or housing opportunities, and automated systems that determine who can access a consequential product. The inventory should capture these uses specifically, not just obvious 'AI products.' The second step is to flag consequential-decision uses: for each AI system, ask whether it makes, or is a substantial factor in making, a decision affecting a consumer's access to or the cost or terms of education, employment, financial or lending services, government services, healthcare, housing, insurance, or legal services. Systems that touch those areas are the ones likely to be high-risk; systems used purely for content generation, analytics, or audience targeting that does not gate access to a consequential resource are likely outside the high-risk definition, though they still merit documentation given the direction of regulation. The third step is to stand up governance for in-scope systems: a risk-management program, completed impact assessments, and a regular review cadence to monitor for algorithmic discrimination. The fourth step is to build the consumer-facing mechanics the law requires — notification when a high-risk system is a substantial factor in a consequential decision, and processes for consumers to correct inaccurate data and appeal adverse decisions. The fifth step is to confirm current status: because the law has been contested and amended in its run-up to the June 30, 2026 effective date, verify its standing and any late changes against official Colorado sources before finalizing the program. Finally, organizations operating in both Colorado and the EU should align this work with the EU AI Act, since the Colorado law is modeled in part on it and a single governance framework can address both. To stress-test multi-jurisdiction exposure use the Legal Compliance Scan , to audit AI decisioning use the AI Compliance Audit , and to monitor developments use the Policy Change Tracker . The organizing principle is to govern AI where it makes consequential decisions: inventory, flag consequential uses, build the program and consumer mechanics, and confirm the law's current status before the deadline.

Colorado AI Act 2026: High-Risk AI Rules for Marketers

Quick Answer

The Colorado AI Act, originally Senate Bill 24-205, is the first comprehensive US state law regulating artificial intelligence, and it is set to take effect on June 30, 2026 after being postponed from its original February 1, 2026 date. Signed into law on May 17, 2024 and modeled in part on the EU AI Act, it regulates 'high-risk' AI systems — those that make, or are a substantial factor in making, a 'consequential decision' affecting a consumer's access to or the cost or terms of things like education, employment, financial or lending services, essential government services, healthcare, housing, insurance, and legal services. It imposes duties on both developers and deployers of high-risk AI systems, centered on preventing 'algorithmic discrimination.' Deployer obligations include implementing a risk-management policy and program, completing impact assessments, reviewing deployments for algorithmic discrimination, notifying consumers when a high-risk system is a substantial factor in a consequential decision about them, and giving consumers the chance to correct data and appeal adverse decisions. The crucial point for marketers is that the Act does not regulate advertising as such — ad targeting is not itself a listed consequential decision — but marketing organizations increasingly deploy AI in adjacent functions (lending, insurance, housing and employment offers, eligibility and pricing) that can be consequential decisions, and the law signals the direction of US AI regulation that will increasingly touch algorithmic profiling. The law's final form has been politically contested, so its status should be confirmed against current sources. Audit AI-driven decisioning with the AI Compliance Audit, stress-test multi-jurisdiction exposure with the Legal Compliance Scan, and track changes on the Policy Change Tracker.

Colorado AI Act (SB 24-205) in 2026: High-Risk AI, Algorithmic Discrimination and What It Means for Marketers

What the Colorado AI Act Is

The Colorado AI Act, originally Senate Bill 24-205, is the first comprehensive state-level artificial-intelligence law in the United States. Modeled in part on the European Union's AI Act, it regulates the use of "high-risk" AI systems with the central goal of preventing "algorithmic discrimination" against consumers, and it imposes obligations on both the developers who build these systems and the deployers who use them.

It is a consumer-protection and anti-discrimination statute rather than an advertising law, which is exactly why marketers need to understand it carefully: its reach depends on what an AI system is used to decide, not on whether the organization calls itself a marketer. Where an AI system makes, or is a substantial factor in making, a consequential decision about a consumer, the Act's duties apply.

"The Colorado AI Act does not regulate ad targeting as such. It regulates AI that drives consequential decisions — and marketing organizations increasingly operate exactly that kind of AI in lending, insurance, housing and employment functions.
— AuditSocials analysis of the Colorado AI Act"

This guide covers the law's timeline, its definitions of high-risk AI and consequential decisions, the developer and deployer obligations, and a realistic reading of what it means for marketers. Ground the US regulatory picture with the United States advertising compliance guide, and define terms in the compliance glossary.

Signed in 2024, Delayed to June 2026

The law's path to effect has been unusually contested, and the dates matter for compliance planning.

Key Dates

Date	Event
May 17, 2024	Governor Polis signs SB 24-205 into law
February 1, 2026	Original effective date for the substantive requirements
August 28, 2025	SB 25B-004 signed, postponing implementation
June 30, 2026	Revised effective date for the substantive requirements

The postponement followed a special legislative session in which lawmakers could not agree on amendments, against a backdrop of concern about compliance cost for businesses and government. As of mid-2026 the effective date stands at June 30, 2026, but because the law has been the subject of continued amendment debate and political contention, its precise final form and status should be confirmed against current official sources before locking compliance decisions. Track movement on the Policy Change Tracker.

High-Risk AI and Consequential Decisions

The Act's scope turns on two linked definitions: a "high-risk" AI system and a "consequential decision." Together they decide whether an AI use is regulated.

The Definitions That Trigger the Law

A high-risk AI system is, broadly, one that makes or is a substantial factor in making a consequential decision. A consequential decision is one that has a material legal or similarly significant effect on a consumer's access to, or the cost or terms of, key life areas. Under the Act these areas include:

Education enrollment or opportunity
Employment or an employment opportunity
Financial or lending services
Essential government services
Healthcare services
Housing
Insurance
Legal services

Notably, advertising and marketing are not themselves listed as consequential decisions. That single fact shapes how the law touches marketers, as the dedicated section below explains. Stress-test where AI decisioning may fall in scope with the Legal Compliance Scan.

Developer and Deployer Obligations

The Act splits duties between developers (those who build or substantially modify high-risk AI systems) and deployers (those who use them), with the deployer obligations most relevant to organizations that adopt AI tools rather than build them.

Core Deployer Duties

Risk-management program: Implement a risk-management policy and program governing the high-risk system.
Impact assessments: Complete impact assessments for the deployment of the high-risk system.
Ongoing review: Review deployments to ensure the system is not causing algorithmic discrimination.
Consumer notification: Notify consumers when a high-risk system is a substantial factor in making a consequential decision about them.
Correction and appeal: Provide consumers an opportunity to correct inaccurate personal data and to appeal adverse consequential decisions.

The unifying purpose is preventing algorithmic discrimination — unlawful differential treatment or impact based on protected characteristics arising from an AI system. Enforcement authority sits with the Colorado Attorney General. Audit AI-driven decisioning and data flows with the AI Compliance Audit.

What It Actually Means for Marketers

Because the Act does not list advertising as a consequential decision, it is tempting for marketing teams to conclude it does not apply to them. That conclusion is too quick. The honest reading is more nuanced.

Three Ways It Reaches Marketing Organizations

Adjacent consequential functions: Marketing organizations increasingly deploy AI in functions that are consequential decisions — qualifying leads for lending or insurance, determining eligibility or pricing, screening for employment or housing offers. Where AI is a substantial factor in those decisions, the deployer duties attach regardless of the marketing label.
Directional signal: As the first comprehensive US state AI law, the Act sets the template that other states and frameworks are watching. The trajectory of US AI regulation increasingly points toward governance of algorithmic profiling and automated decision-making, which over time intersects with ad targeting and personalization.
Alignment with the EU model: Because the Act is modeled in part on the EU AI Act — which does reach advertising through transparency obligations for AI-generated content — organizations building governance for one are building toward the other.

The defensible posture is not to assume exemption but to map where AI sits in the organization's decisioning, identify any consequential-decision uses, and build governance accordingly. For the EU counterpart that does touch ad creative, see the EU AI Act Article 50 guide.

How to Prepare Before June 30

With the effective date set for June 30, 2026, organizations with potential exposure should treat the remaining window as preparation time rather than waiting for enforcement to clarify scope.

Preparation Steps

Inventory AI systems: Catalogue where AI is used across the organization, including marketing-adjacent functions.
Flag consequential-decision uses: Identify any AI that makes or substantially factors into education, employment, lending, insurance, housing, healthcare, government-service or legal decisions.
Stand up governance: For in-scope systems, build the risk-management program, impact assessments and review cadence.
Prepare consumer-facing mechanics: Notification, data correction and appeal processes for consequential decisions.
Confirm current status: Because the law has been contested, verify its standing and any amendments against official sources before finalizing.

Stress-test multi-jurisdiction exposure with the Legal Compliance Scan, and keep watch on developments through the Policy Change Tracker.

Colorado AI Act Readiness Checklist

[ ] AI systems across the organization inventoried, including marketing-adjacent uses
[ ] Consequential-decision uses (lending, insurance, housing, employment, etc.) identified
[ ] Developer vs deployer role determined for each in-scope system
[ ] Risk-management policy and program implemented for high-risk systems
[ ] Impact assessments completed for in-scope deployments
[ ] Ongoing review for algorithmic discrimination established
[ ] Consumer notification mechanism for consequential decisions in place
[ ] Data-correction and appeal processes available to consumers
[ ] Current status and any amendments confirmed against official sources
[ ] Governance aligned with the EU AI Act where the organization operates in both

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#Colorado AI Act#Artificial Intelligence#Algorithmic Discrimination#Regulation#High-Risk AI#Ad Targeting#Profiling#Advertisers#2026 Policy#United States#Data Protection#Compliance Guide 2026

Share This Report

Tweet Share

EU AI Act Article 50 Transparency Code of Practice June 2026: What AI Ad Creative Must Disclose Before August 2

The European Commission published its Transparency Code of Practice for AI-generated content on June 10, 2026 — weeks before EU AI Act Article 50 obligations apply on August 2. Here is what advertisers using AI ad creative must label, mark, and document.

Deepfake Political Ads 2026 — Platform-by-Platform Detection, Disclosure & Advertiser Liability

Deepfake political ads 2026: where seven platform policies diverge, when FCC and FEC rules apply, and how advertiser liability shifts when synthetic likenesses appear in paid placements.

AI Avatars in Your Ads: The June 9 New York Law That Could Pull Your Creative Overnight

On June 9 every visual or audiovisual ad distributed to New York audiences that uses an AI-generated human likeness must conspicuously disclose it. The 3-week creative audit brands need now.

Colorado AI Act (SB 24-205) in 2026: High-Risk AI, Algorithmic Discrimination and What It Means for Marketers