State AI Laws in 2026: Colorado, California, and New York

The federal AI regulatory landscape in the United States — as of 2026 — consists of executive orders, agency guidance, and the scattered application of existing statutes like the FTC Act and anti-discrimination laws. No comprehensive federal AI law has passed. The legislative activity has instead happened at the state level, where at least eighteen states introduced AI bills in 2024 and four enacted binding obligations that are now in effect or will be in effect within the year.

Three states matter most for developers and deployers building AI products that touch consumers: Colorado, California, and New York (specifically New York City). Their requirements overlap in some places and conflict in others.

Colorado SB 24-205: The high-risk AI developer obligation

Colorado’s SB 24-205, signed in May 2024 and effective February 1, 2026, is the most direct attempt by any U.S. state to impose EU-AI-Act-style obligations on AI developers and deployers. The full text ↗ is worth reading because it is unusual in defining who is responsible for what across the AI supply chain.

What it covers

The law applies to high-risk AI systems — defined as systems that make, or are a substantial factor in making, “consequential decisions” about Colorado residents. Consequential decisions include decisions about education enrollment or completion, employment and employment opportunities, financial services (loans, insurance, credit), essential government services, healthcare, and housing.

The law creates two distinct categories of obligation:

Developer obligations. Entities that develop high-risk AI systems must:

• Make available to deployers the intended uses, known limitations, and documentation needed to conduct a bias impact assessment
• Perform bias impact assessments covering reasonably foreseeable uses
• Disclose known risks of algorithmic discrimination

Deployer obligations. Entities that deploy a high-risk AI system must:

• Implement a risk management policy using a risk management framework (the NIST AI RMF is explicitly named as an acceptable framework)
• Perform impact assessments before deployment and annually thereafter
• Notify consumers when a consequential decision is made using a high-risk AI system
• Provide consumers a meaningful opportunity to appeal or contest an adverse consequential decision
• Disclose to consumers that the system is AI-based when they interact with it

The appeal right is the sharp edge

The consumer notice and appeal provisions are operationally demanding. An adverse consequential decision — rejection for a loan, denial of employment, adverse health-plan determination — must be accompanied by a notice explaining that AI was a substantial factor, what the decision was, and how the consumer can request a human review.

Critically, the law requires a mechanism for contesting the decision that does not require the consumer to prove the AI was wrong in any technical sense. The appeal right is procedural: the consumer is entitled to request human review, and the deployer must provide it. Automating the appeal response — routing the contest back through the same AI system — would not satisfy this provision.

What it is not

Colorado SB 24-205 is not a ban on AI in high-risk decision-making. It is an accountability requirement: use the AI, but track what you’re doing, assess for bias, tell the consumer, and give them recourse. The obligations are procedural and documentation-heavy rather than substantive.

The penalty provision is also weaker than EU AI Act penalties: the Attorney General can bring a civil action for violations, but there is no per-violation civil penalty floor comparable to the €35M threshold in the EU Act. Enforcement is complaint-driven and AG-discretionary.

California: The transparency approach

California did not pass comprehensive AI legislation comparable to Colorado SB 24-205. The state’s headline bill, SB 1047 (which would have imposed safety obligations on developers of large foundation models), was vetoed by Governor Newsom in September 2024.

What California did enact includes AB 2013, the AI Training Data Transparency Act, signed in September 2024 and effective January 1, 2026. The statute ↗ requires AI developers who make a GenAI system available to California consumers to publish documentation about the data used to train the system, including:

• A high-level summary of the datasets used, including the sources and types of data
• Whether personal information was included, and if so, the general categories
• Whether any data was collected from sources known to include copyrighted material, personal information, or data subject to specific legal restrictions
• The date ranges of the training data

The documentation must be posted on the developer’s website. The disclosure obligation applies to systems “available to Californians” — which in practice means any consumer-facing AI system, given California’s population. There is no carve-out for systems not specifically marketed to California.

What AB 2013 does not require

The training data transparency obligation does not require disclosure of the full dataset, specific data sources by name, or details that would compromise proprietary data pipelines. It is a high-level summary requirement — the kind of disclosure that lets a sophisticated regulator or researcher ask follow-up questions, not the level of detail needed to independently audit training data composition.

The statute’s enforcement mechanism is also disclosure-based: if a developer fails to publish the documentation, the AG or any person can seek injunctive relief. There is no damages provision tied to the disclosure failure itself.

New York City Local Law 144: The employment testing mandate

NYC Local Law 144, enacted in 2021 and effective July 2023, targets a specific use case: automated employment decision tools (AEDTs) used in hiring and promotion decisions affecting New York City residents. The law’s text ↗ and implementing rules from the NYC Department of Consumer and Worker Protection (DCWP) are the primary source, but the operational details are in the DCWP rules.

What it requires

Any employer or employment agency using an AEDT to screen candidates or employees for positions in New York City must:

1. Conduct an annual bias audit of the AEDT before using it and annually thereafter. The audit must be conducted by an independent third-party auditor.
2. Publish a summary of the audit results on the employer’s website, including: the date of the most recent audit, the categories of data the tool uses, the distribution of scores (if the tool generates scores), and demographic breakdown of selection rates.
3. Notify candidates and employees that an AEDT is being used as part of the hiring process, at least ten business days before the tool is used.
4. Provide accommodation to any candidate who requests an alternative selection process not relying on the AEDT.

The bias audit standard requires analysis of selection rate differences between demographic groups. The DCWP implementing rules define the analysis as requiring calculation of selection rates by sex, race/ethnicity, and intersectional categories.

The divergence problem for multi-state deployers

An employer using the same AI hiring tool in Colorado and New York City faces non-trivially different obligations. Colorado requires a consequential-decision impact assessment (broader, internal, covering all Colorado residents) and an appeal right (procedural, human review). New York City requires an external third-party bias audit (narrower technically, but independently validated) and pre-use candidate notice.

These are not contradictory — a deployer can comply with both — but the processes are different and the documentation requirements diverge. The Colorado assessment is internally produced against a risk management framework. The NYC audit must be independently conducted against specific demographic selection-rate analysis requirements.

This divergence is the clearest argument for a federal floor: not because either state law is wrong, but because compliance costs for employers operating across states are substantially higher when the standards differ in process even when they share the same underlying goal.

What the patchwork tells us

Three observations from the emerging state landscape:

Disclosure and impact assessment are the chosen tools. The most durable provisions across state AI laws are documentation requirements (train data, bias audits, impact assessments) and notice requirements (consumers and applicants told when AI is used). Outright prohibitions on AI in specific domains have been harder to pass; procedural accountability has been more politically viable.

The supply chain question is unresolved. Colorado’s developer/deployer distinction is the most explicit attempt to allocate responsibility across the AI supply chain. But it does not resolve the harder question: what happens when a high-risk AI system is built on a foundation model whose documentation does not meet the developer disclosure obligations? The foundation model provider is a developer; the enterprise customer is a deployer; the AEDT-as-fine-tuned-model occupies an unclear position. No state law has squarely addressed this.

Enforcement is AG-discretionary, not automatic. None of these laws trigger automatic enforcement on violation. They require the AG to bring a civil action, or (in the NYC case) the city enforcement agency. Whether these laws have teeth depends heavily on whether the relevant enforcement office dedicates staff to AI cases — which, in most states, has not yet happened at meaningful scale.

Sources

• Colorado SB 24-205 (full bill text, Colorado General Assembly) ↗ — the primary statute; Article 34, Title 6 of Colorado Revised Statutes.
• California AB 2013: AI Training Data Transparency Act ↗ — primary text; the training data disclosure requirements are in Section 22756 of the Business and Professions Code.
• NYC Local Law 144 (2021) ↗ — AEDT requirements; the DCWP implementing rules issued in April 2023 define the audit methodology requirements in detail.
• NCSL: Artificial Intelligence 2024 Legislation (National Conference of State Legislatures) ↗ — overview of state legislative activity; useful for tracking which states have passed or are considering AI bills.
• Future of Privacy Forum: State AI Legislation Tracker ↗ — FPF’s running tracker of enacted and pending state AI legislation, updated regularly.