Colorado and Connecticut AI Laws: Preparing to Comply

Colorado’s and Connecticut’s new AI laws have added to the patchwork of decision-making tool regulations across the U.S. Covered companies need to prepare now to adjust their compliance programs and procedures to address the laws’ requirements, which impact developers and deployers of automated decision-making technology (ADMT) and AI decision-making tools, operators of AI companions, frontier developers, and producers of synthetic content.

This article, with insights from Ballard Spahr, DLA Piper, Fisher Phillips, Holland & Knight and the senator who sponsored the Connecticut law, provides compliance tips for companies seeking to prepare for the new laws and examines what anticipated enforcement may look like. Part one distilled and analyzed the laws’ key provisions.

See “Updating Compliance Programs to Address the CPPA’s Regulations on ADMT and Risk Assessments” (Sep. 17, 2025).

Seven Compliance Steps to Take Now

1) Determine What Is Covered

In preparing for compliance with both the CO ADMT Law and the CT AI Act, the first step is to determine what tools will be covered.

CO ADMT Law

The CO ADMT Law no longer requires a company to analyze how technology is classified, but rather whether it is used to make a significant decision, Daniel Pepper, a partner at Fisher Phillips, pointed out. The focus of the law is on identifying all the ways that the company transacts with the consumer and the extent to which ADMT touches any decision-making process, he told the Cybersecurity Law Report. Companies will have lighter obligations per system than with the prior law, but broader obligations because more systems are in scope, he predicted.

To comply with the CO ADMT Law, “step one is getting through the company’s roadmap of where its covered ADMT is,” according to Gregory Szewczyk, a partner at Ballard Spahr. Developers must ask whether they make a covered technology, and deployers must assess whether they use one, he said. To figure out what compliance bucket they will be in, deployers should also ask whether they are modifying any third-party tools in a way that puts them at risk of becoming a developer, he advised. Although there may be additional rulemaking, companies should begin to create maps of covered systems, he added.

Pepper agreed that, as a first step, deployers should inventory all their technologies and products, noting that “it’s hard to really put together a governance framework until you know what’s in your house.” In addition to identifying what ADMT they use, deployers should indicate the tool’s intended uses, known harmful uses and limitations, training data categories, and when humans need to get involved in the decision process, he recommended.

Examples of tools covered by the CO ADMT Law include resume rankers, credit or underwriting scoring used in lending decisions, tenant scoring engines, and algorithmic tools driving discipline or compensation, Pepper explained. “Insurance coverage determinations, eligibility, underwriting and claims also are covered. A tool that only recommends products for a consumer to consider may fall under the advertising and marketing exclusion,” he noted, adding that “fraud detection and anti-fraud scoring are generally excluded, and credit decisions by creditors complying with the Equal Credit Opportunity Act, Regulation B and the Fair Credit Reporting Act are exempt to that extent.”

See “How to Address the Colorado AI Act’s ‘Complex Compliance Regime’” (Jun. 5, 2024).

CT AI Act

As with the CO ADMT Law, the first step in complying with the related portions of the CT AI Act is to determine whether the company uses any covered technology or any exceptions apply, DLA Piper of counsel Michael Atleson told the Cybersecurity Law Report.

The most difficult part of complying with the new CT AI Act will be determining what processes are covered, opined Rachel Marmor, a partner at Holland & Knight. The statute might be overly broad and arguably cover binary decisions such as determining whether a person lives within 100 miles of an office, she told the Cybersecurity Law Report. A lot of companies will probably take some risk there, but the risk of enforcement is likely “pretty low,” she posited. Nonetheless, she advised, companies should “err on the side of caution” if they use AI in a nonbinary manner in the employment context.

The use of AI to evaluate applications or to conduct skill-based assessments will clearly be covered, Marmor noted. For example, qualitative reviews of resumes and recommending or rejecting applicants for interviews based on AI scoring “is very clearly going to be in scope,” she stated.

2) Prepare to Give Notice

Covered companies should begin to prepare their forms of notice to comply with the new laws.

“The pre-decision notice is a disclosure that ADMT is in use, plus instructions for obtaining more information. It can be satisfied with a prominent, publicly accessible notice,” delivered before or at the point at which the automated process begins to evaluate the person, Pepper said. “It is not a customer contract amendment, as it reaches employees and applicants who have no such contract,” he stated.

“The pre-decision notice works best when tailored to the context of the interaction,” Marmor explained. The form will depend on the person and the nature of the decision. “Practically, companies can fold the opt-out into that same workflow – a plain-language statement that AI will be used to make or substantially inform the decision,” she said.

The CT AI Act requires companies to notify employees or applicants when AI is used to make, or is a substantial factor in, an employment‑related decision, explain the purpose and nature of the decision, and inform them of their right to opt out. The degree of human involvement in a significant decision will inform whether notice is required under the law, Marmor explained. The law’s lack of clarity about the quantum of human review necessary to take a decision outside of the scope of the law will necessitate weighing compliance risks, she declared. An employer may choose to provide disclosures to avoid regulatory risk arising from uncertainty over whether a human is involved enough to render AI not a “substantial factor” in the decision, she posited.

For adverse decision notices, “the most practical approach is to use template notices organized by decision type so that the explanation maps to the factors the model actually used,” Marmor recommended. Correction requests can be funneled to existing data subject rights or dispute resolution processes, she added. “Companies should also close the loop: when data is corrected, the decision should be reevaluated, and the company should keep records showing that the correction was received, acted upon and reflected in any reconsideration,” she suggested.

3) Plan to Conduct Post-Decision Human Review

Developers are required by the CO ADMT Law, but not by the CT AI Act, to provide an opportunity for “meaningful human review” after an adverse consequential decision.

In other contexts, laws have provided that meaningful human review requires the person reviewing a decision to have both an understanding of the technology and “the ability to actually change something,” Szewczyk noted. The reviewer cannot be someone who just rubber stamps a decision, he commented. In high-volume contexts, companies may struggle to find enough qualified people with proper expertise and knowledge of the technology to task with authority to review and overturn the decision, he said.

4) Modify Developer-Deployer Agreements

Developers and deployers need to review their agreements with each other to align with the new statutes.

With respect to both the Connecticut and Colorado laws, developers should specify in contracts with deployers or employers what their ADMT tool does and the permitted use cases, Pepper recommended. Failing to exclude a particular use “potentially provides a permissive use,” while having such a provision can protect a developer if the deployer uses the technology off-label, he stated.

In turn, a deployer should ensure that the agreement requires the developer to provide the information necessary for the deployer to comply with its statutory notice obligations to consumers, with respect to the Colorado law, and to employees and job applicants, with respect to the Connecticut law, Pepper advised. A deployer or employer should “ensure enough transparency from the developer about how the sausage is made,” he stated. The agreement should specify the tool’s purpose, categories and sources of training data that were used, known risks and limitations of the technology, and instructions for appropriate use and human review, he elaborated. It also should address advance notice of updates to the decision-making tool so the deployer or employer can revise its consumer notices accordingly, he said.

In addition, the CO ADMT Law voids any indemnification provision “that tries to shield a party from liability for its own discriminatory acts,” Pepper noted. “Other indemnification and risk allocation stays enforceable, so contracts should be reviewed to remove self-exculpatory indemnity for discrimination, not rewritten wholesale,” he recommended.

Notwithstanding the statutory provisions regarding liability, there will still be fights over indemnity and liability limits, Szewczyk predicted. “Whenever there are statutes that prohibit certain types of contracts between private parties, you always see interesting attempts to work around that. And I would fully expect to see that happen in this context,” he said. Also, a use that may not trigger liability under Colorado law may still trigger liability under the law of a different jurisdiction, such as the EU AI Act or the CCPA, he noted.

Deployers will always seek to shift liability onto the developer, “especially for issues that relate to underlying coding and development of the model itself,” Szewczyk continued, noting that he often sees negotiation on that point “in these contracts.”

See “Contracting With Vendors to Mitigate Third-Party AI Risk” (Feb. 18, 2026).

5) Ensure Compliance With Anti-Discrimination Laws

Companies need to ensure that their use of AI in employment decisions does not run afoul of Colorado or Connecticut anti-discrimination law.

“I think companies have to take into account the fact that discrimination as it looks through a tool is probably going to look different than it does when it occurs in a human process, and they will have to develop new audit or assessment processes to evaluate whether it is occurring,” Marmor suggested.

The CT AI Act contains specific provisions that amend Connecticut’s anti-discrimination laws to prohibit the use of an automated employment decision process in a discriminatory manner. Although not specifically required by the CT AI Act, it would be beneficial for companies to engage in anti-bias testing to ensure compliance with those provisions, Connecticut State Senator James Maroney recommended.

6) Put a Record Retention Process in Place

In preparation for compliance with the CO ADMT Law, covered companies should stand up a record retention process, Pepper said.

According to Pepper, developers should retain documentation of information provided to deployers, including:

  • intended uses;
  • training data categories;
  • known limitations or harmful or inappropriate uses;
  • risks and monitoring instructions;
  • instructions for appropriate use and human review;
  • information the deployer needs to meet its own obligations; and
  • version control evidence (e.g., system version identifiers, changelogs and documentation of material updates sent to deployers).

In turn, deployers should “retain decision-level and consumer-facing records,” Pepper added, including:

  • the pre-decision notice;
  • the post-adverse outcome disclosure (e.g., plain language description of the decision, the role of the ADMT, instructions to request more information and explanation of consumer rights);
  • data correction requests;
  • human review requests;
  • vendor documentation; and
  • the identity of the ADMT that made the decision.

Under the CO ADMT Law, developers must retain information for three years from the creation of each record, and deployers, from the date of the consequential decision. Since the deployer’s obligation is tied to the consequential decision, “the retention policy, logging, and audit trail all have to support a three-year lookback keyed to individual decisions and to the specific tool in use at that time,” Pepper stated. In turn, he said, “version cataloguing matters because liability turns on intended use: the version identifiers and changelogs are how a developer later shows an output came from a version used within documented parameters, and how a deployer shows it relied on current vendor documentation.”

The AG is expected to issue rules on disclosure content and on the definition of “materially influence” before the law takes effect on January 1, 2027, so these decision and disclosure records should be designed to take into account additional required fields once that rulemaking is final, Pepper advised.

7) Build Guardrails to Avoid Harm to Children

For providers, compliance with the CT AI Act will largely come down to design, Atleson said. They will have to build in guardrails so the technology avoids reasonably foreseeable harmful interactions with children, he noted.

The “number one” compliance step operators should take – if they do not intend their product to be used by children – is to “figure out how to get most children off their platform,” Marmor stressed. The app store age verification laws can offer an additional layer of support for that if they end up going into effect, she noted.

An operator running a platform highly attractive to children might find it sensible to implement a gating method, Marmor suggested. For individual use, the platform could ask users their age at sign-up, require them to present a driver’s license and take a selfie, or require parental consent, she offered. Companies might lose some customers, but it is a trade-off that they may be willing to make, she surmised.

Operators also should conduct risk assessments and implement protocols to identify reasonably foreseeable harms, especially known harms such as encouraging self-harm or suicide, Marmor recommended. The more difficult problem is spotting unknown risks, she noted. That difficulty does not, however, relieve companies of the obligation of trying to address them, she said.

See our three-part series “Children’s Privacy Grows Up”: Examining New Laws That Now Protect Older Teens (Jan. 15, 2025), FTC Amends COPPA Rule and Targets Data Sharing (Jan. 29, 2025), and Seven Compliance Areas for Protecting Teens (Feb. 12, 2025).

Enforcement Outlook

Factor Mandatory Rulemaking Into Compliance Planning in Colorado

Since the current AG will not be in office when the CO ADMT Law goes into effect on January 1, 2027, it is difficult to predict what the AG’s enforcement priorities will be, Szewczyk said. The backgrounds of the current crop of AG candidates suggest that they might have different priorities and different levels of enforcement activity, so we will have to “see how the election goes,” he stated.

Regardless, companies seeking to comply with the CO ADMT Law should factor into their compliance considerations the rulemaking required of the AG. In doing so, companies should differentiate between those aspects of the CO ADMT Law that will be the subject of mandatory rulemaking and those that will not, potentially holding off from implementing certain compliance measures where guidance is still pending, but going forward where the obligations are already clear, Szewczyk suggested. Companies will also need to closely monitor rulemaking around correcting materially inaccurate information and enabling meaningful human review, as notice context and how consumers exercise rights are key. Ultimately, the level of detail in the rules will shape compliance frameworks, he said.

It remains to be seen how rulemaking may impact compliance costs, Szewczyk commented. The rules are expected to be industry-specific, and what they say could “really drive” how consumer rights will be exercised, he said. “It’s possible that the rules will provide some clarity on what needs to be done in a way that won’t drive the cost so high,” he posited.

In many ways, the new CO ADMT Law benefits businesses, as compared to the prior CO AI law, because some of the upfront costs of a compliance regime were “scaled back,” Szewczyk continued. The closing of back doors for a private right of action under the old law is “definitely beneficial for business,” he elaborated.

Expect Focus on AI Companions in Connecticut

Enforcement of the CT AI Act is most likely to focus on the children’s protections in the AI companion provision. The Connecticut AG has taken a strong stance on protecting children and is expected to actively enforce the AI companion provisions of the new law, Maroney said.

Given significant legislative and litigation activity around AI companions, those provisions in the CT AI Act may draw the most scrutiny from the state’s AG, Atleson agreed.

For companions, enforcement will likely focus on the lack of systemic controls rather than whether an individual user slipped past the age gate, Marmor predicted.

In contrast, digital watermarking may be less likely to be actively enforced, Atleson suggested. Provisions that condition compliance on technical feasibility can make enforcement more difficult because regulators would likely have to litigate the question of whether a given technology was feasible, he explained.

With respect to AI decision-making, regulators will probably not spend a lot of time on AI that makes binary decisions, Marmor predicted. However, companies wishing to be black-letter-compliant should focus compliance efforts on binary decisions as well, she recommended.