AI & Work

Colorado's AI Hiring Law: What Recruiters Do Before 2027

Arpit Tripathi · July 1, 2026 · 11 min read

Colorado's AI law (SB24-205, replaced by SB26-189) takes effect Jan 1, 2027, regulating automated hiring decisions via disclosure and notice.

Colorado's AI Act, originally SB24-205, was repealed and replaced by SB26-189, signed by Governor Polis on May 14, 2026, and it now takes effect on January 1, 2027. The rewrite matters for any recruiter using AI to screen candidates, because it dropped the original impact-assessment mandate and the algorithmic-discrimination duty of care. In their place, the operative law regulates automated decision-making technology, or ADMT, in consequential decisions like hiring through disclosure, notice, adverse-decision explanations, and human-review rights. That is the headline. The harder part is that Colorado is only one square on a growing 2026 patchwork, and the requirement most compliance guides skip is not about bias at all.

Here is what recruiters need to sort out before January 2027: which of your tools count as automated decision-making technology, what each law obliges you to do, and where candidate data actually lives once it leaves your applicant tracking system. The last question is the one that quietly breaks careful compliance programs.

What Colorado's replacement AI law asks of recruiters

SB26-189 governs automated decision-making technology used in consequential decisions, and employment is squarely on the list. When an AI system makes or substantially drives a decision like who gets an interview or an offer, the law leans on transparency rather than the impact assessments the original bill required. Developers of the technology owe documentation to the deployers who use it, and deployers owe candidates a set of concrete disclosures and rights.

The practical work splits into three buckets. First, inventory: list every tool in your hiring stack that scores, ranks, or filters people so you know where ADMT is in the loop. Second, notice: tell candidates at the point of interaction when an automated system is weighing their application. Third, explanation and review: when an adverse decision lands, be ready to give a plain-language reason within thirty days, honor a data-correction request, and offer a meaningful human review of the outcome.

Insight

Deployer, not just builder. SB26-189 splits duties: developers document the technology for the deployers who buy it, but deployers still owe candidates notice, adverse-decision explanations, and human review. Buying compliant software does not transfer those disclosure duties away from your team.

  • Map every AI touchpoint in sourcing, screening, and interview scoring.
  • Give candidates notice at the point an automated system enters the decision.
  • Deliver a plain-language explanation within thirty days of an adverse decision.
  • Retain developer documentation and confirm a human can review any AI-driven outcome.

Colorado's original bill was a trend-setter, so expect other states to keep modeling language on transparency and notice. Building the inventory and disclosure habit now costs less than retrofitting it across a dozen jurisdictions later. Note that the source that once framed this as a June 2026 impact-assessment regime has since updated to reflect the repeal-and-replace and the January 1, 2027 effective date.

How to prepare for the disclosure rules without stalling hiring

Getting ready for the ADMT rules does not have to freeze your pipeline. Start with the tools that touch the most candidates, since those carry the widest exposure. For each one, write down the decision it influences, the inputs it reads, and the notice you will show candidates before it runs. Draft the plain-language adverse-decision explanation once, as a template, so a rejection triggers a filled-in reason rather than a scramble. Keep that template dated and versioned so that when the tool or its settings change, your disclosures stay accurate.

The recurring mistake is treating disclosure as a one-time form. An automated system's behavior shifts when the vendor updates the model, when you retrain on new data, or when you change the score threshold that gates an interview. Each of those changes what you should be telling candidates and how you explain an adverse call. Recruiters who wire the notice-and-explanation step into their normal tooling-review cadence spend far less effort than teams scrambling to reconstruct history after the fact.

The EU AI Act treats recruiting tools as high-risk

If you hire anyone in the EU, or process EU candidates' data, the EU AI Act classifies AI recruiting tools such as resume screening and video-interview scoring as high-risk. That classification carries hard obligations: high-quality training data, logging of system activity, meaningful human oversight, and transparency notices to the people being assessed. This is where the impact-assessment style of documentation still genuinely lives, even though Colorado's replacement law walked away from it.

The overlap with Colorado is real but not identical. Both frameworks care about oversight and telling candidates when a machine is involved. The EU version adds explicit demands about training-data quality and audit logging that a purely US-focused program may not cover. Recruiters at multinational employers should build one program that satisfies the stricter standard rather than maintaining two thin ones.

GDPR Article 22 gives candidates a human-review right

GDPR Article 22 grants candidates the right to human review of a solely-automated rejection. If an algorithm rejects someone with no human in the decision, that person can demand a person actually look at it. The penalty ceiling for getting this wrong is up to EUR 20 million or 4 percent of global revenue, whichever is higher.

The operational fix is straightforward: never let a model issue a final rejection unreviewed for candidates covered by GDPR. Route AI-flagged rejections through a recruiter who signs off, and keep a record that the review happened. The right only bites when the decision is solely automated, so a genuine human checkpoint neutralizes most of the exposure. It also lines up neatly with Colorado's human-review right under SB26-189.

ADMT notice rules and Illinois HB 3773

Two more pieces round out the 2026 landscape, and they rhyme with Colorado's new approach. Automated Decision-Making Technology rules, known as ADMT, mandate pre-use notice to candidates, a right to opt out in defined cases, and access to information about how the ADMT is used. That means telling applicants before you run them through the system, not after, and having a process for those who decline.

Illinois HB 3773 requires notice when AI influences hiring, firing, or promotion decisions, effective January 1, 2026. The through-line across ADMT rules, Illinois, and Colorado's replacement law is transparency: candidates get to know when a machine is weighing in. Bake a plain-language AI disclosure into your application flow and you cover most of the notice obligations at once.

What meaningful human oversight actually looks like

Three of the four frameworks lean on the same idea: a person, not just a model, stands behind consequential calls. The EU AI Act asks for human oversight of high-risk recruiting tools, GDPR Article 22 lets candidates demand human review of automated rejections, and Colorado's SB26-189 gives candidates a right to meaningful human review of an adverse ADMT decision. The weak version of this is a rubber stamp. The version regulators want is a reviewer who can see the AI's reasoning, has authority to overturn it, and does so often enough to prove the checkpoint is real.

Design the checkpoint where it changes outcomes, at the reject or advance step, not as a signature collected after decisions are already final. Give reviewers the inputs the model used and a simple way to record a reversal. That record does double duty: it satisfies the human-review expectation and it gives you real evidence of how often the tool gets it wrong, which is exactly what you want if the EU high-risk obligations pull you toward heavier documentation.

The 2026 rules a recruiter faces, side by side

Four frameworks dominate a US-plus-EU hiring program heading into 2027. They differ on scope and on who they bind, so read them together rather than treating any one as the whole picture.

Colorado SB26-189
  What it covers: Automated decision-making technology in consequential decisions, including employment
  Key obligation: Disclosure and transparency; consumer notice, adverse-decision explanation, data correction, human review (effective Jan 1, 2027)
  Who it applies to: Developers and deployers of ADMT in Colorado

EU AI Act
  What it covers: Resume screening and video-interview scoring, classified as high-risk
  Key obligation: Quality training data, logging, human oversight, transparency notices
  Who it applies to: Providers and deployers of recruiting AI in the EU

GDPR Article 22
  What it covers: Solely-automated rejection decisions
  Key obligation: Human review on request; fines up to EUR 20 million or 4% of global revenue
  Who it applies to: Anyone processing EU candidates' personal data

Illinois HB 3773
  What it covers: AI influencing hiring, firing, or promotion
  Key obligation: Notice when AI is used in the decision
  Who it applies to: Employers using AI in Illinois employment decisions

The data-retention problem most guides ignore

Here is what most AI hiring compliance guides won't tell you: they obsess over bias audits and paperwork, then say nothing about where candidate data goes once a recruiter pastes it into a consumer chatbot. That gap is where a clean compliance program springs a leak.

Picture the routine move. A recruiter drops a candidate's resume, notes, and contact details into a general-purpose AI tool to draft a summary or an outreach email. Your carefully negotiated vendor data processing agreement covers your applicant tracking system and your approved screening vendor. It does not cover the consumer model window a recruiter used on a whim. That PII now sits outside the DPA, potentially retained, potentially used to train a model, and entirely outside your disclosure records or your GDPR obligations.

Pro Tip

Run a quick audit: list every place candidate PII can be pasted that is not covered by a signed DPA. Consumer chatbots and personal accounts are the usual blind spots. Close them with policy and an approved, controlled alternative.

Bias audits matter, and other regimes like NYC's Local Law 144 and the EU AI Act do push you toward them. But a discrimination review of your screening vendor does nothing about a recruiter feeding sensitive candidate data into a model whose retention terms you never read. The two risks are separate, and only one of them shows up in the popular checklists. Colorado's replacement law focuses on ADMT transparency, not impact assessments, so it will not catch this leak either.

The stakes compound when you map this back to the four frameworks above. GDPR Article 22 and the ADMT notice rules assume you know where a candidate's data is processed, because you owe candidates disclosure and, in some cases, an opt-out. A resume that a recruiter dropped into a personal chatbot account cannot honor an opt-out, cannot be surfaced in a data-access request, and cannot be logged the way the EU AI Act expects. Shadow AI use turns a paperwork problem into a genuine legal one.

  • Write an explicit policy naming which AI tools may handle candidate data.
  • Give recruiters an approved, controlled alternative so the rule is followable.
  • Cover personal accounts and browser extensions, not just company-issued tools.
  • Log where candidate PII is processed so access and opt-out requests are answerable.

Keep recruiter context under your control

Recruiters accumulate context worth protecting: candidate notes, role requirements, interview feedback, and the running memory of who is at what stage. The temptation is to keep that context inside whatever AI tool is open, which is exactly how PII drifts outside your DPA. The fix is a memory layer you control rather than one owned by a consumer model.

MemX is an external memory layer that persists your working context across ChatGPT, Claude, and Gemini while keeping the underlying data isolated and portable. Instead of pasting candidate details into a model window that may retain them, you keep role requirements and notes in a store that is private by architecture, with per-user isolation, encryption at rest, and on-device options, so recruiter context is not folded into a consumer model's training set. It is not a substitute for your legal review, and it does not make you compliant on its own. What it does is give recruiters one controlled place for the context that would otherwise leak into whatever chatbot happened to be open.

Insight

Compliance covers the tools you vetted. The data-retention gap is about the tools your recruiters reach for in the moment. Give them a controlled memory layer and you shrink that gap without slowing anyone down.

Frequently Asked Questions
1. When does Colorado's AI hiring law take effect?

Colorado's AI law began as SB24-205 but was repealed and replaced by SB26-189, signed May 14, 2026, and takes effect January 1, 2027. It regulates automated decision-making technology in hiring through disclosure, notice, adverse-decision explanations, and human-review rights.

2. What does Colorado's AI law require recruiters to do?

Under SB26-189, developers document the technology and deployers give candidates notice, a plain-language explanation within thirty days of an adverse decision, data-correction rights, and meaningful human review. The original impact-assessment and duty-of-care requirements were removed.

3. Does the EU AI Act apply to AI recruiting tools?

Yes. The EU AI Act classifies AI recruiting tools like resume screening and video-interview scoring as high-risk, requiring high-quality training data, logging, human oversight, and transparency notices for candidates being assessed.

4. Can a candidate demand human review of an AI rejection?

Under GDPR Article 22, a candidate can require human review of a solely-automated rejection. Penalties for non-compliance reach up to EUR 20 million or 4 percent of global revenue, so keep a human in any final rejection decision.

5. Is pasting candidate data into ChatGPT a compliance risk?

It can be. Candidate PII pasted into a consumer chatbot usually falls outside your vendor DPA and may be retained or used for training. Use an approved, controlled tool and keep that data inside systems your agreements actually cover.

The 2026 rule set rewards recruiters who do two things at once: prepare the notice, explanation, and human-review process the statutes demand, and lock down where candidate data physically ends up. Colorado's replacement law and the EU AI Act push the first. The second is on you, and it starts with knowing every window your team can paste a resume into before January 2027 arrives.


Written by Arpit Tripathi

Founder of MemX. Ex-Google Staff Tech Lead Manager, ex-AWS Senior SDE (Elastic Block Store). Writes about practical AI on the MemX blog.
