O’Melveny Worldwide

State AI Regulatory Landscape Continues to Evolve with Passage of New Laws in Colorado and Connecticut

July 1, 2026

State AI regulation is moving quickly, and businesses that develop or deploy AI tools face an increasingly complex compliance landscape. Colorado recently replaced its landmark AI law with a narrower framework focused on automated decision-making technology, while Connecticut enacted a broader law covering employment-related AI, AI companions, generative AI provenance, minors’ online safety, and state AI governance. Other states, including California and Illinois, are also advancing rules that focus on AI use in a wide variety of areas, including employment, healthcare, advertising, and more. Given the emerging patchwork of different regulations, companies should continue to keep a close eye on state-by-state AI requirements. 

Key Takeaways:

  • Colorado narrows its AI framework: The state repealed and replaced its prior duty-of-care model with a more targeted law centered on notice obligations for automated decision-making technology used in consequential decisions.
  • Connecticut takes a broader approach: Its new law includes employment-related AI notice requirements while also addressing AI companions, generative AI provenance, algorithmic content for minors, frontier AI whistleblower protections, and AI-related layoffs, among other subjects.
  • AI use in HR decisions remains a key focus: Connecticut, California, Illinois, and New York City all now have statutes targeting use of AI in employment-related decisions, reflecting growing regulatory attention in this area.
  • Different states’ approaches to AI reflect both common themes and divergent frameworks: Developers and deployers of AI need to monitor the rapidly evolving state regulatory landscape, while watching for possible federal action affecting state enforcement. 

In recent weeks, Colorado and Connecticut have enacted significant new artificial intelligence laws reflecting two different approaches to AI regulation. Colorado repealed and replaced its first-in-the-nation AI duty-of-care law with a narrower framework focused principally on notice for the use of automated decision-making technology in consequential decisions. The Connecticut law likewise imposes notice requirements for the use of automated employment-related decision technology, but goes further by imposing a number of requirements on AI developers, providers, and operators and setting out an ambitious AI governance agenda for the state.

Together, the Colorado and Connecticut laws illustrate the continued development of a state-law patchwork governing AI. They also reflect a broader trend of states being particularly focused on uses of AI in making consequential decisions affecting states’ residents.

Colorado Repeals and Replaces Its Prior AI Act

Colorado’s prior AI Act, enacted in 2024, was one of the first attempts by a state to broadly regulate the use of AI across industry sectors. It imposed a general duty of care on developers and deployers of “high-risk artificial intelligence systems” to protect Colorado residents from algorithmic discrimination, including obligations to conduct impact assessments and maintain risk-management programs. That law was set to take effect in 2026, but it faced sustained criticism: xAI sued to block the implementation of the law, and the U.S. Department of Justice joined the lawsuit in April 2026, arguing the AI Act violated the Equal Protection Clause.

Colorado has now replaced that framework with SB 26-189, a law that still focuses on “automated decision-making technology” (“ADMT”) used to materially influence certain consequential decisions, but imposes a considerably narrowed set of obligations on developers and deployers. The revised law takes effect January 1, 2027. The law defines ADMT as “technology that processes personal data and uses computation to generate outputs, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual.” The law covers ADMTs used to materially influence consequential decisions within specified domains: education, employment, the lease or purchase of residential real estate in Colorado, financial or lending services, insurance, healthcare services, and essential government services and public benefits. 

Developers of covered ADMTs have the following obligations under Colorado’s revised law: 

  • providing deployers with documentation and related information about the ADMT, including information regarding intended uses, categories of training data, known limitations, and instructions for appropriate use, monitoring, and meaningful human review;
  • providing deployers with notice of material updates, intentional and substantial modifications, and changes to the intended use of, limitations for, or risk mitigation for the covered ADMT; and
  • retaining records demonstrating compliance for at least three years.

Deployers’ obligations include: 

  • providing clear and conspicuous notice to consumers that ADMT has been or will be used in a consequential decision; and
  • in circumstances where ADMT materially influenced a consequential decision that results in an adverse outcome for a consumer: 
    • providing information regarding the decision and the role the ADMT played;
    • providing instructions for requesting additional information about the ADMT and the data used; and
    • providing an explanation of consumer rights, including rights related to requesting and correcting personal data used in the consequential decision and, to the extent commercially reasonable, meaningful human review and reconsideration of the adverse consequential decision.

The law is enforceable by the Colorado Attorney General through the Colorado Consumer Protection Act, and a violation is deemed a deceptive trade practice. Until January 1, 2030, before bringing an enforcement action, the Attorney General must provide notice and a 60-day opportunity to cure (if the Attorney General deems a cure possible), though no cure period is required for knowing or repeated violations. The revised law does not create a new private right of action, but it does address allocation of fault between developers and deployers in civil actions alleging unlawful discrimination under existing law. It also voids indemnification provisions to the extent they cover damages resulting from a developer’s or deployer’s own acts or omissions related to the use of ADMT in making consequential decisions—a provision that may affect how vendors and customers allocate risk in AI procurement and services agreements.

Connecticut Enacts a Broad AI and Online-Safety Law

Connecticut’s new law, Public Act No. 26-15, is both broader and narrower than the Colorado law.

It is narrower as to automated decision-making notice because its provisions are limited to employment-related decisions, rather than extending to education, residential real estate, insurance, health care, and other domains covered by the Colorado law. Beginning October 1, 2027, deployers must provide specified notices to employees and applicants before making covered employment-related decisions using automated employment-related decision technology. As with the Colorado law, developers must provide deployers with information necessary for compliance with the notice requirements. Violations constitute unfair or deceptive trade practices, enforceable solely by the Connecticut Attorney General, and the statute does not create a private right of action. Unlike the Colorado law, Connecticut does not grant affected employees and applicants the right to request human review and reconsideration of adverse decisions. 

Connecticut also amends its employment-discrimination law to make clear that the use of automated employment-related decision technology is not a defense to an employment-discrimination claim. Courts and the state civil rights commission may, however, consider evidence of anti-bias testing or similar proactive efforts to avoid discrimination, including the quality, efficacy, recency, scope, results, and remedial response associated with those efforts when evaluating such claims.

The Connecticut law is broader than the Colorado law in that it covers numerous AI areas beyond automated decision-making. For instance, the Connecticut law also imposes obligations on:

  • Providers of subscription-based AI technologies, who must provide specified notice to subscribers and obtain written acceptance of key subscription terms.
  • Operators of AI companions, who must implement protocols to detect and respond to certain user expressions indicating risk of suicide, self-harm, or imminent physical violence, and provide disclosures if a user could reasonably believe they are interacting with a human rather than an AI companion. The law imposes additional protections for users under 18.
  • Covered providers of publicly accessible generative AI systems, who must include tamper-resistant provenance data in audio, image, or video content created or materially altered by their generative AI systems if commercially and technically reasonable, subject to exceptions.
  • Operators of platforms that recommend user-generated media, who must comply with requirements and prohibitions related to serving algorithmically personalized content to minors.
  • Frontier AI developers, who are prohibited from restricting or retaliating against whistleblower employees in specified circumstances.
  • Employers providing statutory notices of layoffs to the Labor Department, who must disclose if the layoffs relate to the employer’s use of AI.

The law also enacts a number of provisions related to the state’s governance of AI, including plans for an AI regulatory sandbox program, a Connecticut AI Academy, a working group to develop recommendations and propose legislation, a pilot program to evaluate a third-party verification program to assess safety of AI models, and a study on AI’s impact on the workforce. The far-reaching scope reflects Connecticut’s apparent intention to be on the cutting edge of AI regulation and governance.

What Other States Are Doing

So far, other states have varied in their approach to AI regulation. California has been one of the more active states in addressing the use of AI through a variety of rules, including privacy protections, disclosure requirements, and employment protection provisions. As with Connecticut and Colorado, one of the subjects California has focused on is the use of ADMT for consequential decisions. The California Privacy Protection Agency recently approved regulations that impose certain requirements relating to the use of personal information in connection with ADMT—for example, requiring businesses to conduct a risk assessment before using personal information to train an ADMT for a significant decision concerning a consumer. In addition, if a business uses ADMT to make a “significant decision” about a consumer (i.e., results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services), the business must provide a pre-use notice and give the consumer the right to opt out and access certain information regarding the use of the ADMT. Regulations extend beyond ADMT used in consequential decisions, though, also requiring risk assessments before training a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer.

California has also issued automated-decision-system regulations under the Fair Employment and Housing Act that clarify that existing, generally applicable, anti-discrimination rules, including disparate-impact principles, reasonable-accommodation obligations, and recordkeeping requirements, apply to automated systems used to make or facilitate employment decisions. The regulations also provide that evidence of anti-bias testing or similar proactive efforts may be relevant in evaluating claims or defenses. This approach is an example of using existing legal frameworks to address concerns about AI technology.

Illinois is another state that has focused heavily on the use of AI in employment contexts, and it has gone further than others in regulating this area. Effective January 1, 2026, amendments to the Illinois Human Rights Act restrict employers’ use of AI in employment decisions, including recruitment, hiring, promotion, discipline, discharge, tenure, training, apprenticeship, and decisions over other terms or conditions of employment. Illinois requires notice when employers use AI for covered employment purposes and prohibits the use of AI in ways that result in discrimination based on protected classes, including through the use of zip codes as proxies for protected characteristics. Illinois has been developing implementing rules, although the state recently postponed proposed rulemaking proceedings. Illinois (along with Maryland) also has laws regulating the use of AI video tools for job interviews. At the municipal level, New York City has been the leading regulator of AI employment-decision tools, requiring annual bias audits in addition to notice and opt-out rights. 

Other states take a variety of approaches to regulating various aspects of AI, but there are a few emerging themes. Beyond regulating the use of AI in employment, some of the specific areas attracting attention are:

  • Use of AI in significant decisions in areas such as healthcare, education, insurance, housing, provision of financial or lending services, and criminal justice. Over a dozen states have now adopted consumer privacy laws that require businesses to provide consumers with notice and opportunity to opt out when personal data is used for purposes of automated decision-making in specific circumstances.
  • Use of AI to generate deepfakes.
  • Use of AI in healthcare communications or provision of mental health services.
  • Use of AI in advertising and commercial communications.
  • Use of AI chatbots by governmental agencies or certain regulated professions.
  • Use of AI in elections communications and political ads.
  • Use of AI to create digital replicas or synthetic performers.
  • Use of AI to help determine insurance rates or set personalized prices.
  • Chatbots, and in particular disclosures and safeguards relating to use of chatbots by minors and users expressing suicidal ideation or intention to self-harm.
  • Use of AI by social media platforms. 
  • Requirements for developers of frontier AI models (disclosures, risk assessments, safety frameworks, incident reporting systems). 
  • Disclosures relating to training data used in AI models. 
  • Disclosures and detection tools identifying AI-generated content. 
  • Use of common algorithms (i.e., algorithms also used by competitors) to set prices.
  • Use of AI in critical infrastructure.

Practical Takeaways

Both developers and deployers of AI tools should continue to monitor the rapidly developing state-level regulatory landscape. While there are common themes and approaches (e.g., a focus on automated consequential decisions), there is considerable variation in areas targeted by different states and in the specific requirements imposed by different state laws. It is also important to monitor federal AI efforts and potential preemption of state rules. As covered in our prior alert, the Trump administration issued an Executive Order in December 2025 implementing various policies and initiatives targeting “onerous” state AI laws and specifically referring to the now-repealed Colorado law. And on June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a discussion draft for potential federal AI legislation (Great America AI Act) that would create a federal framework for regulating frontier AI models and preempt state rules on AI development, though not deployment.  The allocation of regulatory powers between federal and state enforcers remains an open issue in the AI space—and one to watch for companies developing and deploying AI.

For more information, please reach out to one of the attorneys listed in this alert or your regular O’Melveny contact.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Jonathan P. Schneller, an O’Melveny partner licensed to practice law in California; Reema Shah, an O’Melveny partner licensed to practice law in New York; Daniel R. Suvor, an O’Melveny partner licensed to practice law in California; Sergei Zaslavsky, an O’Melveny partner licensed to practice law in the District of Columbia and Maryland; Scott W. Pink, an O’Melveny special counsel licensed to practice law in California; Gillian Mak, an O'Melveny associate licensed to practice law in the District of Columbia; and Xander Nabavi-Noori, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2026 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.