Colorado SB 26-189 is a state law that requires businesses using AI to make or influence consequential decisions to disclose that AI is being used, explain adverse outcomes, give consumers access to their data, and allow them to request human review. For debt collection agencies, this applies to any AI system that influences which consumers to contact, in what order, with what frequency, or with what treatment. The law takes effect in 2027, and enforcement includes a 60-day cure window for first-time violations.
Collections agencies often already know how to think about conduct risk. They monitor scripts, disclosures, contact cadence, and complaint patterns. SB 26-189 introduces a new question: when AI influences treatment, can the agency explain that fact, explain the result, surface the relevant data, and let a person review the decision in a meaningful way? That question cuts across compliance, operations, engineering, and client service.
This guide keeps the law in plain English. It does not try to turn a statutory framework into a generic AI policy speech. Instead, it maps the law to the places where agencies actually use automation: segmentation, scoring, prioritization, suppression, review routing, and AI-assisted outreach. If those workflows touch Colorado consumers, the agency should know how the law changes its process design.
On this page
What SB 26-189 is
At a practical level, SB 26-189 is Colorado's attempt to govern how organizations use automated decision-making technology in decisions that have meaningful effects on people. For debt collection agencies, the important point is that the law is about process and accountability, not just model documentation. If AI influences a covered decision, the agency has to be able to tell a consumer that AI was involved, explain an adverse result, provide access to relevant data, and route the matter for human review.
The law therefore reaches beyond the familiar collections playbook. It does not replace FDCPA, state collection law, or dialing rules. It adds a separate layer about the use of AI in decision-making. Agencies should read it as a workflow law as much as a disclosure law. The hard part is not only writing language. The hard part is building the systems that support the language.
Who it applies to
The law matters to any debt collection agency, servicer, or partner using covered AI systems in ways that affect Colorado consumers. That can include agencies based in Colorado and agencies located elsewhere that still collect from Colorado residents. The geographic question should be reviewed carefully, but from an operations perspective the best assumption is that consumer location and decision effect matter more than the mailing address of your headquarters.
Agencies should also think beyond their direct employees. If a vendor provides the scoring engine, prioritization logic, or AI workflow that materially influences treatment, the agency may still be the party that must answer for how that system is used in practice. Vendor language is not enough on its own. You need a local understanding of which workflows are covered and what records you can actually retrieve when someone asks questions later.
What “automated decision-making technology” covers
Automated decision-making technology is broader than a voice bot or chat interface. In a collections environment, it can include a model that ranks accounts by urgency, an engine that decides which queue should handle a consumer, a rule-plus-model system that recommends treatment intensity, or a classifier that decides whether an account gets human review. The system may be predictive, generative, rules-based with model signals, or some combination. What matters is whether it materially influences a consequential decision.
This breadth is why inventory work comes first. Agencies should list each AI-assisted workflow, what decision it influences, what data it uses, where the output is stored, whether a human can override it, and whether the consumer could be materially affected by the result. That creates the map needed for later notice, explanation, and review design.
Get the SB 26-189 compliance checklist for debt collection agencies.
What consequential decisions mean for debt collectors
For debt collectors, a consequential decision can arise when AI influences who gets contacted, when they get contacted, how often they get contacted, how they are routed, or what kind of treatment they receive. A ranking model that pushes some consumers to the top of the queue, a suppression model that keeps others out, or an escalation model that changes whether a person gets human review can all change consumer experience in a meaningful way.
The safest approach is to map these decisions in ordinary business terms. Which AI outputs can affect contact opportunity, contact intensity, review access, or treatment path? If the answer is yes, the workflow belongs in the review set. The point is not to maximize coverage for its own sake. The point is to avoid the false comfort of believing that only a few obvious systems count.
The 4 obligations: notice, explanation, data access, human review
Most agencies can simplify the law into four duties. First, tell consumers when covered AI is used in a consequential decision. Second, explain adverse outcomes in understandable terms. Third, provide access to the relevant data used in the decision. Fourth, give consumers a path to meaningful human review. If the agency can do those four things consistently for every covered workflow, it is much closer to operational readiness.
| Obligation | Key question for agencies | What to build |
|---|---|---|
| Notice | Where will the consumer learn AI influenced the decision? | Channel-appropriate disclosure flow |
| Explanation | Can we describe the adverse result and why it occurred? | Explanation template backed by logs |
| Data access | Can we retrieve the relevant data used at decision time? | Decision audit record and data retrieval path |
| Human review | Can a person reassess and change the result? | Review queue with override authority |
These duties are operationally linked. Explanation is weak without data access. Human review is weak without explanation. Notice is weak if nobody inside the business knows which decision it applies to. That is why agencies should avoid assigning each duty to a different silo without a shared workflow map.
Timeline: when to act
The law takes effect in 2027, but implementation work should begin well before then. A realistic timeline starts with inventory and governance mapping, then moves to logging and queue design, then to notice language, explanation templates, and reviewer training. Waiting until the year of enforcement is risky because the work touches product, operations, compliance, and data infrastructure at the same time.
The 60-day cure window for first-time violations is useful but should be treated as a backstop, not a project plan. If the agency relies on cure rights to figure out its process, it will be learning under pressure rather than building with intention.
How this differs from FDCPA and TCPA
FDCPA and TCPA focus on debt collection conduct, communication limits, consent, timing, and related outreach rules. SB 26-189 focuses on AI-influenced consequential decisions. In other words, the older laws ask, “Was the outreach itself lawful?” The newer law also asks, “Was AI involved in deciding this, and can you explain and revisit that involvement?” Agencies need both frames at once.
This means a workflow can comply with communication rules and still fall short on AI governance. For example, a call may be placed within permitted hours and with proper disclosures, yet the account may still have been prioritized by a covered AI system without a ready explanation or review path. That is why SB 26-189 should be handled as a separate but connected implementation stream.
Implementation checklist
Start with an inventory of every AI-assisted workflow that can influence consumer treatment. Mark which ones affect contact priority, suppression, review access, channel, or cadence. For each, define the decision point, responsible team, source data, audit fields, consumer notice path, explanation packet, and review owner. Then test whether a reviewer can actually retrieve the necessary information and change the result.
Next, align vendors and internal teams around retention and retrieval. Decision logs are useful only if they remain accessible long enough to support the workflow. Finally, rehearse likely requests. Can the agency respond clearly when a consumer asks whether AI was used, why the outcome occurred, what data was involved, and how to get a person to review it? If not, the readiness gap is still open.
| Step | Output | Owner |
|---|---|---|
| Inventory workflows | List of covered AI-influenced decisions | Compliance + operations |
| Map decision data | Audit fields and retrieval plan | Data + engineering |
| Build review path | Human review queue with override rights | Operations |
| Draft notices and explanations | Consumer-ready language and response templates | Compliance + legal |
| Run tabletop tests | Proof the process actually works | Cross-functional team |
FAQ
What is Colorado SB 26-189?
It is a Colorado law that adds obligations when automated decision-making technology is used in consequential decisions. Those obligations include notice, explanation, relevant data access, and meaningful human review.
Does SB 26-189 apply to out-of-state debt collectors?
It can, especially when a covered workflow affects Colorado consumers. Agencies should review their customer footprint and where their AI-assisted decisions have effect, not only where their office is located.
How does Colorado's AI law interact with FDCPA?
FDCPA governs debt collection behavior and communications. SB 26-189 adds duties tied to AI-driven consequential decisions. Agencies need to satisfy both because they govern different parts of the workflow.
What is the penalty for violating SB 26-189?
The law includes a 60-day cure window for first-time violations before penalties apply, but that should be treated as a limited safety net rather than a reason to postpone implementation.
When does Colorado SB 26-189 take effect?
It takes effect in 2027. Agencies should use the lead time to inventory covered decisions, build the necessary logs and queues, and train staff on how to respond.
Need a plain-language SB 26-189 readiness review?
We can help your agency map covered workflows, define obligations, and turn the law into an implementation plan that operations can actually run.