    Colorado Just Gutted Its Own AI Law. A Lesson for Canada

    Colorado signed a bill repealing its landmark AI Act, dropping impact assessments and sliding the start date to 2027. For Canadian small firms with no federal AI law either, the takeaway is about software.

    By James R. Gosnell

    Educational content. Not legal advice.

    Two years ago Colorado passed the first comprehensive AI law in the United States, and every other state legislature treated it as the template. On May 14, 2026, the governor signed a bill that repealed it and rebuilt something much smaller in its place.

    What SB 26-189 Actually Changed

    SB 26-189 repeals and reenacts SB 24-205, the 2024 statute that first defined Colorado's approach to high-risk AI. The new version drops the three obligations that gave the original its teeth: mandatory risk management programs, impact assessments, and the duty of reasonable care to prevent algorithmic discrimination, which the original framed as a primary source of liability.

    The effective date moved too. The original law was set to bind deployers on June 30, 2026. The rewrite pushes that to January 1, 2027, with a 60-day window to cure violations that does not sunset until January 1, 2030.

    What remains is lighter: developers document intended uses, known risks, and training-data categories; deployers give advance notice before using AI on a consumer and disclose adverse outcomes within 30 days; consumers get correction rights and a path to human review. It is a disclosure regime where the prior law was a duty-of-care regime.

    The Most-Watched US State AI Law Just Deflated

    The substance of the change matters less than the signal it sends. Colorado was the proof of concept that a US state could regulate AI systems comprehensively, and roughly a dozen states drafted bills that borrowed its structure. When the originator repeals its own core obligations before they ever take effect, the template loses its authority.

    This is the second time in eighteen months a flagship AI statute has hollowed out before enforcement. Canada watched Bill C-27 and its Artificial Intelligence and Data Act die on the order paper when Parliament was prorogued in early 2025, and the bill has not come back. The pattern is consistent: ambitious AI legislation gets drafted, draws heavy industry pushback, and either dies or gets stripped down before anyone has to comply.

    Canada Is in the Same Waiting Room

    For a Canadian firm, the practical reality is that there is no binding federal AI statute and no near-term prospect of one. What governs AI today is the existing privacy law: PIPEDA federally, and in Quebec, Law 25, whose automated-decision and profiling rules are already in force and considerably stricter than anything Ottawa has proposed.

    So a Canadian solo or small firm choosing software in 2026 is making that decision against a moving target. The federal rules might arrive in two years or five. The provincial privacy rules are real now. And the US state rules that some vendors built their products around just got rewritten before they applied to anyone.

    Why This Is a Software Problem, Not a Legislative One

    The temptation, watching all this churn, is to wait: do not adopt AI tooling until the law settles. That is a mistake, because the law is not going to settle on a schedule that matches a firm's buying cycle, and the privacy obligations that actually bite already exist.

    The better move is to stop architecting around any single statute and instead choose tools whose defaults satisfy the strict cases regardless. Data residency in Canada. Client data isolated per tenant rather than pooled. Audit trails that exist whether or not a regulator ever asks. A vendor that bakes these in is covered under Law 25 today and under whatever Ottawa eventually ships, without a migration.

    Building the Compliance In Instead of Waiting for It

    This is the design principle behind SupaCorp, entity management software for Canadian solo and small firms handling incorporations, annual returns, minute books, and client intake across federal, Ontario, BC, Alberta, and Quebec rules. The compliance posture is structural: multi-tenant data isolation through Postgres row-level security, Canadian data residency, and audit trails on the corporate record by default.

    That posture does not depend on which AI law passes. A firm running on infrastructure that already isolates client data and keeps it in-country does not have to re-architect when Colorado rewrites its act or when Ottawa finally tables a successor to AIDA. The regulatory whiplash south of the border is a useful reminder that betting a software stack on a specific statute is the fragile choice. Betting it on strict defaults is the durable one.

    What to Watch

    Two things. First, whether any US state holds the line on a duty-of-care model now that Colorado has retreated, or whether the whole first wave collapses into disclosure regimes. Second, whether Ottawa reintroduces anything resembling AIDA before the next election, or leaves the field to the provinces and the privacy commissioners. For a small firm, neither answer changes the right move today, which is to buy software that would survive the strict version of every one of these rules.