Colorado AI Act enforcement is 10 weeks away. What does the rebuttable presumption defense actually require?
SB 24-205 enforcement starts June 30, 2026. Most of the conversation focuses on the $20k per consumer penalty but the more interesting part of the statute is the rebuttable presumption defense under Sec. 6-1-1706.
If you can demonstrate reasonable care, the burden shifts to the AG to prove you weren't compliant. That's a meaningful legal shield. But "reasonable care" isn't vague. The statute requires specific things to be in place before an incident:
Risk assessments documenting how your AI system could produce discriminatory outcomes across the protected classes listed in the statute (which includes reproductive health and limited proficiency in English, not just the usual federal list).
Consumer notices disclosing that AI is being used in consequential decisions.
AI system inventory with documented ownership.
Ongoing monitoring, not point-in-time documentation.
The key word is "before." Retroactive documentation doesn't satisfy the rebuttable presumption. If the AG comes asking and your evidence was assembled after the fact, the defense fails.
Curious what others are seeing. Are companies actively building toward the rebuttable presumption requirements or still treating June 30 as theoretical?
Free exposure audit at aguardic.com/colorado-ai-act-audit if anyone wants to scope where they stand. 10 questions, PDF with statute citations.