For most of 2025, Colorado SB 24-205, titled the Consumer Protections for Artificial Intelligence Act, was treated as the canary in the coal mine for U.S. state AI regulation. It was the first broad private-sector AI law in the country, it carried $20,000-per-violation penalties, and it was scheduled to start enforcement on June 30, 2026. Every other state legislature was watching to see what Colorado actually did.

Then, in sixteen days, the situation came undone. A federal magistrate stayed enforcement. The legislature repealed the law. The governor signed the replacement. None of this was on most observers' bingo cards a month ago, and the practical question for businesses outside Colorado is now different than it was. This article covers what happened, what the new regime looks like, what the federal court fight signals, and which North Carolina rules a service business in Moore County actually needs to be aware of right now.

The sixteen-day timeline

April 28, 2026. U.S. Magistrate Judge Cyrus Y. Chung approved a joint stipulation in xAI v. Weiser that bars Colorado Attorney General Phil Weiser from initiating enforcement actions under SB 24-205 until the fourteenth day after the court rules on xAI's pending motion for a preliminary injunction.1 The stipulation followed xAI's early-April lawsuit challenging the AI Act on First Amendment grounds, plus the U.S. Department of Justice's April 24 motion to intervene as a plaintiff alongside xAI.2

May 9, 2026. The Colorado General Assembly passed SB 26-189, Automated Decision-Making Technology, by 34-1 in the Senate and 57-6 in the House. The bill repeals SB 24-205 and replaces it with a narrower transparency-focused regime.3

May 14, 2026. Governor Jared Polis signed SB 26-189 into law. The new statute takes effect January 1, 2027.4

The June 30, 2026 enforcement date that had organized the whole state-AI-regulation conversation for the last year is now gone in two ways at once: enforcement of the old statute is stayed by court order, and the statute itself has been replaced by one that does something materially different.

What SB 26-189 actually requires

The replacement regime drops the most demanding obligations of the original law and substitutes a consumer-disclosure-and-redress framework. The shift in vocabulary is itself the tell. The old statute regulated "high-risk artificial intelligence systems" and imposed "algorithmic discrimination" duties. The new statute regulates "automated decision-making technology" (ADMT) that processes personal data to materially influence a "consequential decision."5

The categories of consequential decisions carry over from the old law: employment, housing, lending, insurance, healthcare, education, and essential government services. What changes are the obligations on the businesses making those decisions.

What was removed. The risk management policy requirement is gone. The mandate to perform an initial AI impact assessment within 90 days and annually thereafter is gone. The mandate to report reasonably foreseeable risks of algorithmic discrimination to the Attorney General is gone. The broad algorithmic discrimination duties tied to the developer-vs-deployer framework are scaled back substantially.6

What was added. When ADMT is used to materially influence a consequential decision, the deployer must give the affected person notice that the technology was used. After an adverse decision, the deployer must explain how the technology contributed and give the person the right to request correction of inaccurate underlying data and the right to meaningful human review.7

For a service business in Colorado that uses a vendor's hiring screener, underwriting tool, or pricing engine, the practical shift is significant. Three months ago the compliance picture was: write a risk management policy, run an annual impact assessment, document the developer-vs-deployer responsibility split, and stand ready to report algorithmic-discrimination risks to the AG. Now the picture is: maintain a notice template, build a process for handling correction and human-review requests, and be ready to explain in plain terms how the ADMT contributed to an adverse decision. The compliance lift is meaningfully lower. The consumer-facing surface is more visible.

The DOJ intervention is the signal worth watching

The April 28 stay is procedurally narrow. It freezes AG enforcement for a window tied to the preliminary injunction ruling. The federal litigation underneath it is the part that may reshape state AI law nationally.

xAI's argument is that designing and training an AI model is protected expressive activity under the First Amendment, similar to how video-game developers, social-media platforms, and search engines have been treated by the Supreme Court in recent expressive-speech cases. On that theory, the AI Act's required disclosures and its compelled inclusion of state-defined fairness standards compel xAI to speak in ways it would not otherwise choose.8

The DOJ joined the case on April 24, framing the intervention as the federal government's first formal litigation effort to limit state-level AI regulation.9 The DOJ's added theory is an equal-protection challenge to the law's diversity-related carveouts, arguing that the carveout structure forces AI companies to adopt state-preferred viewpoints. That intervention is itself a direct extension of the Trump administration's January 2026 executive order directing federal agencies to identify and challenge state AI laws that conflict with federal AI policy.

Whether the preliminary injunction succeeds is the immediate question. Whether the First Amendment and equal-protection theories travel to other state AI statutes is the larger one. The litigation is being briefed in district court at the same time as Texas, Illinois, California, and New York legislators are drafting their own AI bills. None of those bills will look identical to SB 24-205 or SB 26-189. They will draft against whatever the federal court produces.

What's actually live in North Carolina right now

None of the Colorado action changes the rules that are already in effect in North Carolina. The local picture has been stable for months. Most service-business owners in Moore County are not aware of the parts of it that already bind them.

The North Carolina Personal Data Privacy Act (HB 462) took effect January 1, 2026.10 The law applies to any business that conducts business in North Carolina or targets products or services to North Carolina residents and either (a) controls or processes the personal data of at least 35,000 consumers (excluding payment-only data), or (b) controls or processes the personal data of at least 10,000 consumers and derives more than 20% of gross revenue from the sale of personal data. The thresholds are real. Most 12-person service businesses do not hit them. A content site with 35,000 monthly readers does. A vendor selling lead lists hits the second threshold easily.

If you are in scope, the law gives consumers the right to confirm what data is being collected, access it, correct inaccuracies, request deletion, and opt out of targeted advertising and data sales. You must designate yourself as a data controller or processor, maintain records of processing activity, and provide a privacy notice. The North Carolina Department of Justice began public outreach about the new regulations on July 1, 2025, and has signaled enforcement priorities since well before the effective date.

Governor Stein's Executive Order No. 24, signed September 2, 2025, established the North Carolina AI Leadership Council, the NC AI Accelerator within NCDIT, and AI Oversight Teams in each state agency.11 The order primarily applies to state agencies, but the procurement reach is the part private businesses should know. If your business sells to, partners with, or supports any North Carolina state or local government entity, the AI governance, data-handling, and security requirements in EO 24 will start showing up in contract language and acquisition rules. The first wave of contract amendments is already in flight at NCDIT. If you have a state contract, expect AI-related riders in your next renewal.

Pending in the General Assembly: deepfake legislation continues to lead. The 2025 session saw an unprecedented number of AI bills introduced, none enacted before recess. The bills still in committee:

  • HB 934 (AI Regulatory Reform Act, 2025-2026 session): Would create a criminal offense for unlawful distribution of a deepfake to harass, extort, cause harm, or influence an election. Still in committee as of spring 2026.12
  • HB 375: Would create a new chapter covering AI and synthetic media, including election-related "materially deceptive media" definitions and civil enforcement.
  • HR 1177: A consumer protection AI bill of rights resolution.
  • Plus an unprecedented breadth of proposals covering healthcare AI, chatbot regulation, AI safety, workforce impacts, and education. The breadth indicates that broad AI regulation is a near-term legislative priority for the General Assembly, even if no single bill has been enacted yet.13

For Moore County and Southern Pines specifically: there is no county or municipal AI ordinance on the books or in proposal. Local regulation, if it comes, will come from Raleigh first. The existing North Carolina Unfair and Deceptive Trade Practices Act already applies to AI use that misleads consumers, regardless of whether a specific AI statute is enacted.

What a service business in NC should actually do this month

Five concrete steps. Reframed for the post-Colorado-rewrite reality.

1. Inventory what AI is making decisions about people in your business

Hiring screening, customer scoring, lead prioritization, automated quoting, pricing recommendations, fraud screening, dynamic insurance underwriting. Anything where the AI's output materially influences a decision you make about a specific person. Write down the system, the vendor, what data goes in, and what decision it informs. This is what every flavor of state AI regulation (old Colorado, new Colorado, the pending NC bills, the bills sitting in other state legislatures) is going to ask you to produce.

2. Reset expectations on Colorado

If you have Colorado customers and you were preparing for the June 30 enforcement deadline, two things changed. The deadline is gone, and the compliance regime that replaced it is lighter. You no longer need a written risk management policy or an annual impact assessment for Colorado. You do need a notice template, an explanation-of-adverse-decision process, and a path for consumers to request correction and human review. The new effective date is January 1, 2027. The vendor-questions homework you did under the old framework still applies. Most of it carries forward.

3. Check the NC HB 462 thresholds against your data

Count the number of unique North Carolina consumers whose personal data you control or process. Most service businesses are below the 35,000 threshold. Content sites, lead-gen operators, and SaaS tools cross it more often than their owners realize. If you cross either threshold (35,000 unique consumers, or 10,000 plus 20% of revenue from data sales), the privacy act has been enforceable since January 1, 2026.

4. If you sell to or contract with North Carolina government, prepare for EO 24 contract language

The next renewal cycle on any state or local government contract is going to surface AI riders. The conservative move is to have a one-page AI use policy ready to attach: which AI tools you use in delivering the contract, how data is handled, what the security posture is. Vendors that get ahead of this look professional. Vendors that wait for the procurement officer to ask read as unprepared.

5. Track the General Assembly's deepfake bills

HB 934 and HB 375 are the ones to watch. If your business does any AI-generated audio or video content (marketing voice-overs, AI-rendered explainer videos, AI-assisted social-media posts featuring identifiable people), the deepfake bills are going to define where the criminal line is. The piece on AI phone calls and TCPA liability covers the federal-and-FCC version of this same problem. The state criminal version is in the queue.

The recurring pattern after a month like the one Colorado just had: federal litigation moves faster than state legislatures, state legislatures move faster than federal regulators, and small businesses underestimate the state-level exposure because the headlines are federal. The five steps above take less than a day total. Doing them this month puts you ahead of most peers regardless of which way the litigation goes.

The honest assessment

If you are a 12-person service business in Moore County that does not sell into Colorado, does not process 35,000 NC consumers' data, and does not contract with state government, the legal exposure from these laws right now is low and just got lower. The reason to do the inventory anyway is that the NC bills working through the General Assembly will eventually define "ADMT" or "consequential decision" similarly enough to one of the live models that the work you do now carries forward.

The reverse case: if you do any work that involves AI making decisions about employment, housing, healthcare, or financial access (including for clients you serve), the exposure right now is lower than it looked a month ago, but the trajectory is unchanged. Colorado remains the leading edge of how the state AI regulation conversation evolves. The new model, narrower and transparency-focused, is what other states will draft against unless the federal court fight produces a different anchor.

The Bottom Line

  • Colorado SB 24-205, the law that was going to start enforcement June 30, was stayed by federal court on April 28, repealed and replaced by SB 26-189 on May 9, and the replacement was signed by Governor Polis on May 14. New effective date is January 1, 2027.
  • SB 26-189 drops risk management programs, annual impact assessments, and broad algorithmic discrimination duties. It substitutes consumer notice when ADMT is used in a consequential decision, post-adverse-outcome explanations, the right to correct inaccurate data, and the right to meaningful human review.
  • The DOJ's April 24 intervention in xAI v. Weiser is the first time the federal government has formally challenged a state AI law. The First Amendment and equal-protection theories being briefed will shape what other states pass.
  • North Carolina HB 462 (Personal Data Privacy Act) is unchanged, in effect since January 1, 2026. Thresholds: 35,000 NC consumers, or 10,000 plus 20% of revenue from data sales.
  • Stein's Executive Order 24 is unchanged. Expect AI riders in your next state-government contract renewal.
  • NC pending legislation (HB 934, HB 375, HR 1177) is unchanged, still in committee.
  • The five-step prep: inventory AI used in person-facing decisions, reset Colorado expectations, check NC HB 462 thresholds, prep EO 24 contract language if you sell to government, track HB 934 / HB 375 if you make AI-rendered media.

If you want a one-page inventory of where AI is making consequential decisions in your business, plus a read on which of these laws are likely to bite first, that is an hour of work I do with clients. The Colorado rewrite changed what the inventory needs to support, not whether you should have one. Connect on LinkedIn.

Keep reading: AI Phone Calls Can Cost You $1,500 Each If You Do Them Wrong covers the FCC TCPA side of automated decision-making liability. Your Small Business Is Already Running AI You Don't Know About covers the data-egress side. What "Cybersecurity" Actually Means for a Business Your Size covers the security baseline that the privacy laws expect on top.

Sources

  1. April 28, 2026 stay of enforcement. Per Colorado Politics, April 28, 2026 reporting Magistrate Judge Cyrus Y. Chung's approval of the joint stipulation in xAI v. Weiser.
  2. DOJ April 24 motion to intervene. Per Norton Rose Fulbright's case summary and Jenner & Block's client alert.
  3. SB 26-189 legislative passage, Senate 34-1 and House 57-6 on May 9, 2026. Per Nixon Peabody's alert and the Colorado General Assembly SB 26-189 bill page.
  4. Governor Polis signed SB 26-189 May 14, 2026; effective January 1, 2027. Per CBS Colorado, May 14, 2026 and Colorado Public Radio's coverage.
  5. ADMT framework replaces "high-risk AI system" framing. Per Troutman Pepper Locke's analysis and IAPP's coverage of the shift from risk to transparency.
  6. Provisions removed from the original SB 24-205. Per Ballard Spahr's Consumer Finance Monitor unpacking SB 26-189 and Clark Hill's key changes summary.
  7. New consumer-facing obligations: notice, explanation, correction, human review. Per Fisher Phillips's transparency framework guide.
  8. xAI First Amendment theory. Per HR Dive's coverage of the joint motion.
  9. DOJ intervention as first federal challenge to a state AI law. Per the Government Contractor Compliance & Regulatory Update and Baker McKenzie's Employer Report.
  10. NC HB 462 effective date January 1, 2026 and thresholds. Per the North Carolina General Assembly bill lookup and UNC SOG Legislative Reporting Service summary. NC DOJ public outreach began July 1, 2025.
  11. Executive Order 24 scope, procurement reach, and AI Council / Accelerator structure. Per the official EO 24 text, NCDIT's announcement, and PivIT Strategy's analysis of the procurement reach.
  12. HB 934 (AI Regulatory Reform Act) status and scope. Per the General Assembly bill text and TrackBill's status page.
  13. 2025 NC General Assembly AI bill activity. Per UNC School of Government's October 2025 AI law update and the Orrick AI Law Tracker for North Carolina.