On June 30, 2026 — 43 days from now — Colorado SB 24-205 becomes the first comprehensive state AI law in the United States. Five weeks after that, on August 2, the EU AI Act's full set of obligations becomes enforceable across every business that touches a European customer. Civil penalties under the Colorado law reach $20,000 per violation. Under the EU AI Act, fines run up to 7% of global annual revenue.
If you read those numbers and felt a familiar knot of "I should probably do something about this," you're not alone. According to a 2026 SBA survey, only 14% of small businesses have a written AI policy. Most are using ChatGPT, Copilot, Gemini, and dozens of unmanaged free tools with zero documentation, zero risk assessment, and zero idea whether they're a "deployer" of a "high-risk AI system" under the new rules.
Here's the good news: compliance isn't actually that hard. The bad news: there's a plot twist in Colorado that the breathless headlines aren't telling you, and the EU rules apply whether your business is in Boulder, Boise, or Brooklyn. Let's untangle it.
The 60-Second Version of What's Happening
Two laws. Two deadlines. Different scope. Here's the honest map.
| | Colorado AI Act (SB 24-205) | EU AI Act |
|---|---|---|
| Effective Date | June 30, 2026 | August 2, 2026 (full GPAI + governance rules) |
| Who It Covers | Anyone doing business in CO using "high-risk" AI for consequential decisions | Any company whose AI output is used in the EU (placement OR use) |
| Small Business Carve-Out | Partial (under 50 employees) — but easy to lose | None for "general purpose AI" deployment obligations |
| Max Penalty | $20,000 per violation (more for elderly consumers) | Up to 7% of global revenue for prohibited AI; 3% for other violations |
| Enforcer | CO Attorney General (exclusive) | EU member-state AI authorities + EU AI Office |
| Current Status | Partial enforcement freeze (see below) | Fully in force August 2 |
The Colorado Plot Twist Most Owners Haven't Heard
On April 27, 2026, a federal magistrate granted a joint motion from xAI and the Colorado Attorney General that effectively pauses enforcement against certain general-purpose AI providers while a constitutional challenge plays out. Several outlets ran with "Colorado AI law on hold" headlines. That's misleading.
The law itself is not delayed. The deadline is still June 30. What's frozen is enforcement against one specific category of company: the general-purpose AI providers behind that challenge. Your business — if you're a "deployer" using AI for consequential decisions in employment, lending, housing, healthcare, education, government services, or insurance — is still on the hook. And the law explicitly says the AG can bring civil actions for violations of the Colorado Consumer Protection Act.
What Actually Counts as "High-Risk" AI for a Small Business
The phrase "high-risk AI system" sounds like something only Boeing has to worry about. It isn't. Under Colorado's rules, an AI system is high-risk if it's a substantial factor in a consequential decision. Let's translate that to plain SMB English. You're probably deploying high-risk AI if you use a tool that:
- Screens, ranks, or rejects job applicants — including any ATS plug-in or "AI resume scorer"
- Sets credit, lending, or insurance terms — including AI-assisted underwriting in mortgages, lines of credit, or commercial insurance
- Allocates housing — tenant screening tools, rental scoring
- Makes or recommends healthcare or educational placement decisions
- Influences pricing or service availability in a way tied to protected classes — intentional or not
You're not deploying high-risk AI when you use ChatGPT to draft a marketing email, summarize a meeting transcript, build a spreadsheet formula, or rewrite a job description. The line isn't "are you using AI." It's "is AI deciding something material about a specific person."
The 6-Step Compliance Sprint (You Can Do This in a Weekend)
Compliance isn't a six-figure consulting engagement. For most small businesses, it's an afternoon, a spreadsheet, and a Tuesday morning standup. Here's the sprint.
Step 1. Inventory every AI tool your team is actually using
Not the ones IT bought — the ones people are using. ChatGPT free accounts on personal logins. Claude.ai. Gemini in Workspace. AI features baked into your CRM, your scheduler, your accounting tool. Walk the office (or the Slack channels). Write them all down with name, who uses it, and what for.
Step 2. Tier each tool by risk
Three buckets: Green (drafting, summarizing, brainstorming — no decisions about specific people), Yellow (tools that touch customer or employee data but a human reviews the output), Red (tools that screen, score, price, or place real people). Anything Red is in scope for both Colorado and the EU AI Act.
Step 3. Replace consumer AI with enterprise AI for anything Yellow or Red
This is the single highest-leverage move you can make. Consumer ChatGPT, Claude, and Gemini accounts train on your data by default in many configurations. ChatGPT Business doesn't — it gives you SOC 2 Type 2, data residency options, SSO, MFA, audit logs, and a BAA on request. That's most of what both laws ask you to demonstrate.
Step 4. Write a one-page AI policy
Yes, one page. It needs four things: what tools are approved, what data can go into them, who's accountable, and what triggers a human review. Our adoption checklist has a template you can copy.
Step 5. For any Red-tier tool, document an impact assessment
Colorado requires an annual impact assessment for high-risk systems. The EU AI Act requires similar documentation for deployers. Both can be the same one-page document for an SMB: what's the system, what decisions does it make, who's affected, what testing did you do, how do consumers appeal? Write it. File it. Update it once a year.
Step 6. Add the consumer-facing notices
If you use AI to make a consequential decision about a Colorado resident or an EU citizen, you owe them a notice before the decision and an explanation if it goes against them. A two-sentence disclosure on your application page and a templated "you have the right to appeal" email covers most cases.
Why ChatGPT Business Is Specifically Built for This
I'm an authorized OpenAI partner, so take this with the appropriate grain of salt — but here's the structural reason ChatGPT Business is the path of least resistance for compliance, not just because of the brand:
- Data isolation: Your conversations and uploads are never used to train OpenAI models. That single fact eliminates the most common cross-state and cross-border data-handling question.
- SOC 2 Type 2 and CSA STAR: Both compliance regimes accept these as evidence of "reasonable care."
- SSO + MFA + audit logs: Required for any tool touching consequential decisions. Free ChatGPT doesn't have them.
- Workspace controls: Admins can disable specific features, restrict data sources, and pull a full activity log on demand — which is exactly what an impact assessment needs.
- HIPAA BAA available: Critical for any healthcare-adjacent business. See our healthcare HIPAA guide.
At $25/user/month (monthly) or $20/user/month (annual), it's roughly the same price as the free-AI tools your team is already using on shadow accounts — except those shadow accounts are the actual compliance problem. Replacing them is the cheapest, fastest move on the board.
The 2026 Pattern: Compliance Is a Wedge, Not a Cost
Here's what most pundits get wrong. They treat the Colorado AI Act and the EU AI Act as costs — new red tape that drags on innovation. For a prepared small business, they're the opposite: a wedge.
The 92% of Fortune 500 companies already on ChatGPT Enterprise are way ahead of you on documentation and controls. But that's not who your customers compare you to. They compare you to the local competitor down the street — the one whose team is still pasting client data into a free ChatGPT account and whose owner has never heard of an impact assessment. When the AG opens an investigation, when a vendor questionnaire asks "do you have an AI governance policy," when a referral source asks "are you HIPAA-safe with AI," that is when your compliance work pays back.
The boring spreadsheet inventory you do this weekend is also a sales asset by next month.
What to Do This Week
- Block one hour Friday. Walk the office or DM the team. Get the actual list of every AI tool in use.
- Tier the list Green / Yellow / Red. If anything Red is on a free account, that's your top priority.
- Move Yellow and Red tools to ChatGPT Business. Start with 3-5 seats. Setup takes 15 minutes.
- Draft the one-page AI policy. Steal from our checklist. Have your team sign it.
- For any Red-tier tool, write the impact assessment. One page. File it. Calendar a reminder for next year.
- Add the consumer notice. Two sentences on the relevant application page. Done.
You can be in better shape than 90% of your competitors by next Tuesday. The deadline is real, but the work is small. The cost of doing nothing is the gamble — and that gamble keeps getting more expensive as the EU and 13+ U.S. states stack new rules behind Colorado.
Frequently Asked Questions
Does the Colorado AI Act apply to my business if I'm not based in Colorado?
Possibly. The law applies to any "deployer" doing business in Colorado that uses a high-risk AI system to make consequential decisions affecting a Colorado resident. If you have Colorado customers, employees, or applicants — even if your office is elsewhere — you're in scope. The same logic applies to the EU AI Act for any EU resident.
Is the Colorado AI Act on hold because of the xAI case?
No. A federal magistrate granted a joint motion that effectively paused enforcement against certain general-purpose AI providers (specifically xAI in that case) while a constitutional challenge proceeds. The law itself is not delayed, and the June 30, 2026 effective date stands. Deployers using high-risk AI in consequential decisions remain subject to the law's duties and to potential AG enforcement.
Does the small-business exemption cover my company?
Partially. Businesses with under 50 employees can qualify for a deployer exemption only if they meet four conditions: (1) they don't use their own data to train or fine-tune the AI, (2) they use the system only for its intended uses, (3) the system keeps learning only from non-proprietary sources, and (4) they make the developer's impact assessment available to consumers. Fine-tuning a model with proprietary customer data is the most common way SMBs accidentally lose the exemption. And even exempt deployers still owe duties of reasonable care, pre-decision notices, adverse-action explanations, consumer appeal rights, and AG notification of algorithmic discrimination.
What are the penalties?
Violations of the Colorado AI Act are treated as violations of the Colorado Consumer Protection Act, which allows civil penalties of up to $20,000 per violation — with higher penalties when the affected consumer is elderly. The Colorado AG has exclusive enforcement authority. The EU AI Act stacks higher: up to 7% of global annual revenue for prohibited AI practices, and up to 3% for most other violations, enforced by EU member-state authorities and the EU AI Office.
Does ChatGPT Business make me compliant on its own?
ChatGPT Business gives you the technical and contractual building blocks: data isolation, SOC 2 Type 2, SSO, MFA, audit logs, BAA on request, and an admin workspace your governance team can actually administer. It doesn't replace your obligation to write an AI policy, do an impact assessment for high-risk uses, post consumer notices, and handle appeals — but it makes every one of those steps much shorter than starting from a tangle of free consumer accounts. See our full privacy and security breakdown.
43 Days Isn't Much. Spend One Hour With Us First.
ElevaIQ.com is an authorized OpenAI SMB Channel Partner. We help small businesses move from shadow AI accounts to a documented, compliant ChatGPT Business deployment — at the same $25/user/month as buying direct, with onboarding, policy templates, and a named advisor included.
About ElevaIQ.com: We help small and medium-sized businesses implement and optimize ChatGPT Business, ChatGPT Enterprise, and the OpenAI API. This article is general guidance, not legal advice — consult counsel for decisions specific to your business.