Colorado’s landmark 2024 repair law, the Consumer Right to Repair Digital Electronic Equipment, went into effect in January 2026 and ensures access to the tools and documentation people need to modify and repair digital electronic devices such as phones, computers, and Wi-Fi routers. The new bill, SB26-090, would have created an exception to those repair protections for “critical infrastructure,” a loosely defined term that reform advocates fear could apply to almost any technology.
SB26-090 was introduced during a Colorado Senate hearing on April 2 and was supported by lobbying efforts from companies like Cisco and IBM. That session passed unanimously. The bill was then approved in the Colorado Senate on April 16. On Monday evening, the bill was debated in a long and late hearing in the Colorado House of Representatives’ State, Civil, Military and Veterans Affairs Committee. Dozens of supporters and critics made public comments. Finally, the bill was rejected by a vote of 7 to 4 and classified as postponed indefinitely.
Danny Katz, executive director of local consumer advocacy group CoPIRG, says the fight has been a team effort. A group of reform advocates from organizations such as PIRG, Repair.org, iFixit, Consumer Reports, and local businesses and environmental groups such as Blue Star Recyclers, Recycle Colorado, Environment Colorado, and GreenLatinos spoke against the bill.
“While we were making progress in reducing momentum, we were still losing,” Katz wrote in an email to WIRED after the hearing. “So, we didn’t take anything for granted, and I think the amazing testimony from a wide range of cybersecurity experts, businesses, repair advocates, recyclers, and people who want the freedom to fix their stuff has made a huge difference.”
Supporters of the bill, backed by companies like Cisco, had cited the potential for cybersecurity risks as their motivation for changing the language of the law. The theory goes that if companies are required to make repair tools available to anyone, what’s to stop bad actors from using those tools to reverse engineer critical technology like Internet routers? They assumed that blocking these tools would make them less available to hackers who might misuse them. Supporters of the bill said companies should be allowed to keep their secrets if they ensure security, although that argument begins to fall apart with little scrutiny.
At one point in the hearing, Democrat Chad Clifford, a Colorado state representative and vice chairman of the House committee who was also a lead sponsor of the bill, made what appeared to be a reference to Cloudflare’s very public use of a wall of lava lamps to help encrypt the internet indiscriminately, citing it as an example of the need for sensitive systems to be obfuscated to be secure.
“I don’t know why anyone would have to put lava lamps on the wall to keep the Chinese from getting into the network, but that’s what they came up with and it worked,” Clifford said. “How they do it, I think they should be able to keep it a secret, even in Colorado.”
The problem with this argument, as cybersecurity experts pointed out during the hearing, is that the vast majority of hacks are not carried out via spare parts or by disassembling individual devices. They are remote hacks, where the attacker makes changes in real time, and the defending people have to make changes quickly without worrying about getting permission from the company that makes the equipment.
