Colorado's progressive right-to-repair law, which took effect in January 2026, faced its first serious challenge in April 2026 when state legislators introduced a bill intended to carve out broad exceptions for so-called critical infrastructure. That bill, SB26-090, ultimately failed after a tense hearing in the Colorado House's State, Civic, Military, and Veterans Affairs Committee, where it was defeated by a 7-4 vote and classified as postponed indefinitely.
The Consumer Right to Repair Digital Electronic Equipment, passed in 2024, was celebrated by consumer advocates across the nation. It mandated that manufacturers of digital electronics—including smartphones, laptops, Wi-Fi routers, and other common devices—provide consumers and independent repair shops with access to the necessary tools, parts, and documentation to perform repairs. The law was designed to combat planned obsolescence, reduce electronic waste, and give users more control over their devices. However, from the moment it was signed, large technology companies with significant interests in Colorado began strategizing ways to weaken its provisions.
The Bill and Its Supporters
SB26-090 was introduced during a Colorado Senate hearing on April 2, 2026, with backing from prominent tech firms such as Cisco and IBM. The bill proposed an exception for devices deemed part of 'critical infrastructure.' The term was intentionally left vague, raising concerns among right-to-repair advocates that it could be applied to almost any technology—from home internet routers to medical devices. The argument put forward by supporters was straightforward: requiring companies to share repair tools and secrets with the public would create a cybersecurity risk. If malicious actors could obtain the same documentation as legitimate repair technicians, they might reverse-engineer critical systems, creating vulnerabilities that could be exploited at scale.
The bill moved quickly through the Senate. It passed a hearing on April 2 unanimously, then cleared the full Senate on April 16. At that point, it appeared destined for easy passage in the House as well. But the tide turned when the bill reached the House committee. The hearing on Monday evening (April 27) was long and contentious, delayed several hours, and featured dozens of public comments from both supporters and detractors. Representative Chad Clifford, the House committee's vice chair and a prime sponsor of the bill, repeatedly cited cybersecurity concerns. In a notable moment, he referenced Cloudflare's use of a wall of lava lamps to randomize internet encryption as an example of why some security measures must remain secret.
'I don't know why anybody has to have lava lamps on a wall to keep the Chinese from getting into a network, but it's what they came up with that worked,' Clifford said. 'How they do that, I believe they should be able to keep it secret, even in Colorado.'
The Opposition's Counterarguments
Cybersecurity experts testifying against the bill dismantled the security argument. White hat hacker Billy Rios told the committee, 'There is no time. It doesn't work that way.' He explained that the vast majority of cyberattacks are not carried out by physically tampering with hardware through replacement parts; they are remote hacks executed in real time. Defenders of networks need the ability to patch vulnerabilities rapidly, often without waiting for manufacturer approval. Restricting access to repair tools, Rios argued, would actually hamper cybersecurity by preventing independent researchers and system administrators from making necessary changes.
Repair advocates from organizations such as PIRG, Repair.org, iFixit, Consumer Reports, and local groups like Blue Star Recyclers and Environment Colorado also testified. Danny Katz, executive director of CoPIRG, called the battle a group effort. In a statement after the hearing, he wrote: 'While we were making progress at chipping away at the momentum for it, we had still been losing. So, we took nothing for granted, and I believe the incredible testimony from the broad range of cybersecurity experts, businesses, repair advocates, recyclers, and people who want the freedom to fix their stuff made a big difference.'
Economic arguments also came into play. Representative Clifford warned that large tech companies might simply stop selling certain products in Colorado if forced to comply with the existing repair law. 'They're not going to comply and give away the keys to their kingdom for the things that are securing billions of dollars of interest for their customers over the law that we passed,' he said. 'What they're going to do is just not have commerce on those items here.' But that threat did not sway the committee. Representative Naquetta Ricks, who voted no, summed up the doubt: 'What are we really trying to do here? Are we protecting just one company, or are we looking at really critical infrastructure? I'm not convinced.'
Broader Implications
The defeat of SB26-090 is a significant win for the right-to-repair movement, which has gained momentum in recent years. Colorado's law was already considered a landmark, and attempts to weaken it were seen as a bellwether for how tech companies might try to dismantle similar legislation across the United States. While the bill failed in Colorado, Nathan Proctor, senior director of US PIRG's Campaign for the Right to Repair, expects lobbying efforts to continue both in the state and nationwide. 'The fact of the matter is, unfixable stuff is everywhere,' Proctor wrote. 'This is a widespread problem, and it requires a widespread response.'
Other states have already passed or are considering repair laws. Iowa, for example, adopted its own right-to-repair legislation in early 2026, and several more states have introduced bills. The fight is far from over. Tech companies like Cisco, which has deep ties to Colorado's economy, have substantial resources to influence policy, and they are unlikely to abandon efforts to limit repair access. The cybersecurity debate will also continue, as defenders of the status quo refine their arguments. However, the Colorado committee's rejection of a broad, vaguely defined exception sets an important precedent: lawmakers are not easily swayed by security rhetoric alone, especially when independent experts refute the claims.
The hearing left many participants exhausted but hopeful. For the moment, Colorado's right-to-repair law remains intact, ensuring that consumers and small repair businesses retain access to the tools and knowledge needed to fix their own devices. The movement's supporters know they must remain vigilant, as the next attack could come in a different form—perhaps a narrower exception, a reinterpretation of the law, or a federal preemption effort. But the victory in Colorado demonstrates that grassroots advocacy, combined with credible expert testimony, can overcome deep-pocketed opposition.
Source: Ars Technica News