TL;DR: Using AI in hiring triggers multiple overlapping laws: NYC LL144 (bias audit), Illinois AIVEA (video consent), FCRA (adverse action), EEOC (disparate impact), and Colorado SB 26-189 (eff. Jan 1, 2027). EU AI Act applies if you hire EU candidates. This guide maps each law to the specific action it requires.
AI hiring tools create compliance exposure at every layer: federal, state, local, and international. Small teams assume these rules apply only to enterprises running thousands of job requisitions. They don't. If you use any AI to screen, score, or rank candidates, even a resume filter or a video interview platform that claims to "analyze" responses, multiple laws already apply to you, right now.
This guide maps every major AI hiring law to the specific obligations it creates, with links to the detailed playbook for each.
The Law Map: What Applies to You
| Law | Jurisdiction | What triggers it | Key requirement | Effective |
|---|---|---|---|---|
| EEOC Title VII guidance | US Federal | Any AI hiring tool | No disparate impact on protected classes; audit your vendors | In force |
| FCRA | US Federal | AI tool using third-party data | Adverse action notice to candidate; disclosure | In force |
| NYC Local Law 144 | New York City | AEDT in hiring/promotion decisions | Annual bias audit by independent auditor; candidate notice | Jan 1, 2023 |
| Illinois AI Video Interview Act | Illinois | AI analyzes video interviews | Notify candidate; get consent; data retention limits | Jan 1, 2020 |
| Colorado SB 26-189 | Colorado | ADMT in employment decisions | Pre-use notice; explanation of adverse outcome; human review | Jan 1, 2027 |
| EU AI Act Annex III | EU / EEA | AI for recruitment affecting EU candidates | High-risk classification; fundamental rights impact assessment; human oversight | Dec 2, 2027 |
Most small teams are exposed to at least three of these simultaneously. A startup in Austin that posts remote jobs, uses an AI resume screener, and conducts video interviews with an AI-scoring feature is likely subject to EEOC, FCRA, NYC LL144 (if any candidate is NYC-based), and Illinois AIVEA (if any candidate is in Illinois), all at once.
EEOC Guidance: The Baseline That Applies to Everyone
The Equal Employment Opportunity Commission published guidance in 2023 making clear that Title VII applies to AI-powered hiring tools the same way it applies to human decisions. An AI tool that produces disparate impact on candidates based on race, sex, national origin, religion, or disability is illegal, regardless of whether the discrimination was intentional.
The critical employer responsibility: you are accountable for the tools your vendors build. If an AI resume screener systematically ranks women lower for engineering roles, the EEOC will look at the employer who deployed it, not just the software company that built it.
What this means in practice: before deploying any AI hiring tool, request the vendor's bias testing results. Ask which demographic groups were tested, what the adverse impact ratios were, and when the last audit was conducted. If a vendor can't produce this, that's your answer.
Full checklist: EEOC AI Hiring Guidance: Employer Checklist 2026
FCRA: When AI Pulls External Data
The Fair Credit Reporting Act applies whenever an AI hiring tool incorporates data from a third-party consumer reporting agency. Background check integrations, credit history pulls, social media screening tools that aggregate external data: all of these trigger FCRA obligations.
Under FCRA, if an AI-assisted decision produces an adverse action (rejection, withdrawal of offer, reduced role), the employer must:
- Provide the candidate a pre-adverse action notice with a copy of the consumer report
- Give the candidate time to dispute inaccuracies (typically 5 business days)
- Send a final adverse action notice after the waiting period
AI tools that automate this process end-to-end can also automate the compliance steps, but only if configured to do so. Out-of-the-box AI screening tools often skip the adverse action workflow unless specifically enabled.
Full checklist: FCRA and AI Hiring: The Disclosure Requirements Most Companies Miss
NYC Local Law 144: Bias Audits Are Now Mandatory
New York City's Local Law 144, effective January 1, 2023, requires employers and employment agencies to conduct an annual bias audit of any automated employment decision tool (AEDT) before deploying it for candidates or employees in New York City. The audit must be conducted by an independent third party (not the vendor), and the results must be published on the employer's website.
Key details that trip up small teams:
- Scope: Applies to any employer using an AEDT to "substantially assist or replace discretionary decision-making." This includes resume scoring, candidate ranking, and video analysis tools.
- Geography: Applies if you are making hiring decisions for NYC-based roles or have NYC-based employees being evaluated for promotions. Remote-first companies with NYC employees are covered.
- Candidate notice: Candidates must be notified at least 10 business days before the AEDT is used to evaluate them. They must be offered an alternative, non-AI process upon request.
- Penalties: $375/day for a first violation, $1,500/day for subsequent violations, with a 30-day cure period after notice.
The biggest practical problem: most bias audit vendors serve large enterprise clients. Small teams often can't get an audit done independently, they have to rely on the audit the tool vendor commissioned and published. Verify the auditor is truly independent (not a sister company or contracted consultant).
Full guide: NYC Local Law 144 AI Bias Audit: Employer Guide 2026
Illinois AI Video Interview Act: Consent Before Analysis
Illinois passed its AI Video Interview Act (AIVEA) effective January 1, 2020, making it one of the earliest AI-specific employment laws in the US. It applies when any employer uses an AI system to analyze video interviews of candidates.
Three requirements, all mandatory before the AI runs:
- Notice: Inform candidates before the interview that AI will analyze their video responses.
- Consent: Obtain explicit consent from the candidate. If the candidate refuses, the employer cannot use the AI analysis but can still conduct the interview without AI scoring.
- Data deletion: Destroy the video and any AI-generated analysis within 30 days of a candidate request, or within 30 days of the employer's final hiring decision for the role.
The law applies based on where the candidate is located, not where the employer is. Any Illinois resident interviewing for any role, remote or in-person, with an Illinois or non-Illinois employer, gets these protections.
Full guide: Illinois AI Employment Disclosure Law 2026
Colorado SB 26-189: The Next Major Deadline
Colorado Governor Polis signed SB 26-189 on May 14, 2026. It takes effect January 1, 2027, replacing Colorado's earlier AI law (SB24-205) with a narrower but clearer statute focused on automated decision-making technology (ADMT) in consequential decisions.
Employment decisions (hiring, firing, promotion, and compensation determinations) fall squarely within the law's scope. Employers who deploy ADMT for these decisions must:
- Pre-use notice: Tell employees and applicants that ADMT is being used before the decision is made
- Explanation on request: Provide a meaningful explanation of any adverse outcome within 30 days of a candidate request
- Human review path: Ensure candidates can request a human review of decisions made using ADMT
- Developer documentation: If you are using a third-party tool, obtain the developer's technical documentation showing how the system works and what populations it was tested on
The January 1, 2027 deadline gives teams roughly six months from publication of this guide to get compliant. For teams hiring in Colorado, this is the most urgent upcoming change.
Full guide: Colorado SB 26-189 AI Law: Employer Guide 2027
EU AI Act: The International Layer
If your hiring process reaches EU-based candidates, the EU AI Act's Annex III classification applies. AI systems used for recruitment, selection, and promotion decisions are explicitly listed as high-risk AI systems.
As an employer using a third-party AI hiring tool, you are the "deployer" under the EU AI Act. Deployer obligations for high-risk AI systems include:
- Conducting a fundamental rights impact assessment before deployment
- Implementing human oversight mechanisms
- Maintaining logs of system use
- Providing transparency to affected individuals
The effective date for high-risk AI system obligations is December 2, 2027. That gives teams roughly 18 months, but the assessment and documentation work takes longer than most teams expect.
Full guide: EU AI Act Compliance for Small Teams
Vendor Liability: The Workday Warning
The ongoing class action Mobley v. Workday (filed 2023) alleges that Workday's AI screening tools discriminate against older workers, Black applicants, and disabled applicants. The case names Workday as a defendant but also creates pressure on the employers who deployed those tools.
The legal theory matters for small teams: using a vendor's AI hiring tool does not fully transfer liability to the vendor. Courts and regulators increasingly treat the deploying employer as jointly responsible, particularly if the employer did not conduct due diligence on bias testing or failed to maintain a human oversight mechanism.
Before deploying any AI hiring tool: request bias audit reports, review the DPA and indemnification terms, and document your due diligence process. If the vendor can't produce third-party audit results, that documentation gap becomes your liability gap.
Vendor vetting checklist: AI Vendor Due Diligence Checklist 2026
What Small Teams Must Do Now
-
Map your AI touchpoints: List every tool in your hiring funnel that uses AI: ATS ranking, resume scoring, video analysis, skills assessments, reference check tools. Most teams discover they have more AI exposure than they realized.
-
Check NYC exposure: If any open role could be filled by a NYC-based candidate, or if any current NYC employees are evaluated by AI for promotions, NYC LL144 applies. Commission or obtain a bias audit before the next use.
-
Check Illinois video exposure: If any video interview platform you use scores or analyzes responses using AI, Illinois AIVEA notice and consent requirements apply to all Illinois candidates immediately.
-
Request vendor documentation: For every AI hiring tool, request (a) bias audit results from an independent auditor, (b) the Data Processing Agreement, and (c) an explanation of which demographic groups were tested. Log the date and what you received.
-
Start Colorado prep: If you hire Colorado candidates, build your SB 26-189 compliance process now. The January 1, 2027 deadline is close enough to require action in Q3 2026. Focus on pre-use notices and the adverse-outcome explanation mechanism first.
-
Flag EU candidate exposure: If your hiring process is open to EU residents, schedule a fundamental rights impact assessment for any AI hiring tools. December 2, 2027 is the hard deadline, but the assessment itself needs 3-6 months of lead time for most teams.
Related Reading
- EEOC AI Hiring Guidance: Employer Checklist 2026
- FCRA and AI Hiring: Disclosure Requirements
- NYC Local Law 144 AI Bias Audit: Employer Guide
- Illinois AI Employment Disclosure Law 2026
- Colorado SB 26-189 AI Law: Employer Guide
- Workday AI Lawsuit: HR Screening Checklist
- BIPA and AI Hiring: Biometric Data Rules
- AI Vendor Due Diligence Checklist 2026
- EU AI Act Compliance for Small Teams
- Meta MCI Keystroke Tracking: What Employee AI Monitoring Policies Must Say
