If you used an AI resume screener, automated video interview platform, or algorithmic skills test to filter a single New York City job applicant in the past twelve months — and you cannot point to an independent bias audit, a public audit summary on your website, and a ten-business-day candidate notice — you are out of compliance. Until recently, that was a paper risk. After a stinging December 2025 audit of the New York City Department of Consumer and Worker Protection's enforcement record, it is becoming a real one.
Local Law 144 has been on the books since January 2023. For three years it was widely viewed as toothless: the NYC State Comptroller found that only one violation was identified across a sample of thirty-two surveyed companies during the July 2023 through June 2025 enforcement window, while the Comptroller's own auditors flagged at least seventeen potential violations across the same employers. That mismatch is now driving the DCWP toward a more rigorous 2026 enforcement posture — and it lands on top of a fast-spreading patchwork of state hiring AI laws that took effect on January 1, 2026.
This guide walks through what Local Law 144 actually requires, what changed in the enforcement landscape this year, and how to coordinate compliance across New York City, Illinois, California, Colorado, and Maryland without rebuilding your applicant tracking system from scratch.
What Counts as an Automated Employment Decision Tool
Local Law 144 applies to any "automated employment decision tool" — abbreviated AEDT — that an employer or employment agency uses to substantially assist or replace discretionary decision-making for hiring or promotion of a New York City resident.
The definition is broader than most employers initially assume. The DCWP rules cover:
- Resume parsers and ATS scoring engines that rank, score, or filter candidates above or below a threshold
- Algorithmic video interview platforms that score body language, tone, or word choice
- Personality and cognitive assessments that produce a quantitative score used to advance or reject candidates
- Predictive skills tests that benchmark candidates against a model of high performers
- Chatbots and screening agents that triage candidates into "qualified" and "not qualified" buckets
A tool counts as "substantially assisting" decision-making if it produces a score, classification, or recommendation that an employer relies on more heavily than any other criterion, or if it is the only input in a particular step of the funnel. A human still being in the loop does not exempt the tool — the question is whether the AEDT output meaningfully shapes the human's decision.
If you are running any of these tools for candidates who live or work in New York City, you are within scope regardless of where your company is headquartered. Remote-first and out-of-state employers are not exempt.
The Three Core Compliance Obligations
The law has three pillars. Skip any one and you are in violation.
1. An Independent Bias Audit Within the Last Twelve Months
Before you use an AEDT — and at least once every twelve months thereafter — an independent auditor must conduct a bias audit. The auditor cannot be the vendor that built the tool, cannot have a financial interest in continued use of the tool, and cannot have been involved in developing or operating the AEDT for your company.
The audit must calculate two metrics:
- Selection rate — the percentage of candidates in a demographic category who were selected, advanced, or scored above a threshold
- Scoring rate — the percentage of candidates in a demographic category who received a score above the sample median
For each metric, the auditor calculates an impact ratio by dividing each category's rate by the highest-scoring category's rate. An impact ratio below 0.80 — the EEOC's long-standing "four-fifths rule" for adverse impact — is a red flag that the tool may produce a discriminatory outcome.
The audit must cover three dimensions at minimum:
- Sex categories
- Race and ethnicity categories
- Intersectional categories combining sex with race or ethnicity
If the data available for a category is statistically insufficient, the auditor must say so explicitly in the report rather than omit the category. "Unknown" or "missing demographic data" is not a get-out-of-jail-free card — auditors are expected to document the gap.
2. A Public Summary of the Bias Audit Results
You must publish a summary of the most recent bias audit on the public-facing section of your employment website. The summary must include:
- The date of the audit
- The date the AEDT was first used (or when you first sourced it)
- The selection or scoring rates and impact ratios for each demographic category covered
- A distinctive, direct link to the audit summary that a candidate can find without logging in
A buried PDF on a careers FAQ does not satisfy the law. The DCWP expects the link to be conspicuous enough that a candidate can reasonably find it before applying. If you use multiple AEDTs across different roles, you may need multiple audit summaries.
3. Ten Business Days of Candidate Notice
For every individual candidate who lives in New York City, you must provide at least ten business days of advance notice before the AEDT is used to evaluate them. The notice must include:
- An explicit statement that an automated tool will be used
- A description of the job qualifications and characteristics the tool will evaluate
- Instructions for requesting an alternative selection process or a reasonable accommodation
- A clear path for the candidate to request information about the data the tool collects, its source, and the data retention policy (which you must provide within thirty days of a written request, if not already on your website)
The notice can be embedded in the job posting, sent by email after the candidate applies, or included in a separate written communication — as long as it precedes the AEDT evaluation by ten business days. A notice attached to a rejection email after the tool already ran is not compliant.
What Changed in 2026: Enforcement Just Got Teeth
For most of 2023 through 2025, the DCWP enforced Local Law 144 almost entirely through complaint-driven action. With only two complaints received during the entire two-year audit window, almost no penalties were issued. Many employers — and many AEDT vendors — concluded that the law could be safely ignored.
The December 2, 2025 New York State Comptroller's audit changed that calculation. The audit findings, in plain terms:
- Seventy-five percent of test calls to NYC's 311 hotline about AEDT issues were misrouted and never reached the DCWP
- The DCWP surveyed thirty-two companies and identified only one instance of non-compliance, while the Comptroller's own auditors reviewing the same companies identified at least seventeen potential violations
- The DCWP's reviews of publicly posted bias audits were "superficial" and did not follow formal procedures developed jointly with the NYC Office of Technology and Innovation
- The DCWP had not undertaken proactive, market-sweep enforcement against employers known to use AEDTs
The DCWP's response was to commit to a more rigorous enforcement program for 2026. Expect:
- Routine sweeps of high-profile employer career pages to verify posted bias audit summaries
- Proactive notice-of-violation letters when public summaries are absent or stale
- More aggressive use of statutory penalties — $500 for an initial violation, and $1,500 per day for each continuing violation, with each candidate evaluation potentially counted as a separate violation
For a company running an AEDT for thirty days without a current bias audit, exposure can easily reach $15,000 to $45,000 per tool, per month, before per-candidate multipliers kick in. For high-volume employers with multiple AEDTs, the cumulative number can run into six figures quickly.
Documenting an Audit-Defensible Compliance Program
The DCWP's 2026 enforcement posture is making employers focus on what an audit-defensible compliance program actually looks like. The core elements:
An AEDT inventory. Maintain a written list of every algorithmic tool used in any hiring or promotion decision, including the vendor, the version, the date of deployment, the role categories covered, and the date of the most recent bias audit. Update it quarterly. If the DCWP requests records, this list should be available within twenty-four hours.
A vendor management process. Bake AEDT compliance into your procurement contracts. Require vendors to provide annual bias audit reports, indemnify you against vendor non-compliance, and notify you when they materially change the underlying model. If a vendor cannot or will not provide audit data, that is a procurement-stage signal that the relationship is not viable.
Independent auditor selection. The auditor cannot be the vendor, an affiliate of the vendor, or a firm that derives any portion of its revenue from designing or operating AEDTs for your company. Many employers use industrial-organizational psychology firms, specialized algorithmic audit firms, or large public accounting firms with dedicated practices. Document the independence determination in writing.
Candidate notice mechanics. Standardize the notice text across job postings and ensure it is sent automatically when a candidate applies. The notice should be timestamped and stored in your ATS or audit log. If a candidate requests an alternative process or accommodation, document the request and response.
Bias audit summary publication. Post each audit summary in a consistent, discoverable location on your careers page. Many employers create a dedicated /careers/ai-bias-audits/ directory. Include the audit date, the AEDT vendor and version, the demographic categories analyzed, and the impact ratios. A clean, transparent posting is itself a deterrent against complaint-driven enforcement.
Audit cadence and renewal. Set calendar reminders for ninety days before the twelve-month audit anniversary. The audit takes longer than most employers expect — typically four to eight weeks once the auditor has the demographic and outcome data — and last-minute scrambling is a common failure mode.
The Spreading State Patchwork
Local Law 144 is no longer the only AI hiring law that matters. As of January 1, 2026, multi-state employers face a layered compliance landscape:
Illinois HB 3773 — Effective January 1, 2026
Illinois made it a civil rights violation under the Illinois Human Rights Act for an employer to use AI in a manner that produces a discriminatory effect on the basis of any protected characteristic. The law applies to recruitment, hiring, promotion, discipline, discharge, and the terms and conditions of employment. Employers must also provide advance written notice when AI is used for any of these purposes.
The Illinois Department of Human Rights has issued draft rules clarifying the notice requirements, including the content elements and the time before AI use that the notice must be delivered. The earlier 2019 Illinois AI Video Interview Act remains in force — it requires applicant consent before AI is used to evaluate video interviews and imposes demographic reporting obligations on employers that rely solely on AI scoring to advance candidates.
California ADMT Regulations — Effective January 1, 2026
The California Privacy Protection Agency's Automated Decision-Making Technology regulations took effect on January 1, 2026 under the CCPA framework. Employers using ADMT for "significant decisions" — which include hiring, promotion, termination, and compensation — must provide pre-use notice, conduct risk assessments, and offer access and opt-out rights. California's amended Fair Employment and Housing Act also elevates anti-bias testing and proactive monitoring as central evidence in discrimination investigations.
Colorado SB24-205 — Effective February 1, 2026 (Originally), Amended by HB25-1709
Colorado's Artificial Intelligence Act requires deployers and developers of "high-risk" AI systems — including those used to make consequential decisions about employment — to use reasonable care to avoid algorithmic discrimination. Employers must conduct annual impact assessments, provide pre-decision notice, and provide a right to correct and appeal adverse decisions. The 2025 amendments adjusted scope and timing but did not eliminate the core obligations.
Maryland HB 1202
Maryland prohibits employers from using facial recognition technology in job interviews without the applicant's written consent. This is narrower than the NYC, Illinois, or California regimes but creates a separate documentation obligation for any video-based interview platform with facial analysis features.
EEOC Title VII Technical Assistance
In May 2023, the EEOC published a Technical Assistance Document on the application of Title VII to AI in employment selection procedures. The TAD adopts the same four-fifths rule used in Local Law 144 and confirms that disparate impact liability applies to algorithmic tools just as it applies to traditional selection procedures. Federal disparate impact claims do not require any state or local AEDT statute as a hook — they can be brought directly under Title VII.
How to Operationalize the Patchwork Without Going Insane
Most mid-size employers cannot maintain five separate AEDT compliance programs. The practical approach is to design a single program around the strictest standard and then document the jurisdiction-specific deltas:
-
Use NYC Local Law 144 as the baseline. Its bias audit, public summary, and candidate notice requirements are the most prescriptive, and complying with them generally satisfies the Illinois notice rule and California's ADMT pre-use notice requirement.
-
Add Colorado's risk assessment language. Even if you do not have Colorado applicants, the impact assessment framework — purpose, intended outputs, data sources, and risk mitigation — is a strong defensive document for Title VII disparate impact claims.
-
Layer Illinois AI Video Interview Act consent on top of any video tool. If you use HireVue, Modern Hire, or any platform that scores recorded video, get explicit applicant consent and follow the demographic reporting rules.
-
Carve out Maryland facial recognition. Disable facial recognition features in video interview tools for Maryland candidates, or capture written consent before the interview.
-
Treat the EEOC TAD as your federal floor. Whatever AEDT you use, run a four-fifths-rule analysis on your own data periodically. State and local laws will come and go; Title VII will not.
Why Bookkeeping and Recordkeeping Matter Here
The thread connecting every one of these laws is documentation. Bias audits are documentation. Candidate notices are documentation. Risk assessments are documentation. Vendor independence determinations are documentation. When the DCWP, the Illinois Department of Human Rights, or the EEOC comes knocking, the question is never whether the tool was perfect — it is whether you can produce a clean, dated, version-controlled record of your compliance choices.
Many employers underestimate the bookkeeping overhead of running an AEDT compliance program. The candidate notice log alone — timestamped per-applicant records of notice delivery, accommodation requests, and responses — can grow into the tens of thousands of records per year for a mid-size employer. The bias audit data set, the vendor contracts, the audit reports, and the public summary versions all need a retention and version history that survives staff turnover. Treating AEDT compliance documentation with the same rigor you apply to financial recordkeeping is no longer optional.
Keep Your Compliance Records as Auditable as Your Books
The same discipline that keeps your financial records audit-ready — clear versioning, plain-text formats that anyone can read without a vendor login, and a history you can replay decision by decision — is exactly what an AEDT compliance program needs. Beancount.io provides plain-text accounting that gives you complete transparency and control over your financial data, with no black boxes and no vendor lock-in. Get started for free and see why developers, finance professionals, and compliance-conscious operators are switching to plain-text accounting that they can verify themselves.