AI in Hiring: 5 Employment Laws Every HR Team Should Know in 2027

Ethena Team

TL;DR

  • Five state and local laws now actively regulate AI in employment decisions, with more coming in 2027.
  • California (CCRC and CPPA), Illinois, NYC, and Texas have requirements in effect today. Colorado's new law (SB 26-189) takes effect January 1, 2027.
  • The December 2025 federal executive order pushes for state-law preemption but doesn't override state requirements on its own.
  • Coming next: The EU AI Act's August 2, 2026 high-risk system deadline, Connecticut SB 5's phased rollout, and pending bills in New York, California, and Massachusetts.

AI is showing up in more parts of the employment lifecycle every quarter, from resume screening and skills assessments to scheduling and performance reviews. The rules around these tools have shifted just as quickly. Several state laws have taken effect, Texas has a broad-scope AI law on the books, Colorado replaced its original AI law with a scaled-back version, and the federal government has begun pushing to preempt state regulation.

If you're in HR, Compliance, or People Ops, here's where things stand heading into the back half of 2026 and what you need to know to keep your company ahead of the curve (and out of hot water).

Quick Reference: State and Local AI Hiring Laws at a Glance

Jurisdiction | Law | Effective | Key Employer Requirements
California (CCRC) | FEHA ADS Regulations | Oct 1, 2025 | Anti-discrimination, third-party liability, 4-year recordkeeping
California (CPPA) | ADMT Regulations | Jan 1, 2026 / Apr 1, 2027 (phased) | Risk assessments, pre-use notice, opt-out, human appeal
Colorado | Colorado AI Act (SB 26-189) | Jan 1, 2027 | Pre-use notice, 30-day adverse action notice, human review, 3-year recordkeeping
Illinois | HB 3773 | Jan 1, 2026 | Anti-discrimination, ZIP-code ban, employee notice
New York City | Local Law 144 | Jul 5, 2023 | Annual bias audits, 10-day advance notice, public posting of audit results
Texas | TRAIGA | Jan 1, 2026 | Intent-based prohibitions, 60-day cure period, NIST RMF safe harbor

Use this table to map your jurisdictional obligations. Then read the section that applies to you for the requirements in detail.

1. California: Two Regulations You Need to Track

California now has two separate sets of rules governing AI in employment decisions, each from a different agency with different timelines.

A. California Civil Rights Council AI Employment Regulations (CCRC)

Effective Date: October 1, 2025 (in effect)

What is it?

The CCRC regulations update California's Fair Employment and Housing Act (FEHA) to directly address how artificial intelligence (AI) and automated decision systems (ADS) are used in employment. They make employers responsible for the impact of any AI or algorithmic tools used in hiring, promotion, or other job decisions, even if those tools come from a third-party vendor. The regulations reinforce that "the AI did it" is not a defense if bias occurs.

Who's Covered?

Any employer with five or more employees in California using AI or automated tools for employment decisions, including those using third-party vendors.

What's Required?

  • Anti-discrimination: It's unlawful to use AI or ADS that discriminates against applicants or employees based on protected characteristics (disability, race, gender, etc.), even if the bias is unintentional.
  • Third-party liability: Employers are responsible for the actions of vendors and agents who use AI on their behalf.
  • Recordkeeping: Employers must keep detailed records of how AI tools are used and the data they process for at least four years.
  • Definition of ADS: Covers application screening tools, performance evaluation analytics, individual productivity monitoring software, and any system that influences employment decisions (hiring, promotion, discipline, scheduling, compensation, or termination).

B. California Privacy Protection Agency ADMT Regulations (CPPA)

Effective: Risk assessments required as of January 1, 2026. Consumer opt-out and pre-use notice obligations phase in April 1, 2027.

What is it?

A separate set of regulations issued by the California Privacy Protection Agency under the California Consumer Privacy Act (CCPA) framework. These rules govern the use of automated decisionmaking technology (ADMT) for "significant decisions" about consumers, which expressly includes employees, job applicants, and independent contractors.

What's Required?

  • Risk assessments (effective January 1, 2026): Businesses must conduct and document a risk assessment before using ADMT to make a significant decision affecting employees and applicants, or where the use otherwise presents a significant risk (such as inferring intelligence, ability, aptitude, or work performance).
  • Pre-use notice (effective April 1, 2027): Businesses using ADMT to make a significant decision must give consumers (including employees and applicants) a notice describing the use of ADMT and their rights to opt out and access.
  • Opt-out and human appeal (effective April 1, 2027): Employees and applicants must be able to opt out of ADMT for significant decisions, subject to certain exceptions, with a human appeal option.
  • Access (effective April 1, 2027): Workers can request information about how ADMT is used, including the purpose and the logic involved.

Recommended Action:

  • Audit current and planned AI tools for bias and document the results.
  • Complete and document the CPPA risk assessment for any ADMT already in use.
  • Update vendor contracts to clarify compliance responsibilities under both regulations.
  • Train HR and hiring managers on the new rules and recordkeeping requirements.
  • Start building a pre-use notice and opt-out workflow now to meet the April 1, 2027 CPPA deadline.

2. Colorado AI Act (SB 26-189): A New Framework Effective January 1, 2027

Effective Date: January 1, 2027

What's happening?

Colorado's AI law has had one of the most eventful regulatory journeys of any state AI law to date. Governor Polis signed the original Colorado AI Act (SB 24-205) in 2024 with a February 1, 2026 effective date. The legislature later pushed that date to June 30, 2026 during a 2025 special session. In April 2026, a federal magistrate judge stayed enforcement after xAI filed a constitutional challenge that the U.S. Department of Justice joined.

In May 2026, Governor Polis signed SB 26-189, which repeals the original law and replaces it with a significantly scaled-back framework. The new Colorado AI Act takes effect January 1, 2027.

Who's Covered?

Employers using AI to make or materially influence consequential decisions about Colorado residents, individuals with access to or eligibility for an opportunity in Colorado, or those evaluated by someone doing business in Colorado.

What's Required?

  • Pre-use notice: Employers must give clear notice before deploying a covered AI tool that will materially influence a consequential employment decision.
  • Adverse action notice (30 days): If a covered AI tool materially influences a decision that leads to an adverse outcome, the employer must provide notice within 30 days describing the AI tool's role, along with other required disclosures.
  • Human review process: Structured human review and appeal rights for affected individuals.
  • Recordkeeping (3 years): Retain compliance documentation for at least three years, including ADMT version identifiers, changelogs, and documentation of material mitigation changes.
  • Enforcement: Only the Colorado Attorney General can enforce the law. No private right of action.
  • Liability allocation: Liability is split between AI developers and employer-deployers. Certain indemnification clauses are voided by statute.

What's next:

The Colorado AG must promulgate implementing regulations by January 1, 2027. Those regulations will shape what compliance actually looks like in practice, so watch the rulemaking process closely.

Recommended Action:

  • Map your AI tools and engage with vendors now to clarify which role each plays under the new law.
  • Build a pre-use notice template and an adverse-action workflow that meets the 30-day requirement.
  • Set up the three-year recordkeeping process for compliance documents.
  • Review vendor contracts for indemnification clauses that may be voided by the new law.
  • Watch the AG rulemaking process. Those regulations will define what compliance actually looks like.

3. Illinois HB 3773: AI Employment Discrimination Law

Effective Date: January 1, 2026 (in effect)

What is it?

Illinois HB 3773 amended the state's Human Rights Act to specifically address discrimination from AI in employment. It prohibits employers from using AI in ways that could discriminate against protected groups and requires transparency when AI is used in hiring, promotion, or other employment decisions. It also bans the use of ZIP codes as a proxy for protected characteristics.

Who's Covered?

All employers in Illinois using AI for recruitment, hiring, promotion, or other employment decisions.

What's Required?

  • Anti-discrimination: Employers can't use AI in ways that result in discrimination against any protected class (intentional or unintentional).
  • No "digital redlining": Employers can't use ZIP codes as a proxy for protected characteristics.
  • Notice: Employers must notify employees and candidates when AI is used in employment decisions, including the specific purposes.
  • Complaints: Individuals can file complaints with the Illinois Department of Human Rights.

What's new in 2026:

In December 2025, the Illinois Department of Human Rights (IDHR) released draft rules ("Subpart J: Use of Artificial Intelligence in Employment") that clarify the notice and recordkeeping requirements. The draft rules define "use" of AI broadly to include any instance in which the output of an AI system influences or facilitates a covered employment decision. They also extend obligations to recruiters and other third-party agents acting on the employer's behalf.

The draft rules are still subject to formal public comment, but they give employers a much more concrete roadmap for compliance than the statutory text alone.

Recommended Action:

  • Review your AI tools for potential bias, especially in screening criteria.
  • Update candidate and employee communications to include the required notices.
  • Avoid using location data (like ZIP codes) as a filter in hiring algorithms.
  • Document how third-party recruiters and vendors are using AI on your behalf.

4. New York City Local Law 144 (Automated Employment Decision Tools Law)

Effective Date: July 5, 2023 (in effect, with stepped-up enforcement in 2026)

What is it?

NYC Local Law 144 was the first local law in the U.S. to regulate the use of Automated Employment Decision Tools (AEDTs) in hiring and promotion. An AEDT is any computational process (using machine learning, statistical modeling, data analytics, or AI) that issues a simplified output like a score, classification, or recommendation, and is used to substantially assist or replace discretionary decision-making for employment decisions in NYC.

Who's Covered?

Any employer or employment agency using AI-driven tools to make employment decisions about candidates or employees in New York City, even if the company is based elsewhere.

What's Required?

  • Annual bias audits: AEDTs must undergo an independent bias audit each year covering race and gender individually and combined, using specified testing. Results must be posted publicly on the employer's website.
  • Advance notice: Candidates and employees must be notified at least 10 business days before being assessed by an AEDT.
  • Data transparency: Employers must disclose the type and source of data used by the AEDT and their data retention policy on request.
  • Penalties: Non-compliance can result in fines of $500 to $1,500 per day, with each use of a non-compliant AEDT potentially counted as a separate violation.

What's new in 2026:

In December 2025, the New York State Comptroller's Office published an audit of how the NYC Department of Consumer and Worker Protection (DCWP) has enforced Local Law 144 from July 2023 through June 2025. The audit found significant shortcomings: inconsistent complaint intake, incomplete documentation, limited proactive enforcement, and inadequate bias audit reviews. DCWP committed to adopting most of the audit's recommendations.

The practical implication for employers: the "enforcement-light" period that characterized the first two years of Local Law 144 is ending. Employers using AEDTs in NYC should expect more rigorous oversight, more proactive enforcement, and more documentation review starting this year.

Recommended Action:

  • Inventory all AI tools used in hiring and promotion for NYC roles.
  • Confirm that your bias audits are current (within the last 12 months) and posted publicly.
  • Prepare clear, accessible notices for candidates and employees.
  • Document your data retention policies and be ready to share them on request.

5. Texas Responsible Artificial Intelligence Governance Act (TRAIGA)

Effective Date: January 1, 2026 (in effect)

What is it?

Texas became the third state with a broad-scope AI law when TRAIGA took effect at the start of 2026. The original draft borrowed heavily from the Colorado AI Act, but the version that ultimately passed is significantly narrower and uses an intent-based liability framework rather than an impact-based one.

Who's Covered?

TRAIGA applies broadly to any entity that conducts business in Texas, produces a product or service used by Texas residents, or develops or deploys an AI system in the state. Even employers headquartered outside Texas may be in scope if their AI systems touch Texas residents.

What's Required?

  • Prohibited uses: Developing or deploying AI systems with the intent to unlawfully discriminate against a protected class, manipulate human behavior in harmful ways, infringe constitutional rights, or produce certain illegal content.
  • Intent-based liability: Unlike Colorado's original law, TRAIGA generally requires proof of intentional misconduct. Disparate impact alone isn't enough.
  • No private right of action: Only the Texas Attorney General can enforce TRAIGA, and employers receive a 60-day cure period.
  • Safe harbors: Organizations that follow recognized risk management frameworks (such as NIST AI RMF) may qualify for liability protection.

Recommended Action:

  • Document the business purpose of every AI system used in employment decisions.
  • Keep testing protocols and records that show your efforts to prevent prohibited uses.
  • Consider aligning your AI governance program with the NIST AI Risk Management Framework to qualify for safe-harbor protection.

The Federal Layer: A Preemption Push to Watch

On December 11, 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." The order:

  • Directs the Department of Justice to establish an AI Litigation Task Force to challenge state AI laws viewed as inconsistent with federal priorities (Colorado's AI Act was specifically named as an example).
  • Conditions certain federal grant funding (including the BEAD broadband program) on states' willingness to avoid or stop enforcing AI laws that conflict with federal policy.
  • Directs the FTC and FCC to advance federal preemption through agency rulemaking and policy statements.
  • Calls for federal legislation that would preempt conflicting state AI laws.

What this means for HR teams today:

The executive order doesn't, on its own, override state AI laws. State statutes remain enforceable until a court rules otherwise or Congress passes preemptive legislation. The DOJ's involvement in the xAI suit against Colorado was the first concrete example of how the Task Force may operate. Expect more federal-state friction over the next 12 to 18 months, and expect the rules for AI in hiring to keep moving.

For now, the practical advice is to keep complying with applicable state laws while building flexible governance practices that can adapt as the federal picture clarifies.

What's Coming Next

The regulatory calendar for H2 2026 and early 2027 has several more developments worth tracking now so you can plan ahead instead of react.

EU AI Act high-risk obligations (August 2, 2026)

For employers with EU operations or employees, this is the biggest near-term deadline. The EU AI Act treats most workplace AI as "high-risk," including tools used for recruitment, candidate selection, performance evaluation, task allocation, worker monitoring, and promotion or termination decisions. The full suite of high-risk system obligations becomes enforceable on August 2, 2026, including mandatory human oversight, worker notice, logging, bias monitoring, and consultation with employee representatives.

The reach is extraterritorial: U.S. employers whose AI systems affect EU residents may be covered, even if the company has no physical EU presence. Penalties for high-risk non-compliance can reach €15 million or 3% of global annual turnover.

A proposed Digital Omnibus package could push these deadlines to December 2027 or August 2028, but that proposal is still in negotiation. Treat August 2026 as binding until told otherwise.

Connecticut SB 5

Connecticut's omnibus AI law has staggered effective dates relevant to employers:

  • October 1, 2026: Developer obligations for AI tools take effect.
  • January 1, 2027: Chatbot disclosure requirements take effect, with recurring reminders every three hours.
  • October 1, 2027: Deployer (including employer) pre-decision notice requirements take effect.

The law also adds an AI disclosure requirement to Connecticut's WARN Act for layoffs partly attributable to AI.

Pending state legislation

Several states have AI employment bills under active consideration. Worth tracking:

  • New York A 768 (NY AI Consumer Protection Act): Colorado-style risk-based framework. If passed, would take effect January 1, 2027 and close gaps left by NYC Local Law 144's narrow scope.
  • California SB 947 / SB 951: Revived versions of the "No Robo Bosses" Act that Governor Newsom vetoed in October 2025. Would expand restrictions on AI use in employment decisions.
  • Massachusetts HD 396 (AI Accountability and Consumer Protection Act): Colorado-style framework with risk management programs, impact assessments, and notice requirements.

Algorithmic wage discrimination

The next regulatory wave is starting to focus on AI-driven individualized wage and compensation decisions. Colorado's HB 26-1210 passed both legislative chambers in May 2026 and is awaiting Governor Polis's signature. If signed, the law would take effect in August 2026, prohibiting employers from using algorithms that analyze surveillance data (browsing history, biometrics, behavioral signals) to set individualized wages. The bill includes a private right of action for affected workers, an enforcement mechanism Colorado's SB 26-189 lacks. Similar legislation is under consideration in several other states.

The Bottom Line

The rules for AI in hiring are more complex in H2 2026 than they were a year ago. The compliance plays that worked in 2025 aren't enough on their own. A few focused steps will help your team stay ahead:

  1. Inventory and audit your AI tools. Identify every AI tool used in employment decisions, where it operates geographically, and what it does. Assess for bias and disparate impact.
  2. Map your obligations by jurisdiction. California, Illinois, NYC, and Texas all have active requirements, with Colorado's new law taking effect January 1, 2027. Treat each jurisdiction's rules as a separate compliance lane.
  3. Update policies and vendor contracts. Clarify compliance responsibilities with third-party recruiters and AI vendors. Implement required notices and disclosures.
  4. Train your team. Educate HR, recruiters, and managers on the new requirements with focused training like AI in Hiring and AI in the Workplace. Pair these with foundational Hiring and Interviewing training for managers and recruiters. Document training and compliance efforts.
  5. Document everything. Keep records of AI use, audits, notices, impact assessments, and the business purpose of every system. Preparedness pays off if regulators come asking.
  6. Watch the federal picture. The federal government is pursuing preemption aggressively, but the executive order isn't yet operative. Build governance practices flexible enough to adapt.

Frequently Asked Questions

Q: Do these laws apply if my company isn't headquartered in California, Illinois, NYC, Colorado, or Texas?

A: Often, yes. Most state AI employment laws apply based on where the employee or applicant is located, not where the employer is headquartered. If you have remote workers, candidates, or any operations in these jurisdictions, you're likely in scope.

Q: What counts as "AI" under these laws?

A: Each law defines it slightly differently, but most cover any machine-based system that influences employment decisions, including resume screeners, video interview analytics, chatbots, scheduling tools, performance management software, and productivity monitoring. If a tool affects hiring, promotion, discipline, or compensation, assume it's in scope.

Q: Are small employers exempt?

A: California's CCRC regulations apply to employers with five or more employees. Most other state laws apply more broadly with no employee-count threshold. NYC Local Law 144 applies regardless of company size if you're using AEDTs for NYC roles.

Q: What happens if the federal government successfully preempts state AI laws?

A: For now, state laws remain enforceable. Even if some are eventually preempted or invalidated, existing federal and state anti-discrimination laws (Title VII, ADA, ADEA, state human rights acts) still apply to AI-driven decisions. Building responsible AI governance is the right call regardless of which framework ultimately controls.

Q: Do we need to provide notice every time an AI tool touches a hiring decision?

A: Most state laws require notice when AI materially influences or replaces human decision-making. Tools that perform narrow administrative tasks (like deduplicating applications) generally don't trigger notice requirements. When in doubt, err toward more notice rather than less.

Q: How should we handle vendor AI tools we didn't build ourselves?

A: Every state law that addresses third-party AI makes the employer responsible for the impact of vendor tools. Update vendor contracts to clarify compliance responsibilities, require bias testing documentation from your vendors, and document your due diligence.

How Ethena Can Help

The patchwork of state AI laws, paired with a federal preemption push, means HR teams can't afford to treat AI compliance as a one-time project. Ethena's dedicated training on AI in the Workplace and AI in Hiring helps your team build the awareness and skills they need to use AI responsibly. We also offer a full library of Hiring and Interviewing courses for managers and recruiters who want to build inclusive, bias-aware hiring practices that stand up to scrutiny.

Want to see how our training agent can help your team get ahead of the new AI rules? Let's talk.


Disclaimer: None of the content in this article constitutes legal advice, nor does it contain every detail or requirement of the applicable laws. It is provided solely for informational purposes and is not intended to be relied upon as a standalone resource. If you have questions about these laws or their implications for your organization, please consult your legal counsel.
