HR Guide · Multiple Deadlines · April 17, 2026 · 14 min read

AI for HR and Recruitment: Complete Compliance Requirements 2026

AI in hiring is the most heavily regulated AI use case globally. NYC Local Law 144, EU AI Act Annex III, Colorado SB 24-205, GDPR Article 22, and US federal civil rights laws all apply simultaneously. If you use AI to screen resumes, schedule interviews, score candidates, or make promotion decisions — this guide is for you.

Why HR AI Is the Highest-Risk AI Use Case

Three factors combine to make employment AI more heavily regulated than almost any other domain:

Consequential decisions with protected characteristics

Employment decisions affect income, career progression, and economic security. They also frequently involve characteristics protected by civil rights law: race, gender, age, disability, religion, national origin.

Explicit high-risk classification

Every major AI regulation — EU AI Act, Colorado SB 205, and NIST AI RMF — classifies employment AI as high-risk. This is not interpretation: it is explicitly listed.

Proven bias in practice

There are multiple documented cases: Amazon's AI recruiting tool was biased against women, HireVue was scrutinised by the EEOC, and companies have faced OFCCP audits based on AI-filtered applicant data. Regulators cite these cases in every enforcement action.

HR AI Compliance by Jurisdiction

NYC (Local Law 144)

In force

Covers: Automated Employment Decision Tools (AEDTs) used in hiring or promotion

Requires: Annual independent bias audit; public disclosure of audit results; candidate notice before use

Penalty: $1,500/day per violation

Deadline: In force since July 2023 — enforcement active

EU (EU AI Act Annex III)

In force August 2026

Covers: AI for recruitment, selection, promotion, task allocation, monitoring and evaluation of employment contracts

Requires: High-risk AI full requirements: conformity assessment, technical documentation, human oversight, bias testing

Penalty: Up to €15M or 3% of global turnover

Deadline: August 2, 2026 — 14 months away at publication

Colorado (SB 24-205)

In force June 2026

Covers: Consequential decisions about employment, promotion, or compensation

Requires: Impact assessment; notice to employees before use; right to appeal or request human review

Penalty: Enforcement by Colorado AG; no statutory per-violation cap published

Deadline: June 30, 2026

Illinois (AIVIA)

In force

Covers: AI that analyzes video interviews to evaluate candidates

Requires: Written consent before interview; explanation of how AI evaluates candidates; 30-day deletion on request

Penalty: Right of private action under AIVIA; statutory damages

Deadline: In force since 2020; amended 2024

GDPR (EU/EEA)

In force

Covers: Processing personal data in AI-driven recruitment or employment decisions

Requires: Legal basis for processing; DPA with AI vendors; DPIA for high-risk processing; Art.22 rights for automated decisions

Penalty: Up to €20M or 4% of global turnover

Deadline: In force — ongoing obligation

ECOA / Title VII (US)

In force

Covers: AI tools that have disparate impact on protected classes in hiring

Requires: Validation studies showing job-relatedness; adverse impact analysis (80% rule); EEOC guidance compliance

Penalty: Federal civil rights enforcement; class action liability

Deadline: EEOC issued AI hiring guidance 2024 — interpretive, not binding regulation

NYC Local Law 144 Bias Audit: What "Independent" Really Means

NYC LL144 is the most specific AI hiring regulation in force globally. Its bias audit requirement is being watched by regulators worldwide as a template. Here is what each element of the requirement actually means:

1. Scope of audit

The audit must cover the AI tool or algorithm as actually used in your hiring process — not a generic audit from the vendor. NYC LL144 specifically requires auditing the tool as used by each employer.

2. What is measured

Selection rate by race/ethnicity and gender. NYC uses the "impact ratio" metric: the selection rate of the least-selected category divided by the most-selected category. Ratios below 80% (the EEOC 4/5ths rule) indicate potential disparate impact.

3. Who conducts the audit

Must be an independent auditor — not the AI vendor who built the tool. The independent auditor must have no material relationship with the employer or vendor.

4. Publication requirement

Audit results, including the bias score for each category, must be published on the employer's website. Results must include: the date of the audit, the data used, and the impact ratios.

5. Candidate notice

Before using an AEDT on a candidate, the employer must notify the candidate: (1) that an AEDT will be used; (2) the qualifications and characteristics it uses; (3) how to request accommodation.

GDPR Article 22 in Recruitment: The Right Not to Be Decided by AI

GDPR Article 22 gives candidates the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects. Rejection from a job application clearly qualifies as "significant."

What "solely automated" means

If a human meaningfully reviews the AI's recommendation before a final decision, the decision is not "solely automated" and the Art.22 absolute prohibition does not apply. However, rubber-stamp human review (a human who always follows the AI) does not count: the EDPB has clarified that human review must be meaningful and capable of overriding the AI.

The three exceptions to Art.22

Solely automated decisions are permitted if:

  • Necessary for entering into a contract (e.g., automated pre-screening), but the candidate must be told and can request human review
  • Authorised by EU or member state law, which includes Applicant Tracking System automated filtering in some contexts
  • Based on explicit consent, which is rarely appropriate in recruitment given the power imbalance between employer and candidate

HR AI Compliance Checklist 2026

Inventory all AI tools used in hiring, promotion, performance management, and compensation

Classify each tool by jurisdiction (NYC employer? EU-facing hiring? Colorado operations?)

Determine which tools qualify as AEDTs under NYC LL144 and high-risk under EU AI Act

Commission independent bias audits for NYC AEDT tools — before each year of use

Publish NYC bias audit results on company website

Implement candidate notice process for all jurisdictions requiring pre-use disclosure

Conduct GDPR DPIA for AI recruitment processing; ensure DPA with all AI HR vendors

Build human review mechanism: no AI tool makes final hiring/promotion decision without human review

Document appeals process: candidates can request explanation and human review of AI decisions

Train HR staff on AI limitations, bias risk, and escalation procedures
