AI Compliance Penalty Calculator
What is the maximum fine your business faces for non-compliance? Find the penalty structure for every major AI regulation — EU AI Act, GDPR, Colorado AI Act, NYC Local Law 144, and more.
Penalty Structure by Regulation
Penalties are always the higher of the fixed amount or the revenue percentage. Multiple violations can stack. Revenue = global annual turnover of the entire group.
EU AI Act
Status: August 2026
Using AI for real-time biometric surveillance in public spaces, social scoring, or other prohibited practices.
Deploying high-risk AI (hiring, credit, healthcare, education) without required conformity assessments.
Providing false, incomplete, or misleading information to market surveillance authorities.
Key notes:
- Fines apply to the higher of the fixed amount OR the revenue percentage
- SMEs may receive reduced fines at authority discretion
- Applies to any company with EU customers or employees
- Prohibited AI rules: February 2025. General rules: August 2026.
GDPR (Article 22 / AI Decision-Making)
Status: Active now
Unlawful automated decision-making with legal effects, no human review, or missing transparency disclosures.
Technical violations — missing DPA notifications, inadequate documentation, processor agreement gaps.
Key notes:
- GDPR is actively enforced — €4.5B in fines issued since 2018
- Art. 22: individuals have the right not to be subject to solely automated decisions
- Every EU customer interaction with AI may trigger Art. 22 obligations
- Ireland, France, and Spain are the most active enforcers
UK AI / UK GDPR
Status: Active now
Same scope as EU GDPR Article 83(5) — unlawful automated decisions, no human review.
Documentation failures, processor agreements, notification gaps.
Key notes:
- ICO (Information Commissioner's Office) is the UK regulator
- UK AI regulation framework expected 2025–2026 via sector regulators
- UK GDPR mirrors EU GDPR post-Brexit
Colorado AI Act (SB 24-205)
Status: June 30, 2026
Failing to provide required disclosures, impact assessments, or appeal rights for high-risk AI decisions.
Knowing violation of consumer AI rights after receiving notice.
Key notes:
- Enforced by the Colorado Attorney General
- Applies to developers and deployers of "high-risk AI" affecting CO residents
- "High-risk" = AI making consequential decisions in employment, housing, credit, insurance, education, healthcare
- 2-year cure period for good-faith violations
NYC Local Law 144 (Bias Audit)
Status: Active since Jan 2023
Not conducting an annual bias audit of AI hiring tools, or failing to post results publicly before using the tool.
Continued use of automated employment decision tool without bias audit after receiving notice.
Key notes:
- Applies to employment decisions about NYC candidates or employees
- Annual bias audit must be completed by an independent auditor
- Results must be posted on the company website at least 10 days before tool use
- Covers resume screening, interview scheduling, performance evaluation AI
Illinois AI Video Interview Act (AAIA)
Status: Active now
Using AI video interview analysis without prior written notice to candidates, or sharing candidate data.
Key notes:
- Illinois employees can bring private lawsuits
- Must provide advance notice and obtain consent before AI video interview analysis
- Cannot share applicant videos with third parties without consent
- Penalties include legal fees — class action risk
EU Digital Services Act (DSA)
Status: Active now (VLOPs Feb 2024)
Platforms with 45M+ EU users — recommender system transparency failures, failure to audit algorithms.
Systemic violations by Very Large Online Platforms (VLOPs) or Search Engines (VLOSEs).
Key notes:
- Applies to platforms (marketplaces, social networks, app stores) with EU users
- Recommender systems must offer a non-profiling alternative
- Annual independent audits required for VLOPs
- Smaller platforms: lighter obligations under the tiered framework
Example Calculations
Real-world scenarios showing how penalties are calculated. These are illustrative examples — actual enforcement varies by regulator.
SaaS startup, $2M revenue, EU customers, uses ChatGPT for automated customer triage
EU AI Act: 4% × €2M = €80,000. GDPR can add up to an additional 4%.
US e-commerce, $10M revenue, uses AI for hiring decisions in NYC
$500/day × 365 days = $182,500 per year of non-compliance
Enterprise software, $500M revenue, global customers, high-risk AI in healthcare
EU AI Act: max €30M for prohibited AI. GDPR: up to €20M or 4% = €20M. Can stack.
HR tech startup, $5M revenue, CO + IL customers, AI resume screening
CO: $2K per affected consumer. With 1,000 applicants = $2M maximum exposure.
Important: About These Figures
These are maximum statutory penalties. Regulators rarely impose the maximum fine. Actual enforcement considers: severity, intent, cooperation with regulators, self-reporting, and remediation steps.
However: GDPR regulators have issued maximum fines (Meta: €1.2B, WhatsApp: €225M). The risk is real, especially for larger companies or egregious violations.
Penalties can stack across regulations if multiple laws apply. A US company with EU customers making automated hiring decisions could face EU AI Act + GDPR + NYC LL144 all at once.
This tool is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.
Know your exact exposure
The penalty calculator shows the maximum. ComplianceIQ calculates your actual exposure based on your specific AI systems, jurisdictions, and risk factors — then generates the documents to eliminate it.