AI hiring regulation tracker

Colorado Senate Bill 26-189 repeals and reenacts elements of the state's prior 2024 AI law (SB24-205) to establish strict guidelines regarding Automated Decision-Making Technology (ADMT) in essential sectors, including employment, housing, education, and health care. The framework places clear requirements on 'developers' (vendors providing or selling technology) and 'deployers' (employers or organisations utilising the systems) to maintain transparency, enable continuous human review, and protect individuals against algorithmic discrimination.

Jurisdiction:

Colorado, United States

Live from:

1 January 2027

Connecticut Public Act No. 26-15 regulates several aspects of artificial intelligence and online safety. Notably, Sections 7 through 14 target 'automated employment-related decision technology'. From October 1, 2027, employers must disclose to applicants and employees if they are interacting with such technology. Furthermore, before an employment-related decision is made using its outputs as a substantial factor, employers must provide a written notice outlining the data processed, its sources, and the system's purpose. The act explicitly states that using an automated tool does not constitute a defense against discrimination complaints under existing state civil rights laws, though proactive anti-bias testing may be considered as evidence by courts or commissions.

Jurisdiction:

Connecticut, United States

Live from:

1 October 2026

These final regulations under the California Consumer Privacy Act (CCPA) establish binding compliance requirements for businesses using Automated Decisionmaking Technology (ADMT) or conducting high-risk data processing operations[cite: 1, 2]. Businesses utilising ADMT to make 'significant decisions'—such as employment evaluations, housing access, and financial lending—must provide prominent pre-use disclosures to consumers, accommodate requests to opt out of automated processing, and grant individuals rights of access to see the data and logic applied to them[cite: 1, 2]. Furthermore, businesses whose processing operations pose a significant risk to consumer security or privacy must complete annual independent cybersecurity audits and execute comprehensive, documented privacy risk assessments[cite: 1, 2].

Jurisdiction:

California, United States

Live from:

1 January 2026

The amendment to the Illinois Human Rights Act prohibits employers from using AI that results in discrimination against protected classes, or using zip codes as a proxy for protected characteristics in employment decisions[cite: 4, 6, 7]. It also mandates that employers notify employees and applicants when AI is used in such decisions[cite: 1, 4, 6].

Jurisdiction:

Illinois, United States

Live from:

1 January 2026

These regulations clarify how California's workplace protections under the Fair Employment and Housing Act (FEHA) apply to automated-decision systems (ADS), machine learning, and artificial intelligence[cite: 1, 2]. Deploying automated software to screen resumes, target job advertisements, rank candidates, or grade online interviews is unlawful if it generates an unjustified adverse impact against protected groups or relies on discriminatory proxy variables[cite: 1]. Furthermore, any third-party software provider or recruitment vendor acting as an 'agent' of the employer to execute traditional HR screening functions is legally classified as an employer and faces direct statutory liability[cite: 1].

Jurisdiction:

California, United States

Live from:

1 October 2025

The EU AI Act establishes a harmonised, risk-based regulatory framework for artificial intelligence across the European Single Market. Following a provisional trilogue agreement reached on 7 May 2026, the application deadline for high-risk employment systems has been postponed to 2 December 2027 to ensure necessary technical standards and guidance are fully available. The law completely prohibits certain harmful AI practices, imposes strict data governance criteria on high-risk tools, and explicitly permits processing special categories of personal data exclusively where strictly necessary to detect and correct algorithmic bias.

Jurisdiction:

European Union

Live from:

2 August 2024