AI hiring law in the USA: no federal Act, only a state patchwork

There is no federal AI law in the USA

If you are looking for "the US AI Act" the way Europe has the EU AI Act, you will not find one. There is no comprehensive federal law in the United States that regulates AI in hiring. The federal Executive Order on AI from 2023 was rescinded by a new Executive Order in January 2025. What is left at the federal level is a mix of existing equal-opportunity employment law, sector-specific agency guidance, and the Federal Trade Commission's general enforcement powers around deceptive practices.

That sounds like a regulatory vacuum. It is not. In the absence of a federal statute, the states have moved. The result is a patchwork that changes by zip code. A recruitment agency placing candidates into a New York City office, a California office, and a Colorado office is operating under three completely different sets of AI hiring rules, on three different timelines, with three different enforcement authorities. This guide walks through the three jurisdictions that matter most for hiring, in plain English.

The full picture across other countries is in the parent guide. This post focuses on the US.

New York City: Local Law 144 (live since July 2023)

NYC was the first major US jurisdiction to regulate AI in hiring. Local Law 144, also known as the Automated Employment Decision Tools (AEDT) Law, was enforced by the Department of Consumer and Worker Protection from 5 July 2023. It is the oldest active AI hiring law in the country and the one most agencies have at least heard of.

The rule has three components. First, any AEDT used to substantially assist or replace discretionary employment decisions must be subject to a bias audit conducted within the previous twelve months. Second, the employer must publish a summary of the audit results on its website. Third, candidates who reside in NYC must be given notice at least ten business days before the AEDT is used, with instructions on how to request an alternative selection process.

Penalties are not theoretical. DCWP can issue civil penalties between $500 and $1,500 per day of violation. The structure is harsh because each day an AEDT is in use without compliance is a separate violation. A non-compliant tool used across a quarter accumulates fines faster than most agencies realise.

The rule catches recruitment agencies whose tools touch NYC residents, not just NYC-based employers. If you operate from Toronto, London, or Dubai and your AI sourcing tool ranks an NYC-resident candidate for a role, you are inside the rule.

California: ADS regulations (live since 1 October 2025)

California's Civil Rights Council approved its automated-decision system (ADS) employment regulations on 27 June 2025. They took effect on 1 October 2025. California's approach is structurally different from New York's. Instead of a separate audit-and-notice regime, it extends the existing anti-discrimination framework under the Fair Employment and Housing Act (FEHA) to cover ADS.

The headline rule is that the use of an ADS may violate California law if it causes harm to applicants or employees on the basis of a protected characteristic. The framework also restricts the use of ADS that elicit information about a disability, because that can constitute an unlawful medical inquiry.

The single biggest practical obligation is record-keeping. Employers and covered entities must maintain employment records, including automated-decision data, for a minimum of four years. This is much longer than most agencies' default ATS retention policy. If your CRM is set to purge candidate decision logs after 12 or 24 months, you have a compliance gap for California-touching roles.

Enforcement runs through the Civil Rights Department. Investigation typically follows a candidate complaint. The exposure model resembles the FEHA discrimination claims many agencies are already familiar with; the additional layer is that the ADS records can be subpoenaed and examined.

Colorado: AI Act (effective 30 June 2026 after a delay)

Colorado's SB24-205, "Consumer Protections for Artificial Intelligence", is the first US state law to take a comprehensive AI-specific approach similar to the EU AI Act. Originally scheduled to take effect on 1 February 2026, the date was pushed back. Governor Polis signed SB25B-004 on 28 August 2025, which extends the effective date of the requirements of SB24-205 to 30 June 2026.

The Act covers "high-risk artificial intelligence systems" that make or are a substantial factor in making "consequential decisions concerning the consumer". Employment decisions sit inside that definition. Deployers (the recruiters using the AI) must notify a consumer when a high-risk system makes or substantially contributes to a consequential decision about them. Developers and deployers must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination.

Enforcement is in the hands of the Colorado Attorney General. Violations are deceptive trade practices under the Colorado Consumer Protection Act. The Attorney General has exclusive enforcement authority; there is no private right of action under SB24-205 itself.

Two things to watch. First, the 2026 legislative session may produce further amendments to SB24-205 before 30 June. The political pressure to soften the law is significant. Plan for compliance, but be ready to update your understanding as the year progresses. Second, the delay does not mean the law went away. It is still coming. The Governor's signature on the delay bill explicitly kept the core obligations intact.

What this patchwork means in practice

If you place into multiple US states, you do not get to pick the easiest rule. You comply with the strictest rule that touches each placement. The mental model is: for each placement, identify which states the candidate lives in and which state the job is in, then apply the union of all applicable rules.

In practice, this usually means the strictest rule becomes your default. If you have NYC candidates in your pipeline, you may as well run bias audits and provide notice across your whole US book; the marginal cost is small. If you place into California, the four-year retention rule effectively becomes your retention policy for all US ADS data, because you cannot reliably segregate it.

Other US states are moving too. Illinois has a disparate-impact rule in effect since December 2025. Texas, Tennessee, Connecticut, New Jersey and others have proposed or passed pieces of AI hiring legislation. The patchwork is getting denser, not simpler. Treat this guide as a snapshot; check the position quarterly.

What UK, EU and Dubai agencies often miss

Reciprocity does not apply. Just because your home jurisdiction has its own AI rules does not mean those satisfy the US ones. EU AI Act compliance does not give you NYC AEDT compliance. You comply with both, separately, for the placements that touch both.

The "where the candidate lives" test is sharper than the "where the office is" test. NYC Local Law 144 specifically protects NYC residents. A remote-first candidate in Brooklyn applying to a London-based role through your agency is still protected by NYC AEDT. You do not get to ignore it because the employer is in London.

Record-keeping is the silent killer. Agencies focused on the bias audit headline often forget the California four-year retention rule. ATS purge settings and "right to be forgotten" workflows can quietly create non-compliance for California-touching roles. Talk to your CRM vendor about how decision data is retained.

FTC powers still exist at the federal level. Even without a federal AI Act, the Federal Trade Commission has used its general deceptive-practices authority against companies whose AI claims do not match reality. If your marketing says "fair AI" and your hiring outcomes do not show it, that is potentially an FTC matter, not just a state one.

The EEOC has not gone away. Existing federal employment law still applies. Title VII, the ADEA, and the ADA all operate regardless of whether you used a human or an algorithm to make a discriminatory decision. The EEOC has been clear that AI is not a defence against a disparate impact claim. Any state-level AI compliance work you do should be additive to existing equal-opportunity discipline, not a replacement for it.

What to do this quarter

Map your US footprint. Which states do your candidates live in? Which states are your placements? Which states are your AI vendors based in? Build the matrix; the matrix tells you which rules apply.

Get a bias audit for any AEDT you operate that touches NYC residents. The audit has to be within the last twelve months. Many AI vendors offer this as part of their service or via a third-party auditor; ask.

Set your retention policy to four years for California-touching ADS data. If your ATS does not let you set state-specific retention rules, set it to four years across the US. It is easier than trying to segment.

Watch Colorado. The 30 June 2026 deadline is moving target territory. Subscribe to the Colorado AG's office updates and re-read the SB24-205 status every quarter through the first half of 2026.

Read the rest of the series. The US patchwork is the most fragmented of the regimes covered. The EU AI Act is the cleanest, the Ontario rule is the simplest, and the global view is in the parent guide. The same compliance discipline I covered in our GDPR guide applies here: get the basics right, document them, and the regulator becomes a non-issue.