AI hiring screen, entry-level (NY/CO/EU)

US — New York, US — Colorado, EU · Candidates / applicants · 2026-05-27


Summary

High-risk employment AI under EU AI Act and NYC LL144 with serious GDPR Art. 22 automated-decision exposure.

This launch sits squarely in the highest-scrutiny category in every jurisdiction it touches: a high-risk AI system under the EU AI Act, a covered automated employment decision tool under NYC LL144, and a covered ADMT under the Colorado AI Act. The most material single risk is GDPR Article 22: because recruiters follow the model 85% of the time and lower-scoring candidates are almost never surfaced, a regulator or court will likely view this as solely automated decision-making with legal effect, regardless of the nominal human-in-the-loop design. That finding would require a valid exception, enforceable candidate rights to contest, and explicit consent or another lawful basis that pre-contractual necessity alone will not cover. Before any of those questions are resolved, the company cannot lawfully launch for EU candidates. The NY and Colorado obligations are parallel but operationally distinct: NYC LL144 demands an independent bias audit and 10-business-day advance notice before launch, and Colorado requires documented risk management and a disparate impact analysis that doubles as the foundation for the CAIA affirmative defense.

0 dealbreakers · 21 obligations · 3 watch items
Top priorities
  1. Commission the NYC LL144 independent bias audit immediately, since it must be complete before launch and results must be posted publicly; without it, every NY applicant processed creates a per-violation exposure (NYC LL144, Annual Bias Audit).
  2. Audit EU recruiter override behavior across the full score distribution before launch to establish whether the 85% adoption rate and near-zero low-score overrides amount to solely automated decision-making under GDPR Art. 22, and design a genuine human review workflow with structured documentation if they do.
  3. Complete the GDPR DPIA and EU AI Act FRIA as a single coordinated workstream before EU launch, covering training data provenance, protected-characteristic feature audit, and lawful basis determination under Art. 6 for each processing activity (GDPR Arts. 35, 6; EU AI Act Art. 27).
  4. Build the candidate-facing AI disclosure into job postings and application flows for NY (10 business days before processing), CO, and EU simultaneously, and pair it with the Art. 86 explainability endpoint so recruiters can deliver applicant-specific reasons on request (NYC LL144 Notice; AI Act Arts. 50, 86).
  5. Conduct a pre-launch disparate impact analysis of the in-house model by race, gender, age, and disability status across all three jurisdictions, document findings and any remediation in a technical file, and establish a formal recruiter-feedback and retraining trigger process to anchor the Colorado CAIA affirmative defense (CAIA C.R.S. 6-1-1706; Colorado AI Act Deployer Risk Management; AI Act Art. 16).
Biggest open question

Whether the 85% recruiter adoption rate, combined with the practical invisibility of low-scored candidates, is sufficient to characterize this system as solely automated decision-making under GDPR Art. 22, which would require a lawful exception and fundamentally restructure the EU deployment model.

AI laws that may apply

21 surfaced across 6 lenses

Grouped by legal lens.

AI-specific (8)
  • Human oversight (AI Act Art. 14) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must include human oversight measures to minimize risks to health, safety or fundamental rights.

  • Accuracy, robustness, security (AI Act Art. 15) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must achieve and maintain a high level of accuracy, robustness and cybersecurity, with continuous testing to prevent malfunctions.

  • Provider obligations for high-risk AI (AI Act Art. 16) · Settled rule, unsettled application · Verified 2026-05-25

    Providers of high-risk AI must ensure system compliance, affix CE mark, maintain quality management and documentation, and handle logging, conformity assessment, and corrective actions.

  • Disclosure of AI interaction (AI Act Art. 50(1)) · Settled rule, unsettled application · Verified 2026-05-25

    Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

  • Explanation of high-risk decisions (AI Act Art. 86) · Settled rule, unsettled application · Verified 2026-05-25

    Individuals subject to high-risk AI decisions that significantly affect them have the right to obtain a clear, meaningful explanation of the AI system role and the main decision elements.

  • Colorado AI Act: Definition of covered ADMT · Settled rule, unsettled application · Verified 2026-05-25

    Colorado AI Act defines an automated decision-making technology as one that processes personal data to generate recommendations or scores used to make consequential decisions.

  • Colorado AI Act: Developer duty · Settled rule, unsettled application · Verified 2026-05-25

    A developer of a high-risk AI system must use reasonable care to prevent known or foreseeable algorithmic discrimination.

  • Colorado AI Act: Deployer risk management · Settled rule, unsettled application · Verified 2026-05-25

    A deployer of a high-risk AI system must use reasonable care to address discrimination risks and implement an iterative risk management program.

Privacy (5)
  • Automated decision-making prohibition (GDPR Art. 22) · Settled rule, unsettled application · Verified 2026-05-25

    Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.

  • Data protection by design and by default (GDPR Art. 25) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.

  • Security of processing (GDPR Art. 32) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers and processors must implement appropriate technical and organizational measures to secure personal data according to the risk (e.g. encryption, resiliency).

  • Data Protection Impact Assessment (GDPR Art. 35) · Settled rule, unsettled application · Verified 2026-05-25

    Requires DPIA before processing that is likely high-risk to rights, e.g. systematic automated profiling with significant effects.

  • Lawfulness of processing (GDPR Art. 6) · Settled rule, unsettled application · Verified 2026-05-25

    Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Employment (2)
  • NYC LL144: Annual bias audit · Settled rule, unsettled application · Verified 2026-05-25

    NYC Local Law 144 mandates that employers using automated employment decision tools must conduct an annual bias audit of the tool and publicly post a summary of the results before use.

  • NYC LL144: Notice to candidates · Settled rule, unsettled application · Verified 2026-05-25

    Under NYC law, employers must notify job candidates and employees at least 10 business days before using an automated employment decision tool.

Security (2)
  • CIRCIA Incident Reporting · Settled rule, unsettled application · Verified 2026-05-25

    Under CIRCIA, designated critical-infrastructure companies must report covered cyber incidents to CISA within 72 hours of discovery.

  • New York SHIELD Act · Settled rule, unsettled application · Verified 2026-05-25

    NY SHIELD Act requires entities holding private information to implement reasonable safeguards and notify affected NY residents of data breaches.

Liability (1)
  • EU Revised Product Liability Directive (2024) · Settled rule, unsettled application · Verified 2026-05-25

    The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

Other (3)
  • EU AI Act, Art. 27 · Settled rule, unsettled application · Pending: omnibus_vii · Verified 2026-05-23

    Requires certain deployers of high-risk AI systems to perform a Fundamental Rights Impact Assessment (FRIA) before first use. Applies to public bodies, private entities providing public services, and deployers of high-ri…

  • GDPR, Art. 22 · Settled rule, unsettled application · Verified 2026-05-23

    Grants data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects them. Three exceptions: contract n…

  • CAIA, C.R.S. § 6-1-1706 · Pending · Pending: sb_25b_004_postponement_and_rulemaking · Verified 2026-05-23

    Establishes an affirmative defense for developers and deployers of high-risk AI systems. A defendant escapes liability if it (1) discovered and cured the violation through user-feedback channels, red-teaming, adversarial…

Worth watching (3)

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

  • Copyright and AI Training Data: Recent court guidance indicates that copying copyrighted works into AI models may infringe unless clearly trans… (skadden.com)
  • NYT v. OpenAI (Training Data): The New York Times has sued OpenAI, alleging that using its copyrighted articles to train ChatGPT without perm… (theverge.com)
  • AI-Related Copyright Cases: Courts are grappling with AI and IP: e.g., in Thomson Reuters v. ROSS, a judge held that output of an AI model… (skadden.com)

Other flags

employment use

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.

AI hiring screen, entry-level (NY/CO/EU) — Anteroom