AI hiring screen, entry-level (NY/CO/EU)

US — New York, US — Colorado, EU · Candidates / applicants · 2026-06-01


Summary

High-risk employment AI under EU AI Act, NYC LL144, and Colorado CAIA with layered GDPR exposure.

This launch sits at the intersection of three distinct binding regimes: EU AI Act high-risk classification, NYC Local Law 144, and Colorado's CAIA, each of which independently requires pre-launch action that cannot be satisfied after go-live. The most material single risk is that the 85% recruiter follow-through rate will be read by every regulator as functional automated decision-making, which collapses the human-in-the-loop defense under GDPR Art. 22 and triggers the full Art. 14 human oversight requirements under the AI Act simultaneously. GDPR adds a DPIA obligation, a lawful-basis documentation gap, and a candidate explanation right that must be operationalized before any EU applicant data enters the model. The training data on historical hiring decisions is also a live disparate-impact liability in all three jurisdictions, not a theoretical one, because it is the foundation of every score the model will produce.

0 dealbreakers · 21 obligations · 3 watch items
Top priorities
  1. Commission the NYC LL144 third-party bias audit before launch, measuring disparate impact by race, gender, ethnicity, and age across the screening and ranking pipeline; this is the only pre-launch hard gate with a public-posting requirement attached (LL144).
  2. Initiate and complete the GDPR Art. 35 DPIA before any EU applicant data enters the model, using that process to lock down the Art. 6 lawful basis, confirm whether the 85% adoption rate triggers Art. 22 prohibition or an exception, and document data minimization decisions for every model input field (GDPR Arts. 6, 22, 25, 35).
  3. Conduct a disparate impact assessment on the historical training dataset across protected classes for all three jurisdictions, document findings, and implement a remediation plan before launch; this single step partially satisfies Colorado CAIA deployer risk management, EU AI Act Arts. 15 and 16, and Colorado developer duty simultaneously (C.R.S. § 6-1-1706, AI Act Art. 15).
  4. Build and deploy candidate-facing notices for NY applicants (LL144 notice, at least 10 days before screening) and EU applicants (Art. 86 explanation right plus Art. 22 notice), and a recruiter-facing disclosure in the screening interface confirming AI-generated scores before any shortlist is reviewed (AI Act Art. 50(1), LL144).
  5. Establish a quality management system with version control and a mandatory recruiter override-documentation workflow before launch, so that every accepted recommended-no and every override is logged with candidate-specific rationale; this is your primary human oversight evidence under AI Act Art. 14 and your safe-harbor record under CAIA (AI Act Arts. 14, 16, C.R.S. § 6-1-1706).
Biggest open question

Whether the 85% recruiter adoption rate, combined with the binary recommended-yes/no output, constitutes solely automated decision-making under GDPR Art. 22 such that no legitimate-interest or contract-necessity basis can save it and explicit candidate consent becomes the only lawful path for EU processing.

AI laws that may apply

21 surfaced across 6 lenses

Grouped by legal lens.

AI-specific (8)
  • Human oversight (AI Act Art. 14) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must include human oversight measures to minimize risks to health, safety or fundamental rights.

  • Accuracy, robustness, security (AI Act Art. 15) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must achieve and maintain a high level of accuracy, robustness and cybersecurity, with continuous testing to prevent malfunctions.

  • Provider obligations for high-risk AI (AI Act Art. 16) · Settled rule, unsettled application · Verified 2026-05-25

    Providers of high-risk AI must ensure system compliance, affix CE mark, maintain quality management and documentation, and handle logging, conformity assessment, and corrective actions.

  • Disclosure of AI interaction (AI Act Art. 50(1)) · Settled rule, unsettled application · Verified 2026-05-25

    Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

  • Explanation of high-risk decisions (AI Act Art. 86) · Settled rule, unsettled application · Verified 2026-05-25

    Individuals subject to high-risk AI decisions that significantly affect them have the right to obtain a clear, meaningful explanation of the AI system role and the main decision elements.

  • Colorado AI Act: Definition of covered ADMT · Settled rule, unsettled application · Verified 2026-05-25

    Colorado AI Act defines an automated decision-making technology as one that processes personal data to generate recommendations or scores used to make consequential decisions.

  • Colorado AI Act: Developer duty · Settled rule, unsettled application · Verified 2026-05-25

    A developer of a high-risk AI system must use reasonable care to prevent known or foreseeable algorithmic discrimination.

  • Colorado AI Act: Deployer risk management · Settled rule, unsettled application · Verified 2026-05-25

    A deployer of a high-risk AI system must use reasonable care to address discrimination risks and implement an iterative risk management program.

Privacy (5)
  • Automated decision-making prohibition (GDPR Art. 22) · Settled rule, unsettled application · Verified 2026-05-25

    Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.

  • Data protection by design and by default (GDPR Art. 25) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.

  • Security of processing (GDPR Art. 32) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers and processors must implement appropriate technical and organizational measures to secure personal data according to the risk (e.g. encryption, resiliency).

  • Data Protection Impact Assessment (GDPR Art. 35) · Settled rule, unsettled application · Verified 2026-05-25

    Requires DPIA before processing that is likely high-risk to rights, e.g. systematic automated profiling with significant effects.

  • Lawfulness of processing (GDPR Art. 6) · Settled rule, unsettled application · Verified 2026-05-25

    Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Employment (2)
  • NYC LL144: Annual bias audit · Settled rule, unsettled application · Verified 2026-05-25

    NYC Local Law 144 mandates that employers using automated employment decision tools must conduct an annual bias audit of the tool and publicly post a summary of the results before use.

  • NYC LL144: Notice to candidates · Settled rule, unsettled application · Verified 2026-05-25

    Under NYC law, employers must notify job candidates and employees at least 10 business days before using an automated employment decision tool.

Security (2)
  • CIRCIA Incident Reporting · Settled rule, unsettled application · Verified 2026-05-25

    Under CIRCIA, designated critical-infrastructure companies must report covered cyber incidents to CISA within 72 hours of discovery.

  • New York SHIELD Act · Settled rule, unsettled application · Verified 2026-05-25

    NY SHIELD Act requires entities holding private information to implement reasonable safeguards and notify affected NY residents of data breaches.

Liability (1)
  • EU Revised Product Liability Directive (2024) · Settled rule, unsettled application · Verified 2026-05-25

    The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

Other (3)
  • EU AI Act, Art. 27 · Settled rule, unsettled application · Pending · omnibus_vii · Verified 2026-05-23

    Requires certain deployers of high-risk AI systems to perform a Fundamental Rights Impact Assessment (FRIA) before first use. Applies to public bodies, private entities providing public services, and deployers of high-ri…

  • GDPR, Art. 22 · Settled rule, unsettled application · Verified 2026-05-23

    Grants data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects them. Three exceptions: contract n…

  • CAIA, C.R.S. § 6-1-1706 · Pending · Pending · sb_25b_004_postponement_and_rulemaking · Verified 2026-05-23

    Establishes an affirmative defense for developers and deployers of high-risk AI systems. A defendant escapes liability if it (1) discovered and cured the violation through user-feedback channels, red-teaming, adversarial…

Worth watching (3)

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

  • Copyright and AI Training Data · Recent court guidance indicates that copying copyrighted works into AI models may infringe unless clearly tran… (skadden.com)
  • NYT v. OpenAI (Training Data) · The New York Times has sued OpenAI, alleging that using its copyrighted articles to train ChatGPT without perm… (theverge.com)
  • AI-Related Copyright Cases · Courts are grappling with AI and IP: e.g., in Thomson Reuters v. ROSS, a judge held that output of an AI model… (skadden.com)

Other flags

employment use

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.

AI hiring screen, entry-level (NY/CO/EU) — Anteroom