Most of the recently enacted state-level consumer data privacy statutes have added a focus on automated decisions that “produce legal or similarly significant effects” concerning an individual. Most of the statutes simply allow consumers to opt out of such automated decision-making processes. But some of the data protection statutes go further.

For example, the Minnesota Consumer Data Privacy Act (“MCDPA”) has provisions that address the issue of automated decision-making based on the profiling of a consumer’s personal data. The MCDPA has a standard set of rights granted to consumers, such as the right to know what personal data is collected, with whom the data is shared, the right to a copy of the data, the right to opt out of certain data processing, etc. But there are additional rights related to automated data decision-making. In terms of a real-world example, consider the use of automated and computer-based data to make a decision about issuing credit. Under the MCDPA, consumers can opt out of having their personal data profiled in this manner, but there are other options.

In particular, controllers and processors must establish procedures to inform consumers:

• About the automated decision-making process — that it exists, how it works, what factors are considered, etc.
• Information about why the particular decision was made and/or what factors led to the decision
• What the consumer could change to obtain a different result, and
• Information about and the right to obtain a reevaluation based on changed/updated data

For consumer advocates, the animating principles here are potential bias in the use of automated decision-making and the lack of any human oversight.

These are the same animating principles for those who are concerned about the use of automated employment decision tools (“AEDT”). AEDTs are computer and AI modules and programs used for hiring and employment promotion decisions. Examples of AEDTs include programs or AI modules that evaluate resumes, rate and evaluate video job interviews based on responses, body language ,and behaviors, software that screens and filters applications based on keywords, etc. For those who oppose these new technologies, bias is a large concern, along with the absence of human involvement.

Interestingly enough, opponents of the use of AEDT may find some value in reviewing how the data privacy statutes are being drafted. Most of the data privacy statutes do not apply to employment decisions. So those statutes will not be directly useful in limiting any bias or discrimination generated by the use of AEDTs. However, at least three States have enacted statutes specific to the use of AEDTs. Those states are New York, Colorado, and Illinois. In each case, the statutes are aimed at notifying job applicants that AEDTs are being used and, except for Illinois, requiring some sort of bias impact study. Consumer advocates will probably find such statutory regimes to be underwhelming. Maybe something more in line with the rights granted by the MCDPA, as discussed above, would be more appropriate.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

State Laws Targeting Automated Employment Decision Tools

Automated employment decision tools (AEDTs) — software that evaluates resumes, scores video interviews, or filters applicants based on algorithmic profiling — are increasingly common in large-scale hiring. They are also increasingly regulated. Three states have enacted specific statutes targeting AEDT use in hiring: New York City (Local Law 144), Colorado (SB 205), and Illinois (AI Video Interview Act, 820 ILCS 42). Understanding what each requires is essential for any employer that uses these tools.

New York City Local Law 144

New York City’s Local Law 144, which took effect in 2023, is the most aggressive AEDT statute currently in force. It applies to employers and employment agencies that use an AEDT to screen candidates for positions or promotions where the position is in or will be in New York City. The law requires employers to:

• Conduct or commission a bias audit of the AEDT by an independent auditor before use and at least annually thereafter
• Publish a summary of the most recent bias audit results on the employer’s website
• Notify candidates who reside in New York City that an AEDT will be used in the hiring process at least 10 business days before the tool is used
• Provide candidates with information about the AEDT’s data categories upon request

The bias audit requirement is the most technically demanding aspect of LL 144. The audit must calculate the selection rate and the impact ratio — a measure of whether the AEDT selects candidates from different demographic groups at statistically disparate rates — across sex, race, and ethnicity categories. Employers who fail to comply face civil penalties of up to $1,500 per violation per day. LL 144 is enforced by the New York City Department of Consumer and Worker Protection.

Colorado SB 205 and the Broader AI Accountability Framework

Colorado’s SB 205, enacted in 2024, takes a broader approach, regulating “high-risk artificial intelligence systems” that include employment-related tools. It imposes obligations on both developers and deployers of AI systems, including requirements to use reasonable care to protect against “algorithmic discrimination” in covered applications. The statute requires developers to provide deployers (employers) with information about the AI system’s purpose, known risks, and appropriate use. Deployers must conduct annual impact assessments and provide notice to individuals subject to a covered AI decision that results in a “consequential decision” — including a hiring or promotion outcome.

Colorado’s approach is notably influenced by the data privacy framework. Just as consumer privacy statutes give individuals the right to know about and appeal automated decisions affecting their financial status, SB 205 transplants similar rights into the employment context. The connection the original article identifies — between consumer data privacy law and AEDT regulation — is not theoretical. Colorado and other states are consciously drawing from their privacy frameworks to construct AI employment accountability rules.

Illinois AI Video Interview Act

Illinois was an early mover in this space. Its AI Video Interview Act, effective since January 2020, requires employers that use AI to analyze video interviews to: (1) notify applicants before the interview that AI will be used to evaluate their responses; (2) explain how the AI works and what characteristics it evaluates; and (3) obtain the applicant’s consent before the interview. Employers are also prohibited from sharing the video interview with anyone except those necessary to evaluate the candidate, unless the applicant consents. Critically, applicants can request deletion of their video and any associated data, and employers must comply within 30 days.

Illinois has not yet enacted a comprehensive bias audit requirement comparable to New York City’s LL 144, but the legislative landscape is evolving rapidly. Employers operating in Illinois should monitor legislative developments and ensure that their video interview vendors are compliant with the existing statute.

Federal Law: Title VII and Disparate Impact

Even absent a specific AEDT statute, federal employment discrimination law applies to algorithmic hiring tools. Title VII of the Civil Rights Act of 1964 prohibits employment practices that have a disparate impact on protected groups — regardless of the employer’s intent. An AEDT that systematically screens out female applicants, older applicants, or applicants of a particular race is vulnerable to Title VII challenge even if the algorithm itself is facially neutral. The Equal Employment Opportunity Commission (EEOC) has issued guidance making clear that employers cannot shield discriminatory outcomes behind algorithmic processes.

The Age Discrimination in Employment Act (ADEA) also applies. AEDTs that use proxies for age — years since graduation, gap years, certain keywords — can create disparate impact liability for age discrimination even if age is never directly inputted. Employers deploying these tools should conduct regular internal audits, work with vendors to obtain bias audit results, and document compliance efforts. The employment and AI compliance attorneys at Revision Legal advise businesses on navigating this rapidly evolving regulatory landscape. Contact us to discuss your AEDT compliance posture.