How should multistate employers comply with AI hiring laws?

Last verified: June 1, 2026

Answer

Multistate employers should baseline AI hiring against the strictest active regimes, then layer state specifics. That means Illinois notice, consent, non-discrimination, and DCEO reporting; Colorado's ADMT interaction notice, adverse-outcome disclosure, data correction, and meaningful human review from January 1, 2027; Minnesota profiling assessments where covered; and Texas TRAIGA limits on discriminatory and biometric AI. Build one governed workflow with vendor intake, bias monitoring, human review, and record retention.

Multistate employers should baseline AI hiring workflows against the strictest active regimes, then layer state-specific rules. In practice, that means Illinois notice, consent, non-discrimination, and reporting obligations; Colorado ADMT interaction notice, adverse-outcome disclosure, data correction, and meaningful human review for consequential employment decisions beginning January 1, 2027; Minnesota profiling and data-protection-assessment obligations where covered; and Texas TRAIGA controls for prohibited discriminatory or biometric AI uses. Texas HB-2060 should not be treated as a private-employer hiring disclosure or opt-out law; it was a state-agency AI advisory and inventory statute.

Sources checked

Scope

Sequencing guidance for employers operating across Illinois, Colorado (from 2027), Minnesota, and Texas. It prioritizes baselining against the strictest active regime, then layering state specifics. Provision-level detail lives in the individual state answers; this is the orchestration view.

Operational implication

A multistate program collapses into one governed workflow: vendor documentation intake before deployment, bias monitoring on an audit cadence, human-review routing that logs who reviewed what and when, an adverse-outcome response SLA, and record retention tied to each hiring event. State rules become parameters on that workflow, not separate compliance projects.

Applicable Regulations

HB-3773

Illinois Human Rights Act AI Amendment (Public Act 103-0804)

enacted

Amends the Illinois Human Rights Act (775 ILCS 5/) to prohibit employers from using artificial intelligence that subjects employees or applicants to discrimination based on protected classes, and from using zip codes as a proxy for protected classes. Requires employers to notify employees when AI is used in recruitment, hiring, promotion, discharge, discipline, or other terms and conditions of employment. Defines "artificial intelligence" and "generative artificial intelligence" for purposes of the Act.

Key Requirements

AI Discrimination Prohibition Cannot use AI that has the effect of subjecting employees to discrimination on the basis of protected classes identified under the Illinois Human Rights Act
Zip Code Proxy Ban Cannot use zip codes as a proxy for protected classes under the Illinois Human Rights Act
Employee Notice of AI Use Must provide notice to an employee that the employer is using AI for recruitment, hiring, promotion, discharge, discipline, or other employment-related decisions
Effective: 2026-01-01 Penalties: Enforced through the Illinois Human Rights Act framework by the Illinois Department of Human Rights (IDHR); remedies follow IHRA procedures (injunctive relief, damages, attorney's fees) rather than a specific monetary penalty schedule in the amendment itself.
SB-26-189

Colorado AI Act — Automated Decision-Making Technology (SB 26-189, repeal & reenactment of SB 24-205)

enacted

On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.

Key Requirements

Interaction Notice Deployers must give clear notice at the point of interaction when a consumer interacts with an automated decision-making technology (ADMT)
Adverse-Outcome Disclosure Provide a plain-language explanation within 30 days of an adverse consequential decision made or substantially influenced by an ADMT
Data Correction Right Allow consumers to request correction of factually incorrect personal data used by the ADMT
Meaningful Human Review Provide meaningful human review and reconsideration after an adverse consequential decision
Developer Documentation Developers must supply technical documentation (intended uses, known harmful uses, training-data categories, known limitations and risks, and instructions enabling meaningful human review), notify deployers of material updates, and retain compliance records for 3+ years. Like all duties under the act, these obligations begin 2027-01-01
Effective: 2027-01-01 Penalties: Enforced exclusively by the Colorado Attorney General; violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Before enforcement the AG must give 60 days' written notice and an opportunity to cure; this cure right sunsets 2030-01-01, after which enforcement may be immediate. The AG has stated no enforcement will occur until the mandatory rulemaking process concludes.
HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Key Requirements

Core Consumer Rights Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.
Opt-Out of Profiling and Targeted Advertising Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Profiling Challenge and Explanation Right When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.
Data Protection Assessment Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.
Privacy Notice Requirements Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.
Attorney General Enforcement Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.
Effective: 2025-07-31 Penalties: Civil penalties of up to $7,500 per violation, enforceable by the Minnesota Attorney General. No private right of action. Court may also award injunctive relief and litigation costs. The 30-day cure period expired January 31, 2026; full enforcement without cure rights began February 1, 2026.
HB-149

Texas Responsible Artificial Intelligence Governance Act (TRAIGA)

enacted

Signed June 22, 2025; effective January 1, 2026. TRAIGA is Texas's primary comprehensive AI governance law from the 89th Legislature. It establishes prohibited AI practices applying to all entities that promote, advertise, or conduct business in Texas, produce products or services for Texas residents, or develop/deploy AI systems in the state. Key prohibitions cover behavioral manipulation (inciting self-harm, violence, or criminal activity), government social scoring, unlawful discrimination, government biometric identification from public sources without consent, and constitutional rights infringement via AI. Government agencies must disclose to consumers when they are interacting with an AI system, using clear and conspicuous language free of dark patterns; healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188. Enforcement is exclusively by the Texas Attorney General; no private right of action exists. A 36-month regulatory sandbox program allows companies to test AI systems with certain requirements waived. The law also establishes the Texas Artificial Intelligence Council (seven members) to advise on ethical, privacy, and public safety implications — though the Council cannot adopt binding rules.

Key Requirements

Prohibition on Behavioral Manipulation Cannot develop or deploy AI systems intentionally designed to incite or encourage a person to commit physical self-harm (including suicide), harm another person, or engage in criminal activity
Government Social Scoring Ban Government entities cannot use AI to assign detrimental categorical scores to individuals based on their behavior or personal characteristics
Biometric Identification Prohibition (Government Entities) Government entities cannot use AI with publicly available images or data to uniquely identify individuals via biometric identifiers without consent (law enforcement and fraud prevention excepted). This prohibition does not apply to private-sector employers; their biometric consent obligations for AI tools — such as video-interview face or voice capture — are governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), which TRAIGA amended effective January 1, 2026
Unlawful Discrimination Prohibition Cannot intentionally deploy AI to discriminate against protected classes under state and federal law; note that disparate impact alone is insufficient to prove intent
Constitutional Rights Protection Cannot develop or deploy AI systems designed to infringe constitutional rights or target individuals based on constitutionally protected characteristics
AI Interaction Disclosure Government agencies must disclose to consumers, before or at the time of interaction, that they are interacting with an AI system; disclosures must be clear and conspicuous with no dark patterns. Healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188 (effective September 1, 2025), not by TRAIGA
Effective: 2026-01-01 Penalties: Civil penalties enforced exclusively by the Texas Attorney General. Curable violations: up to $12,000 per violation. Uncurable violations: up to $200,000 per violation. Continuing violations: up to $40,000 per day. A 60-day written cure period is provided before enforcement action for curable violations. State agencies may also impose additional sanctions including license suspension or revocation up to $100,000.

Industry Context

HR & Recruiting Firms

Staffing agencies, recruiting firms, and HR technology providers that use AI for candidate sourcing, resume screening, interview analysis, and employment decision support. These firms face heightened regulatory scrutiny because AI in hiring directly affects individuals' economic opportunities.

Typical Compliance Gaps

No bias audit or disparate impact testing of hiring AI tools
No applicant notification that AI is used in screening or scoring
Lack of documentation linking AI outputs to adverse employment decisions
Unaware of AI exclusion endorsements in EPL or E&O policies

Full State Analysis

Illinois AI Regulations Colorado AI Regulations Minnesota AI Regulations Texas AI Regulations

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Governed AI DeploymentRun AI inside real work with audit trails, human review points, and the operating controls underwriters and regulators expect.Managed Intake & QualificationCapture, qualify, and route incoming work with disclosure, consent, and human review built into the intake step.

Discuss a Governed Hiring Workflow

Design the single governed hiring workflow behind all four states with Gridex's governed AI deployment service (/services/governed-ai-deployment/); scope it via a hiring compliance review (/services/ai-hiring-compliance-review/).

Discuss a Governed Hiring Workflow

Related Questions

  • Can I use AI for hiring in Illinois? Yes, but two distinct Illinois laws apply. HB-3773 (effective January 1, 2026) amended the Illinois Human Rights Act to prohibit employers from using AI that discriminates against protected classes or uses zip codes as a proxy, and it requires notice to employees that AI is being used in employment decisions (recruitment, hiring, promotion, discipline, tenure, or terms and conditions). Separately, the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, 820 ILCS 42), in effect since 2020, applies specifically when AI analyzes applicant video interviews: employers must notify the applicant, explain how the AI works, obtain written consent, limit video sharing to necessary evaluators, delete videos within 30 days of an applicant's request, and — per the 2022 amendment (PA 102-47) — report applicant racial/ethnicity data annually to DCEO. If AI hiring tools also capture biometric identifiers (e.g., facial geometry from video), the separate Illinois Biometric Information Privacy Act (BIPA) creates additional consent and liability obligations. Illinois employers using AI for any form of employment decision should map their process against all three regimes.
  • What AI rules apply to hiring in Texas? Texas does not currently have a private-sector AI hiring disclosure or candidate opt-out law comparable to Illinois, Colorado, or NYC Local Law 144. Texas HB-2060 was a state-agency AI advisory and inventory law, not an employer hiring rule. The main Texas AI law for private employers is HB-149 (TRAIGA), effective January 1, 2026: for hiring AI it matters mainly if the system is intentionally deployed to discriminate against protected classes or otherwise falls into TRAIGA's prohibited-practice categories. TRAIGA's biometric-identification and social-scoring prohibitions apply to government entities only — biometric consent for private-sector AI tools, such as video-interview face or voice capture, is governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), not TRAIGA. Employers using AI in Texas should still document the tool, human review points, bias controls, and any biometric consent process.
  • Does Colorado require AI impact assessments? No longer. SB 26-189 (signed 2026-05-14) repealed and reenacted Colorado's AI Act, eliminating the impact-assessment requirement entirely. Colorado now instead requires deployers of automated decision-making technology (ADMT) to: give consumers clear interaction notice, disclose adverse consequential decisions within 30 days, allow correction of incorrect personal data, and provide meaningful human review and reconsideration. The statute formally takes effect 2026-08-12, but all compliance obligations — for deployers and developers alike — begin 2027-01-01.
  • Which states have AI hiring laws? Illinois and Colorado have the most direct state-level AI hiring rules. Illinois HB-3773 and the AI Video Interview Act cover notice, consent, non-discrimination, video-interview limits, and reporting. Colorado's AI Act (SB 26-189, with obligations beginning January 1, 2027) covers ADMT used for consequential employment decisions through interaction notice, adverse-outcome disclosure, data correction, and meaningful human review. Minnesota HF-4757 can reach employment profiling through privacy and data-protection-assessment obligations. Texas should be tracked for TRAIGA (HB-149) prohibited practices, especially intentional discrimination and biometric identification, but HB-2060 is not a private-employer AI hiring disclosure law.
  • Which states require disclosure when AI screens resumes? Illinois and Colorado are the clearest state-level disclosure regimes for AI-assisted employment screening. Illinois requires notice for AI use in employment decisions under HB-3773, and written consent plus an explanation before AI analyzes video interviews under the Illinois Artificial Intelligence Video Interview Act. Colorado's reenacted AI Act (SB 26-189) requires interaction notice, adverse-outcome disclosure, data correction, and meaningful human review when ADMT makes or substantially influences consequential employment decisions, with obligations beginning January 1, 2027. Texas does not currently impose a private-sector candidate disclosure rule for resume screening; HB-2060 was a state-agency inventory law, while TRAIGA (HB-149) can still matter for discriminatory or biometric AI uses.
Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. AI regulations and insurance policy terms change frequently. Consult with a qualified attorney or insurance professional for advice specific to your situation. Gridex makes no warranties regarding the accuracy or completeness of this information.