Three years ago, almost nobody asked who’s legally responsible if your resume screener turned out to be biased. Now there’s a court ruling on it, five state laws addressing it, and a federal enforcement plan built around it. That’s how fast this moved.
Most agencies didn’t plan to become heavy users of AI in hiring. A screener got added because it cut down resume volume. A chatbot picked up the application overflow. Somebody liked a video interview tool at a conference and rolled it out. None of it felt like a strategic bet; it was just operations, one tool at a time.
Here’s the part that’s changed: regulators have stopped treating the vendor as the responsible party. If your agency uses any of these tools to screen, score, or rank candidates, you’re the one on the hook. Not Workday. Not Eightfold. You. If you’re trying to figure out where your own staffing compliance software stands against what the law now actually requires, this is the rundown.
On June 4, 2026, the EEOC signed its National Enforcement Plan for FY 2025–2029. Buried in there is a line that matters more than its placement suggests: algorithmic fairness in selection procedures is now a named enforcement priority.
That’s a meaningful shift from “we’ll look into it if someone complains.” This is the EEOC saying, in writing, that they’re going to go looking.
The legal standard is disparate impact, which is a fancy way of saying intent doesn’t matter. Nobody has to prove your screening tool was meant to discriminate. Under the federal four-fifths rule, if your tool selects candidates from a protected group at a rate below 80% of whatever the top group’s rate is, that’s enough to trigger scrutiny. At that point, the burden shifts to you to prove the criteria were job-related and necessary. Saying the vendor tested it and called it fine isn’t going to cut it.
There’s also a newer wrinkle worth flagging: the EEOC’s November 2025 guidance specifically calls out agencies whose automated workflows quietly deprioritize U.S. workers in favor of visa-holding candidates, usually for cost reasons. I’ve talked to agencies that genuinely didn’t realize their scoring weights were doing this. It happens. It’s also now explicitly something regulators are watching for, and “it was cheaper” isn’t a defense.
For a long time, the working assumption in staffing was simple: if the AI tool screwed up, that was the vendor’s problem to deal with. Mobley v. Workday is the case that ended that assumption.
A candidate applied to over 100 jobs through Workday’s platform and alleged the screening algorithm consistently filtered out Black, older, and disabled applicants. In July 2024, the court ruled that a software provider can be held directly liable as an agent under Title VII, the ADEA, and the ADA, specifically because the AI was actively scoring, ranking, and rejecting people on behalf of employers, not just suggesting options for a human to review. By March 2026, the court went further and confirmed that job applicants get the same disparate impact protection as people already employed.
In practice, once your platform filters candidates, you have effectively delegated hiring authority to it. Most enterprise software contracts cap vendor liability at about twelve months of subscription fees, but a class action can cost far more. Your agency may be responsible for the gap.
One more thing worth tracking: in January 2026, a class action was filed against Eightfold AI under the Fair Credit Reporting Act. The argument is that AI platforms generating candidate scores are functioning like consumer reporting agencies, which would mean a whole new set of data accuracy and disclosure rules on top of the civil rights stuff. It hasn’t been decided yet. But if it goes in that direction, this gets more complicated, not less.
The State Laws Already on the Books
There’s no single federal AI hiring law. What you’ve got instead is five-plus states moving at different speeds with different requirements, and agencies operating in more than one of them must track all of it at once.
| State / Law | Live As Of | What It Requires | Penalty |
| --- | --- | --- | --- |
| Colorado (CAIA) | June 30, 2026 | Annual impact assessments, candidate notice before AI use, appeal rights, report bias to AG within 90 days | $20,000 per affected decision |
| California (CRC + CPPA) | Oct 2025 / Jan 2026 | 4-year data retention, joint liability for vendor tools, candidate opt-out right, logic disclosure | FEHA civil suits + CPPA audits |
| Connecticut (CART Act) | Core rules: Oct 1, 2027 | 10-day pre-deployment notice, disclosing AI in WARN filings, proactive bias testing | State AG enforcement, no vendor-delegation defense |
| Illinois (Video Interview Act) | Active | Notice of grading criteria, candidate consent, and deletion of recordings within 30 days on request | Dept. of Human Rights + civil action |
| Utah (UAIP Act) | Active | Disclose clearly when candidates interact with generative AI, including chatbots | Up to $2,500 per violation |
Colorado is the one to pay closest attention to. Fully in effect June 30, 2026, it requires annual impact assessments for every high-risk system you’ve got running, with documentation on purpose, data, known limitations, the works. Reject a candidate through one of these systems, and you owe them an explanation of what the AI weighed, what data went in, and how to ask for a human to look at it instead. Find out your system has a bias problem, and the clock starts: 90 days to tell the Attorney General.
California adds a four-year retention requirement on top of everything else. Connecticut’s newer CART Act throws in something most agencies haven’t thought about yet: disclosing AI involvement in WARN Act filings if a mass layoff connects back to an algorithm somehow.
Running across three or four of these states at once isn’t a policy problem you solve once. It’s something that needs a person to check on regularly.
New York City’s Local Law 144 was the first law to require independent bias audits on these tools, and even outside New York, its math has basically become the industry standard everyone references.
The setup: someone with zero financial or employment ties to your agency or your vendor must evaluate every active screening tool, and they need to do it within 12 months before the tool gets used. They’re calculating selection rates and impact ratios across protected groups, including 14 intersectional combinations of sex and race or ethnicity. It’s more granular than most agencies expect the first time they go through it.
For tools with a simple pass/fail outcome, they compare each group’s selection rate to whichever group scored highest. For tools that produce a numeric score, they check who landed at or above the median. Anything under a 0.80 ratio means you either document a real business reason for it or fix the tool. And the results (audit date, how many applicants, and where the data came from) go on your public website. Not buried in a PDF nobody finds. Public.
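The ratio check described above, as an added example (not code from this article or from any auditor): it computes selection rates for a pass/fail tool and at-or-above-median rates for a scored tool, divides each by the top group’s rate, and flags anything under 0.80. Group labels, sample records, and function names are constructed for illustration; exact fractions are used so a ratio of exactly 0.80 is not misflagged by floating-point rounding.

```python
from collections import defaultdict
from fractions import Fraction
from statistics import median

THRESHOLD = Fraction(4, 5)  # the 0.80 floor; exact, so a ratio of exactly 0.80 passes

def selection_rates(records):
    """records: (group, selected) pairs from a pass/fail tool."""
    seen, picked = defaultdict(int), defaultdict(int)
    for group, selected in records:
        seen[group] += 1
        picked[group] += bool(selected)
    return {g: Fraction(picked[g], seen[g]) for g in seen}

def scoring_rates(records):
    """records: (group, score) pairs from a tool that emits a numeric score.
    A group's rate is its share at or above the median of the whole sample."""
    records = list(records)
    cutoff = median(score for _, score in records)
    return selection_rates((g, score >= cutoff) for g, score in records)

def impact_ratios(rates):
    """Each group's rate divided by the highest group's rate."""
    top = max(rates.values())
    if top == 0:  # nobody selected at all: the ratio is undefined
        return {g: None for g in rates}
    return {g: r / top for g, r in rates.items()}

def flagged(ratios):
    """Groups under the 0.80 floor: document a business reason or fix the tool."""
    return sorted(g for g, r in ratios.items() if r is not None and r < THRESHOLD)

# Constructed sample data; group labels are placeholders, not real categories.
PASS_FAIL = ([("group_a", True)] * 30 + [("group_a", False)] * 20
             + [("group_b", True)] * 18 + [("group_b", False)] * 22
             + [("group_c", True)] * 24 + [("group_c", False)] * 26)
SCORED = ([("group_a", s) for s in (90, 80, 70, 60)]
          + [("group_b", s) for s in (65, 55, 50, 40)])

if __name__ == "__main__":
    for name, rates in (("pass/fail", selection_rates(PASS_FAIL)),
                        ("scored", scoring_rates(SCORED))):
        ratios = impact_ratios(rates)
        for g in sorted(ratios):
            print(f"{name:9} {g}: rate={float(rates[g]):.2f} ratio={float(ratios[g]):.2f}")
        print(f"{name:9} below 0.80: {flagged(ratios)}")
```

In the pass/fail sample, group_c lands at exactly 0.80 and is not flagged, while group_b at 0.75 is.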
The New York State Comptroller looked at this closely in December 2025 and found something uncomfortable: the city had reviewed 32 companies and found one compliance issue. The Comptroller reviewed the same 32 companies and found seventeen. Same companies, same data, wildly different results, because the companies that weren’t compliant hadn’t published anything, and nobody was checking. That’s changing. Passive enforcement is on its way out.
1. Start with an inventory.
Write down every tool that touches a candidate’s decision: vendor, data in, data out, where it sits in the pipeline. Tedious, but it’s the first thing any regulator asks for. Most agencies are surprised how many tools they’re actually running. A platform with end-to-end workflow visibility makes this far less painful.
2. Get bias audits done every 12 months.
Third-party, no ties to you or the vendor. They calculate selection rates and impact ratios across protected groups. Below 0.80, fix it or justify it in writing, then publish the results.
3. Renegotiate your vendor contracts.
Most were signed before any of this existed. Push for training data documentation, known limitations, and the vendor’s own audit history. Don’t accept standard liability caps; twelve months of subscription fees won’t cover what’s at stake. Get a 90-day bias-disclosure clause too; it lines up with Colorado’s own deadline anyway.
4. Sort out your data retention.
Four years for candidate inputs, scores, and rankings: that’s California’s bar, and the highest one, so just build to it. Impact assessments need three years under Colorado. And if Illinois requires deleting a video interview on request, that needs to happen immediately, not eventually.
5. Put a real human back in the loop.
No screening process should run fully automated with nobody able to override it. California and Colorado both lean hard into this. Every rejected candidate needs an actual way to ask for a second look, not a contact email nobody checks. Worth checking your broader workforce management setup too, since the same blind spots tend to show up elsewhere.
Here’s the honest read on all of this: regulators decided that if your system is the one filtering people out of jobs, you’re the one who answers for what it does. That’s not an unreasonable place to land, even if it’s inconvenient.
None of the five things above is complicated on its own. An inventory. Annual audits. Better contracts. Retention policy. A human checkpoint. What makes it hard is doing all five consistently, across every tool, in every state you operate in, without it becoming someone’s part-time job that gets deprioritized the second hiring volume spikes.
Agencies still running unaudited tools or operating off contracts from three years ago are sitting on real exposure right now. Not theoretically: Colorado’s law is live this month.
The agencies that get ahead
The agencies that handle 2026 without constant fire drills aren’t necessarily the ones with the biggest legal departments. They’re the ones whose everyday platform already captures most of what compliance asks for: clean records, structured data, and a process that holds up if someone asks to see it.
That’s the thinking behind how Zenople is built. If you’re already running on it, a good chunk of what’s described above is closer to done than you’d expect. If you’re not, and some of the gaps in this article sounded a little too familiar, it’s worth seeing what the platform does day to day.