# State laws on employer AI monitoring[^about] State rules for employer AI monitoring, including California ADMT governance, New York notice laws, Delaware consent, and Illinois BIPA risk. ## Which state laws apply when employers use AI to monitor workers? {#which-state-laws-apply-to-ai-worker-monitoring} **Short answer.** It depends, because states regulate different layers of the same monitoring stack. The practical map is notice law, biometric privacy, and employment-decision governance. The cleanest way to see the patchwork is in three layers. Some states regulate monitoring as monitoring: New York, Connecticut, and Delaware mainly require notice before employers monitor communications or activity. [^n-y-civ-rights-law-52-c][^conn-gen-stat-31-48d][^19-del-c-705] Some states regulate the data layer: Illinois is still the outlier because biometrics pull monitoring into BIPA's notice, retention, release, and private-action regime. [^740-ilcs-14-biometric-information-privacy-act][^rosenbach-v-six-flags-ent-corp-2019-il-123186] And a smaller group regulates employment decisions themselves. California now treats certain AI-assisted workplace decisions as ADMT-regulated significant decisions, Illinois prohibits discriminatory AI use in covered employment decisions and requires notice to employees, and Colorado has enacted a similar consequential-decision regime that does not take effect until June 30, 2026. [^california-privacy-protection-agency-ccpa-regula][^775-ilcs-5-2-102][^colorado-ai-act-colo-rev-stat-title-6][^colorado-sb25b-004] So the real question is usually not whether a state has an AI monitoring law. It is which legal layer a tool activates once it starts observing people and shaping work. The law-firm commentary is mostly converging, not splitting. Baker McKenzie treats California employee monitoring as privacy law first: notice is necessary, but the deeper idea is proportionality and necessity under the CCPA framework. [^baker-mckenzie-employee-monitoring-in-the-us-and] Ogletree Deakins says the same thing from Illinois in a different register: the new Illinois employment-AI law prohibits discriminatory AI use and requires notice when AI is used for covered employment purposes. [^ogletree-deakins-illinois-steps-up-ai-regulation] Littler's broader surveys put those pieces into a patchwork map rather than a single theory. Illinois and Maryland are the direct AI-interview jurisdictions, California is moving into decision-system governance, and older monitoring statutes in the Northeast still matter because workplace tools often start as surveillance products before anyone calls them AI. [^littler-what-does-the-2025-artificial-intelligen][^littler-divergent-paths-on-regulating-artificial] The first consequence is category drift. The same software can be a security tool in one state, a monitoring tool in another, and an employment-decision tool in a third. A keystroke logger, meeting-analysis tool, or productivity dashboard may look mundane until its output starts allocating work, setting pay, ranking people, or supporting discipline. California makes that move explicit. Colorado, once effective, will do something similar. Illinois gets there through a different route when biometrics or protected-class effects are involved. [^california-privacy-protection-agency-ccpa-regula][^colorado-ai-act-colo-rev-stat-title-6][^740-ilcs-14-biometric-information-privacy-act][^775-ilcs-5-2-102] The fourth consequence is directional rather than immediate. The enacted laws are still uneven, but the direction of travel is visible. The older statutes ask for notice. California asks for transparency plus access and contestability around significant decisions. Colorado adds impact assessment and appeal when it becomes effective. The pending California bills go further still by trying to regulate managerial reliance on automated systems directly. [^california-privacy-protection-agency-ccpa-regula][^colorado-sb25b-004][^crowell-moring-california-sb-947-no-robo-bosses] Perhaps the non-obvious point is that the law is moving less toward banning monitoring and more toward forcing a company to say what the tool is doing, why it is doing it, and whether a human can meaningfully interrupt the result. ## When does California treat employee monitoring as an AI employment decision? {#when-california-ai-monitoring-becomes-employment-decision} **Short answer.** Usually when monitoring output allocates work, pay, discipline, demotion, suspension, or termination. California now regulates that use as automated decisionmaking technology tied to employment-related significant decisions. California is now the state where employee monitoring most clearly becomes employment-decision law. The old employee-data carveout under the CCPA is gone, and the CPPA's final ADMT regulations took effect on January 1, 2026. [^california-privacy-protection-agency-ccpa-statut][^california-privacy-protection-agency-regulations] The regulations define employment-related significant decisions broadly enough to reach the practical outputs of workplace monitoring, including allocation or assignment of work ... demotion, suspension, and termination. They require a pre-use notice, access rights, and in many cases opt-out or human-appeal rights. They also give an explicit example of an employer using productivity monitoring software to determine work allocation, compensation, and which employees will be demoted. [^california-privacy-protection-agency-ccpa-regula-2] That is a different posture from ordinary surveillance notice law. It means the software becomes regulated not just because it watches people, but because it allocates work or supports adverse action. The timing point matters too: the regulations are in force now, but tools already used for significant decisions before January 1, 2027 have until that date to comply.must be in compliance ... no later than January 1, 2027 The California commentary is forward-looking in a different way. Ogletree, Crowell, and Perkins Coie all read the 2026 California bills as evidence that Sacramento is trying to move from privacy disclosure into workplace-process regulation, especially around discipline, termination, and worker notice. [^ogletree-deakins-california-workplace-ai-notice][^crowell-moring-california-sb-947-no-robo-bosses-2][^perkins-coie-navigating-the-growing-landscape-of] The important qualifier is that these are proposals. Current California law is the CPPA regime, not the bills. The line between monitoring and decisionmaking is also still moving. California has already said the quiet part out loud by using productivity monitoring as an example of ADMT in employment decisions. [^california-privacy-protection-agency-ccpa-regula-2] Other states are less explicit. New York's monitoring statute includes a systems-maintenance exception where monitoring manages the type or volume of electronic communications or internet usage and is not targeted at a particular individual. [^n-y-civ-rights-law-52-c-2] That suggests a practical line between network hygiene and person-specific supervision, but only California currently spells out the decision side in detail. ## What notice do New York, Connecticut, and Delaware require for AI monitoring? {#what-notice-required-for-ai-monitoring-in-ny-ct-delaware} **Short answer.** Usually these states require written or electronic notice before monitoring communications or activity. Those notice laws do not answer whether the same tool also triggers biometric, hiring, or employment-decision rules. New York, at the state level, is plainer than people think. The core state monitoring statute is Civil Rights Law § 52-c. It requires prior written notice on hiring, employee acknowledgment, and conspicuous posting when an employer with a place of business in New York monitors telephone conversations, email, or internet usage electronically. The notice must say those communications "may be subject to monitoring at any and all times and by any lawful means"[^n-y-civ-rights-law-52-c-3]. The Attorney General enforces the law, with penalties of $500 for a first offense, $1,000 for a second, and $3,000 for later offenses. [^n-y-civ-rights-law-52-c-3] The SHIELD Act adds the data-security layer. It requires businesses holding New York residents' private information to "develop, implement and maintain reasonable safeguards"[^n-y-gen-bus-law-899-bb], and the definition of private information includes biometric information and online credentials. [^n-y-gen-bus-law-899-bb][^n-y-gen-bus-law-899-aa][^new-york-attorney-general-shield-act-guidance] New York therefore regulates employer AI monitoring mostly as communications monitoring plus information security. The algorithmic hiring regime most people associate with New York is usually New York City Local Law 144, which is nearby and influential, but it is not the state-law answer. [^new-york-city-department-of-consumer-and-worker] Connecticut and Delaware still matter because they are old-fashioned notice statutes that many AI discussions skip. Connecticut's § 31-48d broadly defines electronic monitoring and requires prior written notice and a conspicuous posting, with a narrow covert-monitoring exception tied to suspected unlawful conduct, violations of legal rights, or hostile-work-environment misconduct. [^conn-gen-stat-31-48d-2] Delaware's § 705 requires either a one-time acknowledged notice or a daily electronic notice for monitoring of telephone conversations, email, or internet usage by or of a Delaware employee, with a $100 civil penalty per violation. [^19-del-c-705-2] Maryland belongs on the edge of the map because it specifically prohibits use of facial-recognition services to create a facial template during an applicant interview unless the applicant signs a waiver meeting statutory requirements. [^md-code-lab-empl-3-717] The useful disagreement is less about substance than about where people place New York. DLA Piper's recent New York discussion is driven by the December 2025 comptroller audit of New York City Local Law 144 and the expectation of tougher city enforcement. [^dla-piper-critical-audit-of-nyc-s-ai-hiring-law][^office-of-the-new-york-state-comptroller-enforce] That matters, but it also slightly distorts the state-law picture. At the state level, New York is still a monitoring-notice statute plus a security statute. The city is where the formal bias-audit regime lives. The second consequence is that New York, Connecticut, and Delaware can create false comfort. Their rules are real, but they are mostly notice rules. A company can satisfy those statutes and still have learned almost nothing about whether its vendor is creating Illinois biometric exposure or California ADMT obligations. State monitoring law and state employment-AI law are adjacent, not interchangeable. [^n-y-civ-rights-law-52-c-3][^conn-gen-stat-31-48d-2][^19-del-c-705-2][^740-ilcs-14-biometric-information-privacy-act-2][^california-privacy-protection-agency-ccpa-regula-3] Remote-worker geography is still the messiest issue. Connecticut's monitoring statute is framed around collection of information on an employer's premises, while Delaware speaks in terms of monitoring by or of a Delaware employee and New York speaks in terms of employers with a place of business in the state. [^conn-gen-stat-31-48d-2][^19-del-c-705-2][^n-y-civ-rights-law-52-c-3] California focuses on the use of personal information in employment-related significant decisions, and Colorado focuses on consequential decisions affecting Colorado residents. [^california-privacy-protection-agency-ccpa-regula-3][^colorado-ai-act-colo-rev-stat-title-6-2] We think the result is not a clean territorial rule but a stack of different hooks, each tied to a different statute. ## When does Illinois AI monitoring create BIPA or discrimination exposure? {#when-illinois-ai-monitoring-creates-bipa-or-discrimination-risk} **Short answer.** Usually when the tool collects biometric data or affects covered employment decisions. BIPA creates private-action exposure, while Illinois employment-AI rules add discrimination and notice risk. Illinois remains the state where monitoring is most likely to turn into plaintiff-facing litigation. BIPA still does the heavy lifting. Before collecting or storing biometric identifiers or biometric information, a private entity must provide written notice, state the purpose and duration, and obtain a "written release"[^740-ilcs-14-biometric-information-privacy-act-3]. It must also maintain a public retention-and-destruction policy, protect the data, and avoid unauthorized disclosure or profit from the data. Section 20 preserves the private right of action and liquidated damages of $1,000 for negligent violations and $5,000 for reckless or intentional ones. [^740-ilcs-14-biometric-information-privacy-act-3] Rosenbach still matters because the Illinois Supreme Court held that a person can be "aggrieved"[^rosenbach-v-six-flags-ent-corp-2019-il-123186-2] by the statutory violation itself, without separate actual injury. [^rosenbach-v-six-flags-ent-corp-2019-il-123186-2] The 2024 amendment to BIPA reduced serial-scan exposure by treating repeated collection from the same person by the same method as a single violation for notice and release purposes, but it did not turn BIPA into a minor rule. [^740-ilcs-14-biometric-information-privacy-act-3] Illinois also has two direct AI-employment statutes. The Artificial Intelligence Video Interview Act covers Illinois-based positions and says an employer must notify the applicant, explain how the AI works and what general characteristics it uses, and obtain consent before AI is used to analyze a recorded interview. The statute is blunt on the consent point: the employer "may not use artificial intelligence to evaluate applicants who have not consented"[^820-ilcs-42-artificial-intelligence-video-interv]. [^820-ilcs-42-artificial-intelligence-video-interv] Separately, the Illinois Human Rights Act now makes it a civil-rights violation to use AI in covered employment decisions if it has the effect of subjecting employees to discrimination on the basis of protected classes, and it separately requires notice to employees when AI is used for those employment purposes. [^775-ilcs-5-2-102-2] The broad point is that Illinois splits the problem in two: biometrics create BIPA exposure, and decision systems create discrimination-and-notice exposure. The Illinois commentary is slightly more mixed on mechanics. Covington's BIPA piece focuses on damages exposure and the significance of the 2024 amendment, while Ogletree stays closer to the enacted employment-AI prohibition and notice duty. [^covington-burling-seventh-circuit-holds-that-bip][^ogletree-deakins-illinois-steps-up-ai-regulation-2] Taken together, the firms are saying something fairly consistent: the hardest Illinois problems are still biometric collection and discriminatory decision use, not ordinary software procurement labels. Illinois's new employment-AI notice duty is clear at the level of principle and less clear at the edge mechanics. The statute plainly prohibits discriminatory AI use in covered employment decisions and requires notice to employees that AI is being used for those purposes. [^775-ilcs-5-2-102-2] Public commentary sometimes describes more detailed timing and content expectations than the statutory text itself. Perhaps that is where Illinois will end up, but the enacted text is firmer on the existence of the duty than on the exact shape of every notice. ## How should employers handle AI monitoring vendors as state laws expand? {#how-employers-should-handle-ai-monitoring-vendors} **Short answer.** It depends on what the vendor actually collects, monitors, and decides. Procurement labels matter less than whether the deployment creates biometric, credential, monitoring, employment-decision, appeal, or labor-law obligations. Colorado is important because it shows where state law may be going, but as of April 20, 2026 it is still future law. The Colorado AI Act defines consequential decisions to include employment or employment opportunity decisions affecting Colorado residents and requires deployers of high-risk AI systems to use reasonable care, maintain risk-management programs, perform impact assessments, provide notice, and offer correction and appeal rights, with human review "if technically feasible"[^colorado-ai-act-colo-rev-stat-title-6-3]. [^colorado-ai-act-colo-rev-stat-title-6-3] But SB25B-004 "extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026"[^colorado-sb25b-004-2]. [^colorado-sb25b-004-2] Colorado therefore belongs in current architecture conversations, but not yet in the list of operative April 2026 state obligations. The third consequence is that vendor naming conventions matter less than deployment facts. Productivity, workforce analytics, trust and safety, or engagement are not legal categories. What matters is whether the system collects biometric or credential data, whether it monitors covered channels, and whether its output materially affects employment. That is why the same product can trigger very different disclosure, retention, appeal, and enforcement consequences across states. [^california-privacy-protection-agency-ccpa-regula-4][^new-york-attorney-general-shield-act-guidance-2][^740-ilcs-14-biometric-information-privacy-act-4] Union and federal-law overlay remains a separate uncertainty. The authorities cited here do not show broad federal preemption of the state statutes discussed here. [^n-y-gen-bus-law-899-bb-2][^california-privacy-protection-agency-ccpa-statut-2] At the same time, the NLRB General Counsel's 2022 memo took the position that intrusive electronic monitoring and algorithmic management can interfere with Section 7 rights and urged disclosure of the technologies used, why they are used, and how the information is used. [^nlrb-general-counsel-memo-on-unlawful-electronic] That is not the same thing as a Board holding. But it does mean state-law notice compliance may not be the whole story for unionized or organizing-sensitive workplaces. [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-04-20. License: CC BY 4.0. Steven Obiajulu, J.D. edits this topic article for Federal + multi-state coverage. It synthesizes legal sources and is not legal advice. This article is for informational purposes only and does not create an attorney-client relationship. [^n-y-civ-rights-law-52-c]: **N.Y. Civ. Rights Law § 52-c** — "may be subject to monitoring at any and all times and by any lawful means" *N.Y. Civ. Rights Law § 52-c.* [^conn-gen-stat-31-48d]: **Conn. Gen. Stat. § 31-48d** — "No employer, including the state or any political subdivision thereof, shall condition the employment, transfer or promotion of any individual on the sterilization of such individual." *Conn. Gen. Stat. § 31-48d.* [^19-del-c-705]: **19 Del. C. § 705** — "No person, nor any agent or representative of a person, shall require, request or suggest that any employee or prospective employee take or shall cause, directly or indirectly, any employee or prospective employee to take a polygraph, lie detector or similar test or examination as a condition of employment or continuation of employment." *19 Del. C. § 705.* [^740-ilcs-14-biometric-information-privacy-act]: **740 ILCS 14, Biometric Information Privacy Act** — "written release" *740 ILCS 14, Biometric Information Privacy Act.* [^rosenbach-v-six-flags-ent-corp-2019-il-123186]: **Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186** — "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." *Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186.* [^california-privacy-protection-agency-ccpa-regula]: **California Privacy Protection Agency, CCPA Regulations effective January 1, 2026** — "A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein." *California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.* [^775-ilcs-5-2-102]: **775 ILCS 5/2-102** — "It is a civil rights violation: (A) Employers. For any employer to refuse to hire, to" *775 ILCS 5/2-102.* [^colorado-ai-act-colo-rev-stat-title-6]: **Colorado AI Act, Colo. Rev. Stat. title 6** — "if technically feasible" *Colorado AI Act, Colo. Rev. Stat. title 6.* [^colorado-sb25b-004]: **Colorado SB25B-004** — "extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026" *Colorado SB25B-004.* [^baker-mckenzie-employee-monitoring-in-the-us-and]: **Baker McKenzie commentary** — "Under the CCPA, employers are permitted to monitor employees with notice only so long as the monitoring is reasonably necessary and proportionate in the particular employment context and processing purposes are not surprising to employees." *Baker McKenzie, Employee monitoring in the US and Canada: what employers need to know.* [^ogletree-deakins-illinois-steps-up-ai-regulation]: **Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaway...** — "Illinois’s new AI regulations under HB 3773 take effect on January 1, 2026, giving employers a limited window to prepare for compliance." *Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaways for Employers.* [^littler-what-does-the-2025-artificial-intelligen]: **Littler commentary** — "In the absence of federal regulation, several states have either passed or are considering legislation aimed at mitigating the risk of an employer’s use of an AI system resulting in algorithmic discrimination." *Littler, What Does the 2025 Artificial Intelligence Legislative and Regulatory Landscape Look Like?.* [^littler-divergent-paths-on-regulating-artificial]: **Littler, Divergent Paths on Regulating Artificial Intelligence** — "In contrast, the United States has so far adopted a light-handed approach to regulating AI in employment decisions." *Littler, Divergent Paths on Regulating Artificial Intelligence.* [^crowell-moring-california-sb-947-no-robo-bosses]: **Crowell & Moring, California SB 947 ('No Robo Bosses Act')** — "The proposed legislation prohibits employers from relying solely on an ADS to make disciplinary or termination decisions. It requires employers to apply human review and independent corroboration before acting on the output of an ADS for these purposes." *Crowell & Moring, California SB 947 ('No Robo Bosses Act').* [^california-privacy-protection-agency-ccpa-statut]: **California Privacy Protection Agency, CCPA statute** — "A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5." *California Privacy Protection Agency, CCPA statute.* [^california-privacy-protection-agency-regulations]: **California Privacy Protection Agency, Regulations page** — "CalPrivacy is responsible for implementing and enforcing the CCPA as well as the Delete Act" *California Privacy Protection Agency, Regulations page.* [^california-privacy-protection-agency-ccpa-regula-2]: **California Privacy Protection Agency, CCPA Regulations effective January 1, 2026** — "A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein." *California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.* [^ogletree-deakins-california-workplace-ai-notice]: **Ogletree Deakins, California Workplace AI Notice and Disclosure Bill Would Impose Hefty Penalties** — "California Assembly Bill (AB) 1898 would impose significant new notice and transparency obligations on California employers using AI-powered tools for employment-related decisions." *Ogletree Deakins, California Workplace AI Notice and Disclosure Bill Would Impose Hefty Penalties.* [^crowell-moring-california-sb-947-no-robo-bosses-2]: **Crowell & Moring, California SB 947 ('No Robo Bosses Act')** — "The proposed legislation prohibits employers from relying solely on an ADS to make disciplinary or termination decisions. It requires employers to apply human review and independent corroboration before acting on the output of an ADS for these purposes." *Crowell & Moring, California SB 947 ('No Robo Bosses Act').* [^perkins-coie-navigating-the-growing-landscape-of]: **Perkins Coie commentary** — "The regulations prohibit employers from using ADS or selection criteria that discriminate against applicants or employees based on protected characteristics under FEHA." *Perkins Coie, Navigating the Growing Landscape of State AI Employment Bills and Laws: What Employers Need to Know.* [^n-y-civ-rights-law-52-c-2]: **N.Y. Civ. Rights Law § 52-c** — "may be subject to monitoring at any and all times and by any lawful means" *N.Y. Civ. Rights Law § 52-c.* [^n-y-civ-rights-law-52-c-3]: **N.Y. Civ. Rights Law § 52-c** — "may be subject to monitoring at any and all times and by any lawful means" *N.Y. Civ. Rights Law § 52-c.* [^n-y-gen-bus-law-899-bb]: **N.Y. Gen. Bus. Law § 899-bb** — "develop, implement and maintain reasonable safeguards" *N.Y. Gen. Bus. Law § 899-bb.* [^n-y-gen-bus-law-899-aa]: **N.Y. Gen. Bus. Law § 899-aa** — "Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state" *N.Y. Gen. Bus. Law § 899-aa.* [^new-york-attorney-general-shield-act-guidance]: **New York Attorney General, SHIELD Act guidance** — "The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards." *New York Attorney General, SHIELD Act guidance.* [^new-york-city-department-of-consumer-and-worker]: **New York City Department of Consumer and Worker Protection, AEDT page** — "prohibits employers and employment agencies from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates." *New York City Department of Consumer and Worker Protection, AEDT page.* [^conn-gen-stat-31-48d-2]: **Conn. Gen. Stat. § 31-48d** — "No employer, including the state or any political subdivision thereof, shall condition the employment, transfer or promotion of any individual on the sterilization of such individual." *Conn. Gen. Stat. § 31-48d.* [^19-del-c-705-2]: **19 Del. C. § 705** — "No person, nor any agent or representative of a person, shall require, request or suggest that any employee or prospective employee take or shall cause, directly or indirectly, any employee or prospective employee to take a polygraph, lie detector or similar test or examination as a condition of employment or continuation of employment." *19 Del. C. § 705.* [^md-code-lab-empl-3-717]: **Md. Code, Lab. & Empl. § 3-717** — "An employer may not use a facial recognition service for the purpose of creating a facial template during an applicant’s interview for employment unless an applicant consents under subsection (c) of this section." *Md. Code, Lab. & Empl. § 3-717.* [^dla-piper-critical-audit-of-nyc-s-ai-hiring-law]: **DLA Piper commentary** — "The New York State Comptroller’s December 2025 audit evaluated the New York City Department of Consumer and Worker Protection’s (DCWP) enforcement of Local Law 144, which regulates the use of automated employment decision tools (AEDTs) in hiring and promotion." *DLA Piper, Critical audit of NYC's AI hiring law signals increased risk for employers.* [^office-of-the-new-york-state-comptroller-enforce]: **Office of the New York State Comptroller, Enforcement of Local Law 144: Autom...** — "DCWP is tasked with enforcing LL144 and can impose civil penalties between $500 and $1,500 per day for violations." *Office of the New York State Comptroller, Enforcement of Local Law 144: Automated Employment Decision Tools.* [^740-ilcs-14-biometric-information-privacy-act-2]: **740 ILCS 14, Biometric Information Privacy Act** — "written release" *740 ILCS 14, Biometric Information Privacy Act.* [^california-privacy-protection-agency-ccpa-regula-3]: **California Privacy Protection Agency, CCPA Regulations effective January 1, 2026** — "A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein." *California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.* [^colorado-ai-act-colo-rev-stat-title-6-2]: **Colorado AI Act, Colo. Rev. Stat. title 6** — "if technically feasible" *Colorado AI Act, Colo. Rev. Stat. title 6.* [^740-ilcs-14-biometric-information-privacy-act-3]: **740 ILCS 14, Biometric Information Privacy Act** — "written release" *740 ILCS 14, Biometric Information Privacy Act.* [^rosenbach-v-six-flags-ent-corp-2019-il-123186-2]: **Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186** — "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." *Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186.* [^820-ilcs-42-artificial-intelligence-video-interv]: **820 ILCS 42, Artificial Intelligence Video Interview Act** — "may not use artificial intelligence to evaluate applicants who have not consented" *820 ILCS 42, Artificial Intelligence Video Interview Act.* [^775-ilcs-5-2-102-2]: **775 ILCS 5/2-102** — "It is a civil rights violation: (A) Employers. For any employer to refuse to hire, to" *775 ILCS 5/2-102.* [^covington-burling-seventh-circuit-holds-that-bip]: **Covington & Burling, Seventh Circuit Holds that BIPA Amendment Applies Retroactively** — "the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024." *Covington & Burling, Seventh Circuit Holds that BIPA Amendment Applies Retroactively.* [^ogletree-deakins-illinois-steps-up-ai-regulation-2]: **Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaway...** — "Illinois’s new AI regulations under HB 3773 take effect on January 1, 2026, giving employers a limited window to prepare for compliance." *Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaways for Employers.* [^colorado-ai-act-colo-rev-stat-title-6-3]: **Colorado AI Act, Colo. Rev. Stat. title 6** — "if technically feasible" *Colorado AI Act, Colo. Rev. Stat. title 6.* [^colorado-sb25b-004-2]: **Colorado SB25B-004** — "extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026" *Colorado SB25B-004.* [^california-privacy-protection-agency-ccpa-regula-4]: **California Privacy Protection Agency, CCPA Regulations effective January 1, 2026** — "A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein." *California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.* [^new-york-attorney-general-shield-act-guidance-2]: **New York Attorney General, SHIELD Act guidance** — "The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards." *New York Attorney General, SHIELD Act guidance.* [^740-ilcs-14-biometric-information-privacy-act-4]: **740 ILCS 14, Biometric Information Privacy Act** — "written release" *740 ILCS 14, Biometric Information Privacy Act.* [^n-y-gen-bus-law-899-bb-2]: **N.Y. Gen. Bus. Law § 899-bb** — "develop, implement and maintain reasonable safeguards" *N.Y. Gen. Bus. Law § 899-bb.* [^california-privacy-protection-agency-ccpa-statut-2]: **California Privacy Protection Agency, CCPA statute** — "A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5." *California Privacy Protection Agency, CCPA statute.* [^nlrb-general-counsel-memo-on-unlawful-electronic]: **NLRB, General Counsel memo on unlawful electronic surveillance and automated management** — "I plan to urge the Board, to the greatest extent possible, to apply the Act to protect employees from intrusive or abusive electronic monitoring and automated management practices that would have a tendency to interfere with Section 7 rights." *NLRB, General Counsel memo on unlawful electronic surveillance and automated management.*