State laws on employer AI monitoring

Which state laws apply when employers use AI to monitor workers?

It depends, because states regulate different layers of the same monitoring stack. The practical map is notice law, biometric privacy, and employment-decision governance.

The cleanest way to see the patchwork is in three layers. Some states regulate monitoring as monitoring: New York, Connecticut, and Delaware mainly require notice before employers monitor communications or activity. Some states regulate the data layer: Illinois is still the outlier because biometrics pull monitoring into BIPA's notice, retention, release, and private-action regime. And a smaller group regulates employment decisions themselves. California now treats certain AI-assisted workplace decisions as ADMT-regulated significant decisions, Illinois prohibits discriminatory AI use in covered employment decisions and requires notice to employees, and Colorado has enacted a similar consequential-decision regime that does not take effect until June 30, 2026. So the real question is usually not whether a state has an AI monitoring law. It is which legal layer a tool activates once it starts observing people and shaping work.

The law-firm commentary is mostly converging, not splitting. Baker McKenzie treats California employee monitoring as privacy law first: notice is necessary, but the deeper idea is proportionality and necessity under the CCPA framework. Ogletree Deakins says the same thing from Illinois in a different register: the new Illinois employment-AI law prohibits discriminatory AI use and requires notice when AI is used for covered employment purposes. Littler's broader surveys put those pieces into a patchwork map rather than a single theory. Illinois and Maryland are the direct AI-interview jurisdictions, California is moving into decision-system governance, and older monitoring statutes in the Northeast still matter because workplace tools often start as surveillance products before anyone calls them AI.

The first consequence is category drift. The same software can be a security tool in one state, a monitoring tool in another, and an employment-decision tool in a third. A keystroke logger, meeting-analysis tool, or productivity dashboard may look mundane until its output starts allocating work, setting pay, ranking people, or supporting discipline. California makes that move explicit. Colorado, once effective, will do something similar. Illinois gets there through a different route when biometrics or protected-class effects are involved.

The fourth consequence is directional rather than immediate. The enacted laws are still uneven, but the direction of travel is visible. The older statutes ask for notice. California asks for transparency plus access and contestability around significant decisions. Colorado adds impact assessment and appeal when it becomes effective. The pending California bills go further still by trying to regulate managerial reliance on automated systems directly. Perhaps the non-obvious point is that the law is moving less toward banning monitoring and more toward forcing a company to say what the tool is doing, why it is doing it, and whether a human can meaningfully interrupt the result.

Sources for this answer

Primary law

A.1 N.Y. Civ. Rights Law § 52-c

Supports the cited proposition. (N.Y. Civ. Rights Law § 52-c)

may be subject to monitoring at any and all times and by any lawful means

See N.Y. Civ. Rights Law § 52-c.

Primary law

A.2 Conn. Gen. Stat. § 31-48d

Connecticut law prohibits employers from conditioning employment on sterilization and provides employees with a private right of action for violations of workplace rights regarding toxic substances and reproductive health.

No employer, including the state or any political subdivision thereof, shall condition the employment, transfer or promotion of any individual on the sterilization of such individual.

See Conn. Gen. Stat. § 31-48d.

Primary law

A.3 19 Del. C. § 705PDF

Delaware law prohibits employers from requiring or requesting that employees or prospective employees submit to polygraph or lie detector tests as a condition of employment, subject to specific exceptions for law enforcement agencies.

No person, nor any agent or representative of a person, shall require, request or suggest that any employee or prospective employee take or shall cause, directly or indirectly, any employee or prospective employee to take a polygraph, lie detector or similar test or examination as a condition of employment or continuation of employment.

See 19 Del. C. § 705.

Primary law

A.4 740 ILCS 14, Biometric Information Privacy Act

Supports the cited proposition. (740 ILCS 14, Biometric Information Privacy Act)

written release

See 740 ILCS 14, Biometric Information Privacy Act.

Case law

A.5 Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186PDF

Under the Illinois Biometric Information Privacy Act, a plaintiff qualifies as an aggrieved person entitled to seek statutory damages and injunctive relief upon a violation of the Act's requirements without needing to allege actual injury or adverse effect beyond the statutory violation itself.

an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.

See Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186.

Primary law

A.6 California Privacy Protection Agency, CCPA Regulations effective January 1, 2026PDF

The California Consumer Privacy Act Regulations establish mandatory requirements for businesses regarding consumer privacy notices, the handling of consumer requests, and the implementation of opt-out mechanisms.

A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.

See California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.

Primary law

A.7 775 ILCS 5/2-102

Section 2-102 of the Illinois Human Rights Act defines specific actions by employers, employment agencies, and labor organizations that constitute civil rights violations in the workplace.

It is a civil rights violation: (A) Employers. For any employer to refuse to hire, to

See 775 ILCS 5/2-102.

Primary law

A.8 Colorado AI Act, Colo. Rev. Stat. title 6PDF

Supports the cited proposition. (Colorado AI Act, Colo. Rev. Stat. title 6)

if technically feasible

See Colorado AI Act, Colo. Rev. Stat. title 6.

Primary law

A.9 Colorado SB25B-004

Supports the cited proposition. (Colorado SB25B-004)

extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026

See Colorado SB25B-004.

Law-firm commentary

A.10 Baker McKenzie commentary

Employers in the U.S. and Canada must balance operational monitoring needs with legal requirements for transparency, proportionality, and data minimization, often necessitating clear written policies and employee notice.

Under the CCPA, employers are permitted to monitor employees with notice only so long as the monitoring is reasonably necessary and proportionate in the particular employment context and processing purposes are not surprising to employees.

See Baker McKenzie, Employee monitoring in the US and Canada: what employers need to know.

Primary law

A.11 Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaway...

Illinois HB 3773 amends the Illinois Human Rights Act to prohibit the use of artificial intelligence in employment decisions that results in unlawful discrimination against protected classes, effective January 1, 2026.

Illinois’s new AI regulations under HB 3773 take effect on January 1, 2026, giving employers a limited window to prepare for compliance.

See Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaways for Employers.

Law-firm commentary

A.12 Littler commentary

In the absence of comprehensive federal regulation, state and local jurisdictions are increasingly enacting legislation that imposes duties of reasonable care, transparency, and bias auditing on employers using artificial intelligence in employment decisions.

In the absence of federal regulation, several states have either passed or are considering legislation aimed at mitigating the risk of an employer’s use of an AI system resulting in algorithmic discrimination.

See Littler, What Does the 2025 Artificial Intelligence Legislative and Regulatory Landscape Look Like?.

Law-firm commentary

A.13 Littler, Divergent Paths on Regulating Artificial Intelligence

The regulatory landscape for artificial intelligence in the workplace is characterized by a rigorous, comprehensive approach in the European Union and a more decentralized, light-handed approach in the United States, where regulation is increasingly occurring at the state and local levels.

In contrast, the United States has so far adopted a light-handed approach to regulating AI in employment decisions.

See Littler, Divergent Paths on Regulating Artificial Intelligence.

Primary law

A.14 Crowell & Moring, California SB 947 ('No Robo Bosses Act')

California SB 947 proposes a regulatory framework for automated decision systems in the workplace, mandating human review for disciplinary actions and establishing enforcement mechanisms including a private right of action.

The proposed legislation prohibits employers from relying solely on an ADS to make disciplinary or termination decisions. It requires employers to apply human review and independent corroboration before acting on the output of an ADS for these purposes.

See Crowell & Moring, California SB 947 ('No Robo Bosses Act').

When does California treat employee monitoring as an AI employment decision?

Usually when monitoring output allocates work, pay, discipline, demotion, suspension, or termination. California now regulates that use as automated decisionmaking technology tied to employment-related significant decisions.

California is now the state where employee monitoring most clearly becomes employment-decision law. The old employee-data carveout under the CCPA is gone, and the CPPA's final ADMT regulations took effect on January 1, 2026. The regulations define employment-related significant decisions broadly enough to reach the practical outputs of workplace monitoring, including allocation or assignment of work ... demotion, suspension, and termination. They require a pre-use notice, access rights, and in many cases opt-out or human-appeal rights. They also give an explicit example of an employer using productivity monitoring software to determine work allocation, compensation, and which employees will be demoted. That is a different posture from ordinary surveillance notice law. It means the software becomes regulated not just because it watches people, but because it allocates work or supports adverse action. The timing point matters too: the regulations are in force now, but tools already used for significant decisions before January 1, 2027 have until that date to comply.must be in compliance ... no later than January 1, 2027

The California commentary is forward-looking in a different way. Ogletree, Crowell, and Perkins Coie all read the 2026 California bills as evidence that Sacramento is trying to move from privacy disclosure into workplace-process regulation, especially around discipline, termination, and worker notice. The important qualifier is that these are proposals. Current California law is the CPPA regime, not the bills.

The line between monitoring and decisionmaking is also still moving. California has already said the quiet part out loud by using productivity monitoring as an example of ADMT in employment decisions. Other states are less explicit. New York's monitoring statute includes a systems-maintenance exception where monitoring manages the type or volume of electronic communications or internet usage and is not targeted at a particular individual. That suggests a practical line between network hygiene and person-specific supervision, but only California currently spells out the decision side in detail.

Sources for this answer

Primary law

B.1 California Privacy Protection Agency, CCPA statutePDF

The California Consumer Privacy Act establishes fundamental consumer rights regarding the collection, deletion, correction, and sale of personal information, while imposing affirmative duties on businesses to maintain reasonable security and provide transparency.

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

See California Privacy Protection Agency, CCPA statute.

Primary law

B.2 California Privacy Protection Agency, Regulations page

The California Privacy Protection Agency is the administrative body empowered to implement and enforce the California Consumer Privacy Act and the Delete Act through the formal rulemaking process.

CalPrivacy is responsible for implementing and enforcing the CCPA as well as the Delete Act

See California Privacy Protection Agency, Regulations page.

Primary law

B.3 California Privacy Protection Agency, CCPA Regulations effective January 1, 2026PDF

A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.

See California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.

Law-firm commentary

B.4 Ogletree Deakins, California Workplace AI Notice and Disclosure Bill Would Impose Hefty Penalties

California Assembly Bill 1898 proposes comprehensive transparency and notice requirements for employers utilizing AI-powered tools, including potential civil liability and penalties for noncompliance.

California Assembly Bill (AB) 1898 would impose significant new notice and transparency obligations on California employers using AI-powered tools for employment-related decisions.

See Ogletree Deakins, California Workplace AI Notice and Disclosure Bill Would Impose Hefty Penalties.

Primary law

B.5 Crowell & Moring, California SB 947 ('No Robo Bosses Act')

The proposed legislation prohibits employers from relying solely on an ADS to make disciplinary or termination decisions. It requires employers to apply human review and independent corroboration before acting on the output of an ADS for these purposes.

See Crowell & Moring, California SB 947 ('No Robo Bosses Act').

Law-firm commentary

B.6 Perkins Coie commentary

Various state legislatures are enacting and proposing laws that regulate the use of automated decision systems and artificial intelligence in employment to prevent discrimination and mandate human oversight.

The regulations prohibit employers from using ADS or selection criteria that discriminate against applicants or employees based on protected characteristics under FEHA.

See Perkins Coie, Navigating the Growing Landscape of State AI Employment Bills and Laws: What Employers Need to Know.

Primary law

B.7 N.Y. Civ. Rights Law § 52-c

Supports the cited proposition. (N.Y. Civ. Rights Law § 52-c)

may be subject to monitoring at any and all times and by any lawful means

See N.Y. Civ. Rights Law § 52-c.

What notice do New York, Connecticut, and Delaware require for AI monitoring?

Usually these states require written or electronic notice before monitoring communications or activity. Those notice laws do not answer whether the same tool also triggers biometric, hiring, or employment-decision rules.

New York, at the state level, is plainer than people think. The core state monitoring statute is Civil Rights Law § 52-c. It requires prior written notice on hiring, employee acknowledgment, and conspicuous posting when an employer with a place of business in New York monitors telephone conversations, email, or internet usage electronically. The notice must say those communications “may be subject to monitoring at any and all times and by any lawful means”. The Attorney General enforces the law, with penalties of $500 for a first offense, $1,000 for a second, and $3,000 for later offenses. The SHIELD Act adds the data-security layer. It requires businesses holding New York residents' private information to “develop, implement and maintain reasonable safeguards”, and the definition of private information includes biometric information and online credentials. New York therefore regulates employer AI monitoring mostly as communications monitoring plus information security. The algorithmic hiring regime most people associate with New York is usually New York City Local Law 144, which is nearby and influential, but it is not the state-law answer.

Connecticut and Delaware still matter because they are old-fashioned notice statutes that many AI discussions skip. Connecticut's § 31-48d broadly defines electronic monitoring and requires prior written notice and a conspicuous posting, with a narrow covert-monitoring exception tied to suspected unlawful conduct, violations of legal rights, or hostile-work-environment misconduct. Delaware's § 705 requires either a one-time acknowledged notice or a daily electronic notice for monitoring of telephone conversations, email, or internet usage by or of a Delaware employee, with a $100 civil penalty per violation. Maryland belongs on the edge of the map because it specifically prohibits use of facial-recognition services to create a facial template during an applicant interview unless the applicant signs a waiver meeting statutory requirements.

The useful disagreement is less about substance than about where people place New York. DLA Piper's recent New York discussion is driven by the December 2025 comptroller audit of New York City Local Law 144 and the expectation of tougher city enforcement. That matters, but it also slightly distorts the state-law picture. At the state level, New York is still a monitoring-notice statute plus a security statute. The city is where the formal bias-audit regime lives.

The second consequence is that New York, Connecticut, and Delaware can create false comfort. Their rules are real, but they are mostly notice rules. A company can satisfy those statutes and still have learned almost nothing about whether its vendor is creating Illinois biometric exposure or California ADMT obligations. State monitoring law and state employment-AI law are adjacent, not interchangeable.

Remote-worker geography is still the messiest issue. Connecticut's monitoring statute is framed around collection of information on an employer's premises, while Delaware speaks in terms of monitoring by or of a Delaware employee and New York speaks in terms of employers with a place of business in the state. California focuses on the use of personal information in employment-related significant decisions, and Colorado focuses on consequential decisions affecting Colorado residents. We think the result is not a clean territorial rule but a stack of different hooks, each tied to a different statute.

Sources for this answer

Primary law

C.1 N.Y. Civ. Rights Law § 52-c

Supports the cited proposition. (N.Y. Civ. Rights Law § 52-c)

may be subject to monitoring at any and all times and by any lawful means

See N.Y. Civ. Rights Law § 52-c.

Primary law

C.2 N.Y. Gen. Bus. Law § 899-bb

Supports the cited proposition. (N.Y. Gen. Bus. Law § 899-bb)

develop, implement and maintain reasonable safeguards

See N.Y. Gen. Bus. Law § 899-bb.

Primary law

C.3 N.Y. Gen. Bus. Law § 899-aa

New York General Business Law § 899-aa mandates that businesses owning or licensing computerized data containing private information must notify affected New York residents of security breaches within thirty days of discovery, subject to specific exceptions and enforcement penalties.

Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state

See N.Y. Gen. Bus. Law § 899-aa.

Primary law

C.4 New York Attorney General, SHIELD Act guidance

The New York SHIELD Act mandates that businesses implement reasonable data security safeguards and establishes notification requirements and penalties for security breaches involving private information.

The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards.

See New York Attorney General, SHIELD Act guidance.

Primary law

C.5 New York City Department of Consumer and Worker Protection, AEDT page

Local Law 144 of 2021 mandates that employers and employment agencies conduct bias audits of automated employment decision tools and provide specific notices to candidates before using such tools.

prohibits employers and employment agencies from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates.

See New York City Department of Consumer and Worker Protection, AEDT page.

Primary law

C.6 Conn. Gen. Stat. § 31-48d

No employer, including the state or any political subdivision thereof, shall condition the employment, transfer or promotion of any individual on the sterilization of such individual.

See Conn. Gen. Stat. § 31-48d.

Primary law

C.7 19 Del. C. § 705PDF

No person, nor any agent or representative of a person, shall require, request or suggest that any employee or prospective employee take or shall cause, directly or indirectly, any employee or prospective employee to take a polygraph, lie detector or similar test or examination as a condition of employment or continuation of employment.

See 19 Del. C. § 705.

Primary law

C.8 Md. Code, Lab. & Empl. § 3-717

Maryland law prohibits employers from using facial recognition services to create facial templates during employment interviews without the applicant's written consent.

An employer may not use a facial recognition service for the purpose of creating a facial template during an applicant’s interview for employment unless an applicant consents under subsection (c) of this section.

See Md. Code, Lab. & Empl. § 3-717.

Law-firm commentary

C.9 DLA Piper commentary

A recent audit of the New York City Department of Consumer and Worker Protection indicates that enforcement of Local Law 144 regarding automated employment decision tools has been ineffective, signaling a shift toward more stringent regulatory scrutiny and potential penalties for employers.

The New York State Comptroller’s December 2025 audit evaluated the New York City Department of Consumer and Worker Protection’s (DCWP) enforcement of Local Law 144, which regulates the use of automated employment decision tools (AEDTs) in hiring and promotion.

See DLA Piper, Critical audit of NYC's AI hiring law signals increased risk for employers.

Primary law

C.10 Office of the New York State Comptroller, Enforcement of Local Law 144: Autom...

The New York City Department of Consumer and Worker Protection is the agency responsible for enforcing Local Law 144, which mandates that employers conduct bias audits of automated employment decision tools and provide notice to candidates.

DCWP is tasked with enforcing LL144 and can impose civil penalties between $500 and $1,500 per day for violations.

See Office of the New York State Comptroller, Enforcement of Local Law 144: Automated Employment Decision Tools.

Primary law

C.11 740 ILCS 14, Biometric Information Privacy Act

Supports the cited proposition. (740 ILCS 14, Biometric Information Privacy Act)

written release

See 740 ILCS 14, Biometric Information Privacy Act.

Primary law

C.12 California Privacy Protection Agency, CCPA Regulations effective January 1, 2026PDF

A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.

See California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.

Primary law

C.13 Colorado AI Act, Colo. Rev. Stat. title 6PDF

Supports the cited proposition. (Colorado AI Act, Colo. Rev. Stat. title 6)

if technically feasible

See Colorado AI Act, Colo. Rev. Stat. title 6.

When does Illinois AI monitoring create BIPA or discrimination exposure?

Usually when the tool collects biometric data or affects covered employment decisions. BIPA creates private-action exposure, while Illinois employment-AI rules add discrimination and notice risk.

Illinois remains the state where monitoring is most likely to turn into plaintiff-facing litigation. BIPA still does the heavy lifting. Before collecting or storing biometric identifiers or biometric information, a private entity must provide written notice, state the purpose and duration, and obtain a “written release”. It must also maintain a public retention-and-destruction policy, protect the data, and avoid unauthorized disclosure or profit from the data. Section 20 preserves the private right of action and liquidated damages of $1,000 for negligent violations and $5,000 for reckless or intentional ones. Rosenbach still matters because the Illinois Supreme Court held that a person can be “aggrieved” by the statutory violation itself, without separate actual injury. The 2024 amendment to BIPA reduced serial-scan exposure by treating repeated collection from the same person by the same method as a single violation for notice and release purposes, but it did not turn BIPA into a minor rule.

Illinois also has two direct AI-employment statutes. The Artificial Intelligence Video Interview Act covers Illinois-based positions and says an employer must notify the applicant, explain how the AI works and what general characteristics it uses, and obtain consent before AI is used to analyze a recorded interview. The statute is blunt on the consent point: the employer “may not use artificial intelligence to evaluate applicants who have not consented”. Separately, the Illinois Human Rights Act now makes it a civil-rights violation to use AI in covered employment decisions if it has the effect of subjecting employees to discrimination on the basis of protected classes, and it separately requires notice to employees when AI is used for those employment purposes. The broad point is that Illinois splits the problem in two: biometrics create BIPA exposure, and decision systems create discrimination-and-notice exposure.

The Illinois commentary is slightly more mixed on mechanics. Covington's BIPA piece focuses on damages exposure and the significance of the 2024 amendment, while Ogletree stays closer to the enacted employment-AI prohibition and notice duty. Taken together, the firms are saying something fairly consistent: the hardest Illinois problems are still biometric collection and discriminatory decision use, not ordinary software procurement labels.

Illinois's new employment-AI notice duty is clear at the level of principle and less clear at the edge mechanics. The statute plainly prohibits discriminatory AI use in covered employment decisions and requires notice to employees that AI is being used for those purposes. Public commentary sometimes describes more detailed timing and content expectations than the statutory text itself. Perhaps that is where Illinois will end up, but the enacted text is firmer on the existence of the duty than on the exact shape of every notice.

Sources for this answer

Primary law

D.1 740 ILCS 14, Biometric Information Privacy Act

Supports the cited proposition. (740 ILCS 14, Biometric Information Privacy Act)

written release

See 740 ILCS 14, Biometric Information Privacy Act.

Case law

D.2 Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186PDF

an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.

See Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186.

Primary law

D.3 820 ILCS 42, Artificial Intelligence Video Interview Act

Supports the cited proposition. (820 ILCS 42, Artificial Intelligence Video Interview Act)

may not use artificial intelligence to evaluate applicants who have not consented

See 820 ILCS 42, Artificial Intelligence Video Interview Act.

Primary law

D.4 775 ILCS 5/2-102

Section 2-102 of the Illinois Human Rights Act defines specific actions by employers, employment agencies, and labor organizations that constitute civil rights violations in the workplace.

It is a civil rights violation: (A) Employers. For any employer to refuse to hire, to

See 775 ILCS 5/2-102.

Commentary

D.5 Covington & Burling, Seventh Circuit Holds that BIPA Amendment Applies Retroactively

The Seventh Circuit held in Clay v. Union Pacific Railroad Company that the 2024 BIPA amendment limiting damages to a per-person basis applies retroactively to pending cases because it is a remedial change to the law.

the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024.

See Covington & Burling, Seventh Circuit Holds that BIPA Amendment Applies Retroactively.

Primary law

D.6 Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaway...

Illinois’s new AI regulations under HB 3773 take effect on January 1, 2026, giving employers a limited window to prepare for compliance.

See Ogletree Deakins, Illinois Steps Up AI Regulation in Employment: Key Takeaways for Employers.

How should employers handle AI monitoring vendors as state laws expand?

It depends on what the vendor actually collects, monitors, and decides. Procurement labels matter less than whether the deployment creates biometric, credential, monitoring, employment-decision, appeal, or labor-law obligations.

Colorado is important because it shows where state law may be going, but as of April 20, 2026 it is still future law. The Colorado AI Act defines consequential decisions to include employment or employment opportunity decisions affecting Colorado residents and requires deployers of high-risk AI systems to use reasonable care, maintain risk-management programs, perform impact assessments, provide notice, and offer correction and appeal rights, with human review “if technically feasible”. But SB25B-004 “extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026”. Colorado therefore belongs in current architecture conversations, but not yet in the list of operative April 2026 state obligations.

The third consequence is that vendor naming conventions matter less than deployment facts. Productivity, workforce analytics, trust and safety, or engagement are not legal categories. What matters is whether the system collects biometric or credential data, whether it monitors covered channels, and whether its output materially affects employment. That is why the same product can trigger very different disclosure, retention, appeal, and enforcement consequences across states.

Union and federal-law overlay remains a separate uncertainty. The authorities cited here do not show broad federal preemption of the state statutes discussed here. At the same time, the NLRB General Counsel's 2022 memo took the position that intrusive electronic monitoring and algorithmic management can interfere with Section 7 rights and urged disclosure of the technologies used, why they are used, and how the information is used. That is not the same thing as a Board holding. But it does mean state-law notice compliance may not be the whole story for unionized or organizing-sensitive workplaces.

Sources for this answer

Primary law

E.1 Colorado AI Act, Colo. Rev. Stat. title 6PDF

Supports the cited proposition. (Colorado AI Act, Colo. Rev. Stat. title 6)

if technically feasible

See Colorado AI Act, Colo. Rev. Stat. title 6.

Primary law

E.2 Colorado SB25B-004

Supports the cited proposition. (Colorado SB25B-004)

extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026

See Colorado SB25B-004.

Primary law

E.3 California Privacy Protection Agency, CCPA Regulations effective January 1, 2026PDF

A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.

See California Privacy Protection Agency, CCPA Regulations effective January 1, 2026.

Primary law

E.4 New York Attorney General, SHIELD Act guidance

The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards.

See New York Attorney General, SHIELD Act guidance.

Primary law

E.5 740 ILCS 14, Biometric Information Privacy Act

Supports the cited proposition. (740 ILCS 14, Biometric Information Privacy Act)

written release

See 740 ILCS 14, Biometric Information Privacy Act.

Primary law

E.6 N.Y. Gen. Bus. Law § 899-bb

Supports the cited proposition. (N.Y. Gen. Bus. Law § 899-bb)

develop, implement and maintain reasonable safeguards

See N.Y. Gen. Bus. Law § 899-bb.

Primary law

E.7 California Privacy Protection Agency, CCPA statutePDF

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

See California Privacy Protection Agency, CCPA statute.

Agency guidance

E.8 NLRB, General Counsel memo on unlawful electronic surveillance and automated management

The NLRB General Counsel intends to advocate for a new legal framework that treats intrusive electronic surveillance and automated management practices as presumptively unlawful under the National Labor Relations Act if they interfere with employees' Section 7 rights.

I plan to urge the Board, to the greatest extent possible, to apply the Act to protect employees from intrusive or abusive electronic monitoring and automated management practices that would have a tendency to interfere with Section 7 rights.

See NLRB, General Counsel memo on unlawful electronic surveillance and automated management.