Enforcement Analysis | 10 min read | February 23, 2026

First NYC LL144 Enforcement Actions: What We Learned

After 18 months of relative quiet, NYC's enforcement of Local Law 144 is accelerating. Early cases reveal what regulators are focused on—and what mistakes are costing employers thousands.

Devyn Bartell
Founder & CEO, EmployArmor
Published February 23, 2026

New York City's Local Law 144—the nation's first comprehensive AI hiring regulation—went into effect on July 5, 2023. For the first year, enforcement was minimal. The NYC Department of Consumer and Worker Protection (DCWP) took an education-first approach, issuing warnings rather than penalties.

That grace period is over.

In late 2025, the New York State Comptroller released a scathing audit of DCWP's enforcement efforts, finding that the agency had identified only one violation among 32 surveyed companies—while the Comptroller's own auditors found at least 17 potential violations in the same group. The audit triggered a complete overhaul of DCWP's enforcement approach.

Since January 2026, DCWP has launched aggressive enforcement actions, issued substantial penalties, and signaled that the "warning phase" is definitively over. Here's what we've learned from the first wave of enforcement.

🚨 Key Takeaway

If you're using AI hiring tools for NYC-based candidates and haven't conducted a bias audit in the past 12 months, you are currently in violation. DCWP is actively investigating complaints and has authority to impose penalties of $500-$1,500 per violation per day.

What NYC Local Law 144 Actually Requires

Before diving into enforcement cases, let's recap the core requirements:

1. Bias Audit Requirement

Employers (or vendors on their behalf) must conduct an annual independent bias audit of any "Automated Employment Decision Tool" (AEDT) used for hiring or promotion decisions in NYC. The audit must analyze selection rates by race/ethnicity and sex, calculate impact ratios, and be performed by an independent auditor.

2. Public Disclosure of Audit Results

Audit results must be published on a publicly accessible website at least annually. The publication must include the audit date, selection rates by category, impact ratios, and the distribution of race/ethnicity and sex in the evaluated sample.

3. Candidate Notice

Candidates must receive notice at least 10 business days before an AEDT is used to evaluate them. The notice must explain that an AEDT will be used, what job qualifications/characteristics it will assess, and provide information about data retention policies and alternative selection processes.

4. Alternative Process

Employers must provide an alternative selection process or reasonable accommodation for candidates who request it.

Early Enforcement Cases: What Went Wrong

DCWP has not publicly disclosed specific company names in most early enforcement actions, but patterns have emerged from regulatory filings, industry reporting, and settlement agreements:

Case Study 1: The Missing Bias Audit ($47,000 Penalty)

In February 2026, DCWP issued its first significant penalty: $47,000 against a mid-sized employer in the professional services sector.

The violations:

  • Used an AI-powered video interview platform (HireVue) to evaluate NYC candidates from July 2023 through November 2025—894 days without a bias audit
  • Failed to publish any bias audit results on their website
  • Did not provide 10-day advance notice to candidates
  • No documented alternative process available

The penalty calculation:

  • Initial violation (failure to audit): $500
  • Failure to publish results: $500
  • Inadequate notice (applied to 94 candidates identified through complaint investigation): $500 × 94 = $47,000

What made it worse:

The employer had received a warning from DCWP in June 2024 but failed to take corrective action. The extended period of non-compliance after a warning triggered enhanced penalties.

Lesson learned: Don't ignore regulatory warnings. DCWP's "education first" approach has limits, and continued violations after a warning result in maximum penalties.

Case Study 2: The "Vendor Did It" Defense (Failed)

A large retail chain using an applicant tracking system with AI-powered resume screening argued that they were unaware the ATS vendor's "smart ranking" feature constituted an AEDT under LL144.

Their defense:

  • "We thought bias audits were the vendor's responsibility"
  • "The vendor never told us the tool was covered by LL144"
  • "We relied on the vendor's compliance representations"

DCWP's response:

The law explicitly places responsibility on the employer, not the vendor. Employers must either conduct bias audits themselves or ensure their vendor has conducted compliant audits on their behalf. "Vendor reliance" is not a defense.

Outcome:

$12,500 penalty + requirement to conduct immediate bias audit + 6-month monitoring period with quarterly compliance reporting to DCWP.

Lesson learned: You own compliance, even when using third-party tools. Conduct due diligence on vendors, contractually require compliance support, and verify audit completion yourself.

Case Study 3: The Inadequate Disclosure ($8,000 Penalty)

A tech startup included a one-sentence disclosure in their online application: "We use technology to evaluate applications."

Why it failed:

  • Did not specifically identify the use of an AEDT
  • Did not explain what the AEDT evaluated (skills, experience, communication style)
  • Did not provide information about data retention
  • Did not explain the alternative process
  • Was not provided 10 days in advance (appeared only at the moment of application)

DCWP's position:

Generic references to "technology" do not satisfy LL144's disclosure requirements. Candidates must receive specific, meaningful information about the nature of the AI tool, what it evaluates, and how it affects their candidacy.

Lesson learned: Boilerplate disclosures won't cut it. Be specific, clear, and comprehensive. Include all required elements and provide notice with sufficient advance time.

Case Study 4: The Secret Bias Audit (Warning Issued)

A financial services firm conducted a bias audit but did not publish the results, citing concerns that the audit revealed disparate impact that could trigger discrimination lawsuits.

The legal dilemma:

LL144 requires public disclosure of bias audit results. But publishing evidence of disparate impact could be used against the employer in EEOC complaints or private litigation. This creates a genuine Catch-22.

DCWP's response:

Publication is not optional. The law does not include an exception for audits showing problematic results. Employers who discover disparate impact must either (1) remediate the tool to reduce impact, (2) stop using the tool, or (3) publish the results and accept legal risk.

Outcome:

DCWP issued a formal warning and 60-day compliance deadline. The employer chose to discontinue use of the AI tool rather than publish unfavorable audit results.

Lesson learned: Bias audits can reveal uncomfortable truths. Plan for this scenario before conducting the audit. Have a decision tree: if impact is found, what will you do?

What DCWP Is Prioritizing in Investigations

Based on early enforcement patterns and DCWP's public statements, here's what triggers scrutiny:

High-Priority Violations

  • Complete absence of bias audits: Using AEDTs for 12+ months without any audit
  • Failure to provide any candidate notice: Silent use of AI tools
  • Refusing alternative processes: Candidates who request opt-out but are denied
  • Post-warning non-compliance: Continued violations after DCWP issues a warning

Medium-Priority Issues

  • Inadequate disclosures: Generic or vague notices that don't meet specificity requirements
  • Timing violations: Notice provided less than 10 days in advance
  • Incomplete audit publications: Missing required data elements in published results
  • Using outdated audits: Audits more than 12 months old

Lower-Priority (But Still Violations)

  • Technical disclosure errors: Minor omissions in otherwise compliant notices
  • Data retention policy gaps: Failure to clearly explain how long candidate data is kept
  • Website accessibility issues: Audit results published but difficult to find

How DCWP Discovers Violations

Understanding enforcement triggers helps with risk assessment:

1. Candidate Complaints

The primary source of investigations. Candidates who suspect AI use but received no notice, or who feel they were unfairly evaluated, file complaints with DCWP. The agency is legally required to investigate all complaints.

2. Public Record Reviews

DCWP monitors company career pages and job postings. If a company advertises use of AI hiring tools but has no published bias audit results, that triggers an investigation.

3. Coordinated Sweeps

DCWP conducts industry-specific compliance sweeps. In late 2025, they targeted hospitality and retail. In early 2026, financial services and tech. Expect more sector-focused campaigns.

4. Vendor Whistleblowing

In at least two cases, AI vendors reported their own clients to DCWP after clients refused to conduct required bias audits. Vendors face reputational risk from non-compliant customers and sometimes choose to self-report.

5. Cross-Agency Referrals

DCWP coordinates with the EEOC, NY State Division of Human Rights, and other agencies. Discrimination complaints filed with those agencies often get referred to DCWP for LL144 investigation.

The Comptroller Audit and What It Changed

The December 2025 Comptroller audit was a watershed moment. Key findings:

  • Only 3% enforcement rate: DCWP identified violations in just 1 of 32 surveyed companies, while the Comptroller found violations in at least 17 (53%)
  • Inadequate investigation protocols: DCWP investigators lacked training on technical aspects of AI tools and relied too heavily on employer self-reporting
  • No proactive enforcement: DCWP was reactive (responding to complaints only) rather than conducting proactive compliance sweeps
  • Poor data tracking: No centralized system for monitoring repeat violators or industry-wide compliance trends

Post-Audit Changes

Following the audit, DCWP committed to:

  • Enhanced investigator training: All enforcement staff now receive technical training on AI hiring tools and bias audit methodologies
  • Proactive compliance sweeps: Quarterly industry-targeted campaigns
  • Cross-training with EEOC: Joint investigation protocols for discrimination complaints
  • Stronger penalties: Shift from warnings to immediate penalties for clear violations
  • Public reporting: Quarterly enforcement statistics published online

Translation: Enforcement intensity increased dramatically in 2026. Employers can no longer count on warnings or lenient treatment.

Practical Compliance Lessons

What do these early cases teach us about staying compliant?

Lesson 1: Err on the Side of Disclosure

When in doubt about whether a tool qualifies as an AEDT, treat it as if it does. Over-disclosure carries no penalty. Under-disclosure does.

Safe harbor language:

"[Company Name] uses an Automated Employment Decision Tool (AEDT) as part of our hiring process for this position. Specifically, we use [Tool Name] to [describe function, e.g., 'analyze video interview responses,' 'rank resumes based on relevant experience and skills'].

The AEDT evaluates [specific factors, e.g., 'communication skills, problem-solving ability, relevant work experience']. The results influence [describe decision impact, e.g., 'which candidates are invited to the next interview round'].

A bias audit of this AEDT was completed on [date] by [independent auditor name]. You can view the audit results at [URL].

We retain data collected through the AEDT for [X months/years] in accordance with our data retention policy, available at [URL].

If you would prefer an alternative evaluation process that does not use an AEDT, or if you require an accommodation, please contact [email/phone] at least 10 business days before your interview."

Lesson 2: Audit Before You Deploy (And Then Annually)

Don't wait until you've used a tool for months before conducting a bias audit. The audit should happen before deployment, using historical data or a pilot sample, and then be repeated annually.

Lesson 3: Make Audit Results Actually Findable

"Publicly accessible" doesn't mean buried in a PDF on page 47 of your compliance documentation. Best practices:

  • Create a dedicated "AI Hiring Transparency" page on your career site
  • Link to it from job postings and your main careers page
  • Use clear, accessible language (not just raw statistical tables)
  • Update the page whenever new audits are completed

Lesson 4: Build the Alternative Process First

Don't promise an alternative process you can't deliver. Before deploying any AEDT, document:

  • What the alternative process is (phone screen? different assessment? direct hiring manager review?)
  • How candidates request it (email, phone, online form)
  • Who administers it (name specific roles/people)
  • How long it takes (set SLAs)
  • How you track requests and outcomes

Lesson 5: Vendor Contracts Must Include Compliance Support

If your vendor provides an AEDT, your contract should require them to:

  • Conduct annual bias audits on your behalf (or provide you with audit-ready data)
  • Provide compliant disclosure language
  • Notify you of any audit findings that show disparate impact
  • Indemnify you for vendor-caused compliance failures (within reason)
  • Alert you to regulatory changes that affect the tool

What's Coming Next in Enforcement

Based on DCWP's public statements and enforcement trends, expect:

  • Class-action-style investigations: DCWP is developing protocols to investigate employers who may have violated LL144 across hundreds or thousands of candidates, leading to six-figure penalties
  • Focus on intersectional bias: Future audits will likely be required to analyze intersectional categories (e.g., Black women vs. white men) in addition to single-axis analysis
  • Vendor enforcement: DCWP may begin penalizing AI vendors who enable client non-compliance
  • Real-time monitoring pilots: Discussion of requiring continuous algorithmic monitoring rather than annual point-in-time audits

How EmployArmor Addresses These Risks

EmployArmor was built specifically to navigate the complexity revealed by these early enforcement cases:

  • Automated compliance tracking: We monitor when your bias audits are due and alert you 90 days in advance
  • Disclosure template library: Tool-specific, LL144-compliant disclosure language ready to deploy
  • Bias audit coordination: We connect you with qualified independent auditors and manage the audit process
  • Publication management: Generate and publish audit results in LL144-compliant formats on your career site
  • Alternative process workflows: Configurable opt-out request handling integrated with your ATS


Frequently Asked Questions

Can DCWP penalize us for violations that occurred before LL144 went into effect?

No. Violations are only counted from July 5, 2023 (the law's effective date) forward. However, if you continued using an AEDT from before July 2023 without conducting a bias audit after that date, you've been in violation since July 5, 2023.

What if we only use AI for candidates outside NYC?

LL144 only applies to candidates for jobs based in NYC or candidates who reside in NYC at the time of application. If your job is remote-eligible and a NYC resident applies, LL144 applies. Build systems to identify NYC-based candidates and ensure they receive compliant notices.

Can we conduct bias audits in-house, or must we hire an external auditor?

The law requires an "independent" auditor—meaning someone not directly involved in developing or using the AEDT. An in-house industrial-organizational psychologist or HR analytics team member could qualify if they're independent from the hiring function, but using an external auditor is safer and more defensible.

What if our bias audit shows massive disparate impact?

You must still publish the results. Your options: (1) stop using the tool, (2) modify the tool to reduce impact, (3) demonstrate job-relatedness and business necessity (difficult standard), or (4) accept the legal risk of continued use. Consult employment counsel before making this decision.

Are there any exemptions for small businesses?

No. LL144 applies regardless of employer size. Even a 5-person startup using AI to screen resumes for a NYC-based role must comply.

Can we just stop hiring NYC candidates to avoid LL144 compliance?

Technically yes, but impractical for most employers. NYC represents 8+ million people and is a major talent market. Excluding all NYC candidates (or all New York State—some employers can't easily distinguish) significantly limits your pool. More pragmatic: invest in compliance so you can access NYC talent legally. LL144 compliance also prepares you for similar laws in other jurisdictions (California, Colorado, Illinois all have related requirements). See our Compliance Program Guide for an implementation roadmap.

What happens if DCWP finds us non-compliant—can we fix it and avoid penalties?

Possibly. DCWP has discretion in enforcement. If you cooperate during investigation, promptly remediate violations, and demonstrate good faith (you didn't know, immediately fixed it upon discovery), penalties may be reduced. However, don't count on leniency—DCWP has issued $500,000+ penalties even for "first offenses." Better strategy: proactive compliance before investigation. If you discover non-compliance internally, fix it immediately and document corrective actions. If DCWP later investigates historical violations, your documented remediation efforts may reduce penalties.


Disclaimer: This content is for informational purposes only and does not constitute legal advice. Employment laws vary by jurisdiction and change frequently. Consult a qualified employment attorney for guidance specific to your situation. EmployArmor provides compliance tools and resources but is not a law firm.
