Do AI Laws Apply to Your Business?

Understanding enforcement mechanisms helps you assess real compliance risk—not just theoretical obligations.

NYC Local Law 144: Complaint-Driven + Proactive Audits

The NYC Department of Consumer and Worker Protection (DCWP) enforces Local Law 144 through multiple channels:

Complaint-Driven Investigations

• Job candidates can file complaints if they suspect AEDT use without proper notice
• Current employees can report missing bias audit disclosures
• Complaints trigger formal investigations with document requests
• DCWP has subpoena power to obtain employer records

Proactive Enforcement Actions

• DCWP monitors public job postings for AI screening disclosures
• Routine audits of employers in high-risk sectors (finance, tech, healthcare)
• Cross-referencing bias audit publication requirements with careers pages
• Checking for 10-day advance notice in application workflows

Real Enforcement Timeline
Enforcement began July 5, 2023 ^[1]. Initial focus was on education and warning letters. As of 2024, DCWP has shifted to penalty assessment for repeat violations.

Penalty Structure

• First violation: $500 per day (often warning letter instead)
• Subsequent violations: $1,500 per day
• Separate violation streams for: missing audit, missing notice, missing publication
• Penalties compound—three violation types × 180 days = $270,000-$810,000 exposure

Colorado AI Act: Attorney General Enforcement (Starting February 2026)

Colorado's AI Act enforcement mirrors the existing Consumer Protection Act framework:

Enforcement Triggers

• Consumer complaints about algorithmic discrimination
• Pattern-or-practice violations identified through market surveillance
• Failure to respond to Attorney General inquiries
• Missing or inadequate impact assessments

Penalty Framework

• Up to $20,000 per violation
• No daily accumulation (unlike NYC LL144)
• Enhanced penalties for intentional violations
• Injunctive relief requiring system changes

EU AI Act: Multi-Tier Enforcement (Phased 2025-2027)

Penalty Tiers

• Prohibited AI systems: Up to €35M or 7% global revenue
• High-risk non-compliance: Up to €15M or 3% global revenue
• Documentation failures: Up to €7.5M or 1.5% global revenue
• Incorrect information: Up to €7.5M or 1% global revenue

These patterns emerge across industries and jurisdictions:

1. Shadow AI: Unknown Systems Creating Exposure

The Problem: Employees adopt AI tools without IT/compliance approval. Marketing uses AI copywriting. Sales uses AI lead scoring. HR uses AI resume screening from their ATS vendor.

Why It's Risky:

• You can't comply with laws you don't know apply
• Vendor AI doesn't exempt you from deployer obligations
• Shadow AI often lacks documentation, logging, or oversight

Real Example: A financial services firm discovered their recruiting team had enabled AI resume screening in their ATS. No bias audit. No candidate notice. 6 months of violations = $90,000-$270,000 exposure under NYC LL144.

2. Vendor Compliance Confusion

The Problem: "Our vendor says they're compliant, so we're covered."

Why It's Wrong:

• NYC LL144: Employer must commission independent bias audit (vendor audit doesn't count)
• Colorado AI Act: Deployer obligations exist even if developer is compliant
• EU AI Act: Deployer must verify provider compliance and conduct own assessments

3. Missing Candidate/Consumer Notice

Violation Examples:

• NYC LL144: No 10-day advance notice to job candidates
• Colorado AI Act: No disclosure of AI use in consequential decisions
• GDPR Article 13: No information about automated decision-making logic

Why It Matters: Each affected individual can be a separate violation. 1,000 candidates × $500/day = $500,000/day exposure.