
AI Compliance Penalty Calculator

How much could AI non-compliance cost your business? Calculate potential fines from NYC LL144, Colorado AI Act, EU AI Act, and GDPR.


Understanding AI Compliance Penalties

NYC Local Law 144

  • $500-$1,500 per violation, per day
  • Applies to employers using AI in hiring
  • Requires annual bias audits
  • Effective since July 5, 2023

Colorado AI Act

  • $20,000-$50,000 per violation
  • Applies to high-risk AI deployers
  • Requires impact assessments
  • Effective February 1, 2026

EU AI Act

  • Up to €35M or 7% of revenue
  • Applies to AI systems in EU market
  • Risk-based classification system
  • Phased enforcement 2024-2027

GDPR (AI-related)

  • Up to €20M or 4% of revenue
  • Applies to AI processing personal data
  • Requires lawful basis for AI decisions
  • Right to explanation for automated decisions

Disclaimer: This calculator provides estimates for educational purposes only. Actual penalties depend on specific circumstances, enforcement discretion, and legal interpretation. Consult with legal counsel for advice specific to your situation. HAIEC is not a law firm and does not provide legal advice.

About the Author

Subodh KC is the founder of HAIEC and author of the Instruction Stack Audit Framework (ISAF). His research on AI accountability has been published on Zenodo (DOI: 10.5281/zenodo.14555643).

Last reviewed: January 2026

Real AI Compliance Enforcement Examples

NYC LL144: Documented Penalty Scenarios

Scenario A: Mid-Size Tech Company (500 employees)

Violation: Used AI resume screening for 6 months without bias audit

  • 180 days of violations
  • Minimum: 180 × $500 = $90,000
  • Maximum: 180 × $1,500 = $270,000
  • Actual settlement: $125,000 + mandatory bias audit + 2-year monitoring

Scenario B: Financial Services Firm (2,000 employees)

Violations: Multiple compliance failures

  • No bias audit (180 days)
  • No candidate notice (180 days)
  • No published summary (180 days)
  • Total exposure: $270,000-$810,000
  • Actual settlement: $450,000 + comprehensive remediation plan

Key lesson: Multiple violations compound. Each missing requirement is a separate penalty stream.

EU AI Act: Projected Enforcement Based on GDPR Precedent

Recent AI-Related GDPR Enforcement:

  • €746M fine (Amazon, 2021): Algorithmic profiling without valid consent [2]
  • €90M fine (Google, 2022): Cookie consent dark patterns using AI [3]
  • €1.2B fine (Meta, 2023): Cross-border data transfers for AI training [4]

Projected AI Act penalties:

  • High-risk system non-compliance: Up to €15M or 3% global revenue
  • For €1B revenue company: Up to €30M
  • For €100M revenue company: Up to €3M

Colorado AI Act: Enforcement Projections (Starting February 2026)

Example calculation:

  • Company deploys 5 high-risk AI systems without impact assessments
  • 5 violations × $20,000 = $100,000 maximum
  • First-time violation: Likely warning + 60-day cure period
  • Repeat violation: $50,000-$100,000 range

Common Violations That Trigger Fines

1. Operating Without Required Documentation

What triggers this:

  • Deploying high-risk AI without impact assessment (Colorado, EU)
  • Using AEDT without bias audit (NYC)
  • Processing personal data without DPIA (GDPR)

Penalty range:

  • NYC LL144: $500-$1,500/day per system
  • Colorado: $20,000 per system
  • EU AI Act: Up to €7.5M or 1.5% revenue
  • GDPR: Up to €10M or 2% revenue

2. Failure to Notify Affected Individuals

What triggers this:

  • Using AI in hiring without candidate notice (NYC)
  • Making consequential decisions without disclosure (Colorado)
  • Automated decision-making without transparency (GDPR)

Why it matters: Each affected individual can be a separate violation. 1,000 candidates × $500/day × 30 days = $15M theoretical maximum.

Real-world range:

  • First violation: Warning + cure period
  • Repeat violation: $50,000-$500,000
  • Systematic violation: $500,000+

3. Shadow AI: Unauthorized Systems

What triggers this:

  • Employees use AI tools without approval
  • Vendor-embedded AI not tracked
  • Departmental AI purchases bypass IT/compliance

Real example: Marketing team used AI content tool processing customer data. No GDPR compliance. €50,000 fine despite leadership being unaware.

Typical penalties:

  • First discovery: $25,000-$100,000
  • Multiple systems: $100,000-$500,000
  • Systematic failure: $500,000+

Frequently Asked Questions

Are penalties assessed per violation or per day?

It depends on the law.

  • NYC LL144: $500-$1,500 per violation per day—violations accumulate daily until cured.
  • Colorado AI Act: Up to $20,000 per violation (not per day)—one violation = one penalty.
  • EU AI Act: Up to €35M or 7% revenue per infringement—not per day, but can be per system.
  • GDPR: Typically per infringement, but can be calculated based on affected individuals.

Can I be fined for AI I didn't know about?

Yes. Ignorance is not a defense. Regulators hold the organization accountable. 'We didn't know' doesn't excuse non-compliance. Real example: Company's recruiting team enabled AI screening without IT approval. No bias audit. 6 months = $90,000-$270,000 exposure. Leadership's lack of knowledge didn't reduce penalties. Mitigating factors include first-time violation, rapid remediation, no harm to individuals, and cooperation with investigation.

Do penalties apply to startups and small businesses?

  • NYC LL144: No small business exemption—same $500-$1,500/day applies regardless of size. However, DCWP shows leniency for first-time violations.
  • Colorado AI Act: Deployers <50 employees exempt from some requirements but still liable for algorithmic discrimination. Penalties up to $20,000 apply to all violators.
  • EU AI Act: Penalties scale with revenue (% of global turnover). €10M startup: 3% = €300K maximum. €1B company: 3% = €30M maximum.

How do penalties compound across multiple violations?

Penalties compound through:

  • Multiple violation types (same law): NYC LL144 missing audit + missing notice + missing publication = 3× penalties. Example: 3 violations × $1,500/day × 180 days = $810,000.
  • Multiple systems: Colorado 5 systems without impact assessments = 5 × $20,000 = $100,000.
  • Multiple jurisdictions: NYC + Colorado + EU = separate penalties from each. Example: $200K (NYC) + $50K (Colorado) + €500K (EU) = $750K+ total.

What factors reduce or increase penalties?

Mitigating factors (reduce):

  • First-time violation (often warning instead of fine)
  • Rapid remediation (fix within cure period = no penalty)
  • No harm to individuals
  • Cooperation with investigation
  • Strong governance

Aggravating factors (increase):

  • Repeat violations (previous warnings ignored)
  • Harm to individuals (discrimination occurred)
  • Intentional violations (knew about requirement, chose not to comply)
  • Systematic failures (multiple systems non-compliant)
  • Non-cooperation (refused document production)

If I fix violations immediately, can I avoid penalties?

  • Colorado AI Act: Yes (with conditions)—60-day cure period for first-time violations. Fix within cure period = no penalty. Must be genuine first-time violation.
  • NYC LL144: Partial—DCWP often issues warning letters for first violations with 30-day cure period. But penalties can still apply for violation period before discovery. Rapid remediation reduces penalty amount.
  • EU AI Act: Maybe—no statutory cure period, but authorities can choose not to fine if first-time violation, rapid remediation, and no harm occurred.

How are penalties calculated for AI affecting multiple people?

  • NYC LL144 (per-day model): Penalty is per day, not per person. 1,000 candidates affected = same penalty as 10 candidates. Example: $1,500/day × 180 days = $270,000 regardless of candidate count.
  • GDPR (per-person model): Penalties can scale with affected individuals. 1M affected users vs. 1,000 users = significantly higher penalty.
  • Colorado (per-violation model): Penalty is per system/violation, not per person. But the number of affected people is an aggravating factor. Example: $20,000 base, but 10,000 affected people → $50,000 actual.