TL;DR: If you use any algorithmic tools in hiring—résumé screeners, video-interview analyzers, assessments that “score” candidates—you’re already in scope for fast-evolving rules. This post translates the big requirements into concrete Rippling configurations: custom fields to track AEDT usage, policy + notice templates, consent capture, workflows that auto-notify NYC candidates 10 business days in advance, e-sign logs for Illinois and Maryland, data retention/erasure tasks, and bias-audit reporting scaffolding. (This is practical guidance, not legal advice.)
The regulatory landscape you must design for
- NYC Local Law 144 (AEDTs): Employers using an automated employment decision tool (AEDT) for candidates or employees must complete a bias audit within one year prior to use, give NYC residents at least 10 business days’ notice before use, and publish a public “summary of results” (including date of the audit’s distribution). The rules spell out required impact-ratio calculations across sex, race/ethnicity, and intersectional categories; the city provides detailed FAQs clarifying scope and edge cases (e.g., remote roles associated with a NYC office).
- Illinois AI Video Interview Act (AIVIA): If you use AI to analyze video interviews for jobs based in Illinois, you must notify applicants in advance, explain how the AI works and the general characteristics it evaluates, obtain consent before the interview, restrict disclosure, and delete video within 30 days upon request. If you rely solely on AI to decide who gets an in-person interview, you must annually report demographic data to the state (DCEO).
- Maryland HB1202 (facial recognition in interviews): Employers cannot use facial recognition during interviews without a signed waiver from the applicant (with specific elements).
- Colorado AI Act (SB24-205) — effective Feb 1, 2026: Covers “high-risk” AI that is a substantial factor in “consequential decisions” (includes employment). Deployers must maintain a risk-management program, take steps to prevent algorithmic discrimination, and provide notices; compliance can create a rebuttable presumption of reasonable care. Start preparing your governance now.
- Federal guidance: The EEOC says employers can be liable if AI tools create disparate impact under Title VII, even when tools are vendor-provided. The DOL/OFCCP has emphasized that existing civil-rights and wage-hour rules apply to AI-mediated decisions. Expect enforcement attention.
Rippling guardrails blueprint (works with Rippling Recruiter or an external ATS)
Design goal: Make compliance “default-on” using Rippling’s Employee Graph, custom fields, documents & e-sign, workflows, permissions, and reporting.
You’ll configure:
- Data inventory (what AEDTs are in play, where, for whom).
- Notices & consent (NYC, IL, MD templates + routing).
- Bias-audit scaffolding (fields and reports you’ll need to publish NYC summaries and track “distribution date”).
- RBAC + need-to-know (limit access to EEO/DEI and vendor audit artifacts).
- Retention/erasure automations (IL 30-day deletions on request; general minimization).
- Monitoring & review cadence (annual audits for NYC; risk-management for Colorado).
Rippling capabilities you’ll lean on: custom fields & configurable profiles, documents/e-sign, workflow automations & approval chains, role-based permissions, and analytics/EEO reporting.
Step-by-step: Configure Rippling for AEDT compliance
Step A — Create a system-of-record for AEDTs
- Custom fields (Company or Job Requisition object):
  - AEDT_Used? (Yes/No)
  - AEDT_Name (picklist)
  - Vendor_Name (text)
  - Version/Model_Date (text)
  - Use_Case (picklist: resume screening, ranking, interview analysis, assessment, matching, other)
  - NYC_In_Scope? (Yes/No; auto-derive from work location/posting location)
  - NYC_Bias_Audit_Date (date)
  - NYC_Summary_URL (URL)
  - Notice_Method (posting, email, portal, other)
  - Notice_Sent_Date (date)
  - IL_Video_AI? (Yes/No)
  - IL_Consent_Captured? (Yes/No)
  - MD_FacialRec_Used? (Yes/No)
  - MD_Waiver_Signed? (Yes/No)
  Create these with Configurable Profiles / Custom Fields so they’re visible on Job, Requisition, and/or candidate-facing workflows as needed.
- Register your tools: Populate an AEDT register (App Studio or a simple custom list) with vendor name, contact, last bias audit date, and link to the public bias audit “summary of results”. This expedites NYC posting and procurement reviews.
Step B — Build compliant notices & consent flows (templates included)
NYC Local Law 144 (10 business days’ notice):
- Create a Document Template “NYC AEDT Notice” explaining: that an AEDT will be used, the job qualifications/characteristics it evaluates, and how to request a reasonable accommodation or alternative assessment. Assign it automatically when NYC_In_Scope? = Yes. Trigger email and portal notification 10 business days before evaluation by using a workflow on requisition open or candidate stage change. Store the signed acknowledgment in the candidate/employee profile.
Illinois (AIVIA):
- Create two docs: (1) AIVIA Notice (how AI works + characteristics evaluated), (2) AIVIA Consent (e-sign) delivered before any video interview. Add a 30-day deletion task workflow that fires when a candidate requests deletion—assign to the recruiting ops owner and automatically re-assign to any integrated video vendor via ticket/email.
Maryland (HB1202 facial recognition):
- Create a Maryland Facial Recognition Waiver with required elements (applicant name, interview date, explicit consent statement, acknowledgment). Gate any interview scheduling that uses such tech behind this required e-signature.
Rippling Documents & e-Sign and Workflows handle delivery, tracking, and reminders at scale.
Step C — Automate routing based on location & tool usage
Use Workflow Automator rules like:
- Trigger: Requisition opened (or candidate moves to “Assessment” / “Interview”)
  If: NYC_In_Scope? = Yes AND AEDT_Used? = Yes
  Then: Send “NYC AEDT Notice,” set Notice_Sent_Date = Today, create a wait step of 10 business days, then allow advance to AEDT stage.
- Trigger: Candidate scheduled for video interview for an Illinois-based role
  Then: Send “AIVIA Notice,” require “AIVIA Consent” e-sign before confirming slot.
- Trigger: Interview uses facial recognition tech and job in Maryland
  Then: Require “MD Waiver” e-sign; block interview if missing.
- Trigger: Candidate submits deletion request (IL)
  Then: Open a “Video Deletion” task, notify vendor contact, and schedule an escalation at 20 days if unresolved.
Step D — Lock down who sees what (RBAC)
Create permission profiles so only a small circle (e.g., Sr. People Ops + Legal) can view:
- EEO/DEI self-ID attributes used for bias auditing,
- AEDT vendor audits and NYC_Summary_URL,
- Consent/waiver artifacts.
Use role-based permissions with scopes by department and location; restrict actions (view vs. edit vs. approve). For approval chains (e.g., enabling a new AEDT), route to Legal/Compliance first.
Step E — Prepare bias-audit data & your public posting (NYC)
NYC’s rules require at minimum selection/scoring rates and impact ratios by sex, race/ethnicity, and intersectional pairs. Set up Rippling Custom Reports pulling from Recruiting/ATS events (e.g., advanced to onsites/offer) joined with voluntary EEO self-ID. Export clean CSVs for your independent auditor, then publish the summary of results and distribution date on your careers site.
Tip: Add a field NYC_Publication_Date and a quality gate: workflows won’t move NYC candidates into any AEDT stage unless (a) NYC_Bias_Audit_Date is ≤ 365 days old and (b) NYC_Summary_URL is populated.
Step F — Retention & deletion
- Illinois: Build a “Delete within 30 days” playbook for any AI-analyzed interview video when requested. Use a Rippling workflow to (1) assign internal deletion, (2) notify relevant vendors, (3) require vendor attestation, (4) close the task with timestamp.
- General: Keep only what you need for audits, with role-based access. Schedule periodic purges for stale AI assessment exports and logs via tasks in Rippling.
Step G — Colorado prep (now, not 2026)
Create an AI Risk Register (custom object or App Studio app) with fields: system, use case, data sources, fairness controls, evaluation schedule, and residual risks. Attach links to vendor system cards and your internal test plans. Map a review cadence (e.g., semi-annual) and owners. This positions you for the risk-management and notice obligations when Colorado’s law takes effect.
“Recipes” you can copy into Rippling
Recipe 1 — NYC 10-day guardrail
- Trigger: Candidate enters any AEDT stage (e.g., “Assessment”)
- If: NYC_In_Scope? = Yes
- Actions:
  - Send “NYC AEDT Notice” (doc + email)
  - Set Notice_Sent_Date
  - Delay 10 business days
  - Then allow stage progression (else, auto-revert to “Pre-Assessment”)
- Fail-safe: If NYC_Bias_Audit_Date is more than 365 days old, block and notify Compliance.
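The gate described in the Step E tip and in Recipe 1, written out as a check you could run against exported requisition records. This is an added example, not Rippling code or a Rippling API: the dictionary keys reuse the Step A field names, the function names are hypothetical, and business days are assumed to be Monday to Friday with no holiday calendar.

```python
from datetime import date, timedelta

NOTICE_BUSINESS_DAYS = 10   # NYC notice period named in the post
AUDIT_MAX_AGE_DAYS = 365    # audit currency window named in the post


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days after `start` (Mon-Fri only).

    Assumption: public holidays are not skipped.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday-Friday
            remaining -= 1
    return current


def aedt_gate(req: dict, today: date) -> list:
    """Return the reasons a candidate may NOT enter an AEDT stage today.

    An empty list means the gate is open. Unknown or missing values
    fail closed: only an explicit "No" takes a requisition out of scope.
    """
    if req.get("NYC_In_Scope?") == "No" or req.get("AEDT_Used?") == "No":
        return []
    reasons = []
    audit = req.get("NYC_Bias_Audit_Date")
    if audit is None or (today - audit).days > AUDIT_MAX_AGE_DAYS:
        reasons.append("bias audit missing or older than 365 days")
    if not (req.get("NYC_Summary_URL") or "").strip():
        reasons.append("NYC_Summary_URL not populated")
    sent = req.get("Notice_Sent_Date")
    if sent is None:
        reasons.append("notice not sent")
    elif today < add_business_days(sent, NOTICE_BUSINESS_DAYS):
        reasons.append("10 business days since notice not yet elapsed")
    return reasons


# Constructed sample record (placeholder URL, not a real posting).
SAMPLE_REQ = {
    "NYC_In_Scope?": "Yes", "AEDT_Used?": "Yes",
    "NYC_Bias_Audit_Date": date(2024, 6, 1),
    "NYC_Summary_URL": "https://careers.example.com/aedt-summary",
    "Notice_Sent_Date": date(2025, 3, 3),  # a Monday
}
```

Running the same check as a scheduled report over all open requisitions gives Compliance an independent view of whether the workflow gate is actually holding.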
Recipe 2 — IL AI video consent gate
- Trigger: Interview of type “Video” scheduled for Work_Location = IL
- Actions: Send AIVIA Notice → require AIVIA Consent before the calendar invite goes out → log consent on candidate record.
Recipe 3 — MD facial recognition waiver
- Trigger: Interview uses any tool with facial recognition AND Work_Location = MD
- Action: Collect HB1202 Waiver; block if missing.
Recipe 4 — Bias-audit export pack (NYC)
- Trigger: Quarterly on the 1st
- Action: Run a Custom Report that aggregates selection/scoring events by EEO categories; export CSV for the auditor; notify Legal if any category shows impact ratio < 0.8.
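What the Recipe 4 check looks like once the report has been exported, as an added example (not Rippling code and not a substitute for the independent auditor's calculation). It covers selection rates only, computing each category's rate divided by the rate of the most-selected category; the column names `sex`, `race_ethnicity` and `selected` are assumed export columns, and the rows are constructed.

```python
from collections import defaultdict

FLAG_THRESHOLD = 0.8  # review threshold used in Recipe 4


def impact_ratios(rows, keys):
    """Selection rate and impact ratio per category.

    rows: dicts with self-ID fields plus a boolean "selected".
    keys: fields defining the category, e.g. ("sex",) or
          ("sex", "race_ethnicity") for intersectional categories.
    Impact ratio = category selection rate / highest category selection rate.
    Rows with a missing self-ID value are excluded from that breakdown.
    """
    counts = defaultdict(lambda: [0, 0])  # category -> [selected, total]
    for row in rows:
        category = tuple(row.get(k) for k in keys)
        if any(v in (None, "") for v in category):
            continue
        counts[category][0] += 1 if row["selected"] else 0
        counts[category][1] += 1
    rates = {c: sel / tot for c, (sel, tot) in counts.items()}
    top = max(rates.values(), default=0.0)
    return {
        c: {"n": counts[c][1], "rate": r, "impact_ratio": r / top if top else None}
        for c, r in rates.items()
    }


def flagged(result, threshold=FLAG_THRESHOLD):
    """Categories whose impact ratio is below the threshold, sorted."""
    return sorted(c for c, v in result.items()
                  if v["impact_ratio"] is not None and v["impact_ratio"] < threshold)


# Constructed sample export (not real data): one row per candidate.
SAMPLE = (
    [{"sex": "Female", "race_ethnicity": "White", "selected": i < 12} for i in range(40)]
    + [{"sex": "Male", "race_ethnicity": "White", "selected": i < 20} for i in range(40)]
    + [{"sex": "Female", "race_ethnicity": "Asian", "selected": i < 9} for i in range(20)]
    + [{"sex": "Male", "race_ethnicity": "Asian", "selected": i < 10} for i in range(20)]
    + [{"sex": "", "race_ethnicity": "Asian", "selected": True}]  # declined sex self-ID
)
```

Keep the `n` column in whatever you send to Legal: a low ratio on a handful of candidates reads very differently from the same ratio on hundreds.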
Recipe 5 — Vendor onboarding gate
- Trigger: New AEDT_Name is added to register
- Actions: Require upload of (a) vendor bias audit summary, (b) data sheet, (c) security questionnaire, (d) DPA; open approval chain to Legal, then HR leadership; only then allow requisitions with AEDT_Name value to move to AEDT stages.
Policy language starters (drop into your handbook / offer flows)
- NYC AEDT Notice (excerpt): “We use an automated tool to evaluate the following job-related qualifications/characteristics: [list]. If you are a NYC resident, we will not use this tool to evaluate you until 10 business days after this notice. To request accommodation or an alternative assessment, contact [email].”
- Illinois AIVIA Disclosure (excerpt): “Before your video interview, we inform you that artificial intelligence may be used to analyze your interview and assess your fitness for the position; here is how it works and the general characteristics it evaluates. Please review and e-sign the AIVIA consent.”
- Maryland Facial Recognition Waiver (excerpt): “By signing, you consent to the use of facial recognition technology during your interview on [date].”
Reporting & publishing checklist (NYC-specific)
- ☐ Bias audit completed within the last year by an independent auditor.
- ☐ Summary of Results (selection/scoring rates, impact ratios) posted publicly with distribution date; link recorded in NYC_Summary_URL.
- ☐ 10 business days’ notice sent to NYC residents, including qualifications/characteristics assessed and how to request accommodation.
- ☐ Internal change log controls when AEDT versions change; re-validate audit currency.
Common pitfalls (and how your Rippling setup avoids them)
- “We posted the notice once on our site; we’re done.”
  → Your workflow re-notifies when a candidate advances into any AEDT-driven stage and logs the date.
- “Our vendor says they’re compliant, so we’re fine.”
  → EEOC guidance: you can still be liable. Keep your own audit evidence and impact-monitoring exports.
- “We don’t track residency vs. job location properly.”
  → Use Employee Graph attributes to compute NYC_In_Scope? (e.g., job location, agency location, or remote role tied to NYC office).
- “We forgot to delete a video after an IL request.”
  → Your 30-day deletion workflow with escalation prevents misses.
What to do this week
- Stand up the fields in Step A and populate your AEDT register.
- Load templates for NYC notice, IL AIVIA notice + consent, MD waiver.
- Ship the workflows for 10-day notice gating, IL/MD consent gates, and IL 30-day deletion.
- Lock down RBAC around EEO data and audit artifacts.
- Draft your NYC public web posting and link it in NYC_Summary_URL.
- Start your Colorado-ready risk register (even if you don’t operate in CO yet).
Final note
None of this replaces legal advice. But by making these safeguards “default-on” in Rippling, you’ll reduce scramble time during an audit, improve candidate transparency, and be ready as states expand AI rules.