New York City Local Law 144 is the kind of regulation that produces two completely different reactions from companies subject to it. The first reaction, when the law was new, was that it was vague, surely going to be amended, and not worth panicking over. The second reaction, after the first round of enforcement actions and the first round of plaintiff law firms taking interest, is that the law is real, the obligations are concrete, and the gap between thinking you comply and actually complying is where the trouble lives.
This is the practitioner view of what Local Law 144 actually requires of your organization, what auditors and counsel actually look for, and where the typical compliance posture falls short.
The basic shape of the obligation
Local Law 144 applies to employers and employment agencies that use an automated employment decision tool, abbreviated AEDT in the law, to substantially assist or replace discretionary decision-making for employment decisions affecting candidates or employees who reside in New York City or are applying for jobs based in New York City.
When the law applies, the employer has three principal obligations. The first is that the AEDT must be subject to a bias audit performed by an independent auditor, conducted within the year prior to use. The second is that the results of the most recent audit must be published on the employer's website in a specific format. The third is that candidates and employees must receive notice that an AEDT will be used, what categories of data will be collected, and how to request an alternative selection process or accommodation.
Each of those obligations sounds straightforward. Each of them contains specific traps that the typical compliance posture either misses or addresses superficially.
What "substantially assist or replace" really means
The most common mistake in scoping a compliance program is concluding that the law does not apply because the AEDT is "just one input" or "advisory only" to the human decision maker. The statutory definition is broader than that gloss admits, and the courts and the administering agency have interpreted it to include systems that produce a score, ranking, or recommendation that materially shapes the human decision, even when a person formally signs off.
The honest test is operational. If the human decision rarely or never deviates from the system's output, the system is substantially assisting the decision regardless of how the workflow is described. If the human deviates frequently and the deviations are documented, the system may genuinely be advisory.
The compliance position that says "we have a human in the loop, so the law does not apply" is one of the riskiest positions in the space. It is also the most common.
What an independent bias audit actually involves
The bias audit required under the law is not a theoretical exercise and not a vendor self-assessment. It is a measurement of the actual selection rates, scoring rates, or impact rates produced by the AEDT, broken down by sex category and by race-ethnicity category as required, and reported in the format specified by the law.
The audit must be performed by an independent auditor, defined in regulation as a person or organization that is not involved in using or developing the AEDT and that has no commercial relationship that would bias the results. The independence requirement is real and has been the subject of enforcement attention. Audits performed by the vendor of the AEDT or by a consultancy that helped design the AEDT are not independent.
The audit relies on data: either historical data showing actual outcomes from the AEDT in real use, or test data sufficient to estimate disparate impact. Most organizations, when they first attempt to comply, discover that they do not have the categorical data they need, because they did not collect it. The audit cannot proceed until the data exists, which often means a quarter of careful data collection before the audit can even start.
The audit produces specific metrics that must be reported in specific ways, including selection rates, impact ratios, and scoring rates by category. The publication format is prescribed. Glossing this with a generic "audit completed" notice is not compliance.
The publication and notice obligations are not optional
The published audit results must be on the employer's website, in a public location, in the format the law specifies, and the publication must be current within twelve months. Employers who let the publication go stale beyond twelve months and continue to use the AEDT are out of compliance regardless of whether the underlying audit was sound.
The candidate notice obligation is similarly specific. Candidates must be notified at least ten business days before the AEDT is used, must be told what categories of personal data the AEDT collects, and must be informed of the right to request an alternative selection process or accommodation. The notice can be posted on the employer's careers page or in the job posting itself, but it must contain the specific elements the law calls out.
Both of these obligations are documentation obligations. Documentation is what enforcement examines. An employer who has a clean audit but does not publish it correctly, or who has a sound notice practice but cannot demonstrate it, is in the same enforcement position as one who has neither.
The traps in the typical compliance posture
Several patterns reliably produce compliance postures that look adequate from inside the organization and inadequate from the outside.
The vendor's audit is treated as the employer's audit. Many AEDT vendors offer a generic bias audit they sponsor and publish on their site. The law puts the audit obligation on the user of the tool, not the vendor. A vendor-sponsored audit may be useful supporting material, but it is not the audit the employer is required to obtain.
The audit is conducted on test data that does not match the production population. The audit's value depends on the data being representative. An audit run on synthetic candidates or on a sample that does not reflect the actual applicant pool produces results that look quantitative and are not predictive of actual disparate impact.
The notice is hidden in a lengthy privacy policy. The notice obligation is its own requirement. An obligation to inform candidates is not satisfied by a buried clause in a privacy policy nobody reads. The notice should be conspicuous in the application flow.
The compliance review treats the law as a one-time project. Each AEDT in use must be audited within twelve months of the publication date. New tools, version changes, or material model updates each trigger a fresh audit obligation. A compliance program that audits once and considers itself done is operating on borrowed time.
Each of these patterns is correctable. The cost of correction goes up sharply once an inquiry is open, so the time to address them is before there is a reason to.
What an honest compliance posture looks like
For an organization seriously trying to comply, the posture has a few visible features.
There is an explicit list of every AEDT in use, who uses it, and what employment decisions it affects. The list is current and reviewed quarterly.
Each AEDT on the list has been audited within the last twelve months by a genuinely independent auditor, with audit data drawn from real applicant pools or from representative test data, and the results have been published in the prescribed format.
Each AEDT on the list has a documented candidate notice that meets the statutory elements, and a record of when each candidate was notified.
Each AEDT on the list has an alternative selection process available to candidates who request one, and the alternative is real, not pro forma.
There is a written policy describing the program, signed off by counsel, and refreshed when the law or the regulations change.
This posture does not eliminate enforcement risk, because no posture does. It does mean that an inquiry begins from a position where the documentation tells a coherent story, the audits are defensible, and the notice obligations have been met. That is the posture worth investing in. The cheaper postures save money in the short run and produce significantly more expensive outcomes when they meet a real challenge.
The work to install the honest posture is bounded. The work to recover from a deficient one is not.