California AI Hiring Rules: FEHA ADS Compliance Guide


If your organization uses AI or algorithmic tools anywhere in hiring, promotion, or screening decisions affecting California workers, you are operating under a new set of civil rights obligations. California's FEHA automated-decision system regulations, approved by the state's Civil Rights Council, took effect October 1, 2025. Bias testing, four-year recordkeeping, and vendor accountability are enforceable requirements, not aspirational goals.

This guide covers what the regulations require, where the risk sits in screening workflows, and the checklist for a compliance program that holds up under scrutiny.

shutterstock_2648916385.jpg


What California's FEHA ADS Regulations Require

The rules apply to any employer with five or more employees and at least one worker in California. Out-of-state companies are in scope through a single California hire.

They target "automated-decision systems": any computational process that makes or helps make a decision about an employment benefit, across hiring, promotion, pay, training selection, leave, discipline, and termination. Resume screeners, candidate-ranking algorithms, video interview analyzers, personality and cognitive assessments, and automated adjudication matrices used in background screening all qualify. Basic IT tools such as word processors and spreadsheets are excluded; the line is whether the tool shapes an employment decision.

Two points trip up employers most. First, if your screening provider uses rules-based logic to flag, clear, or recommend rejection of candidates based on criminal history, credit data, or employment verification results, that logic is an ADS. Second, adding a human reviewer at the end does not take you outside the rules: if the tool produces a score, ranking, or flag that a person then acts on, it is covered. For California screening requirements beyond ADS, see our California compliance guide.


Your 10-Step FEHA ADS Compliance Checklist for 2026

  1. Inventory every ADS in your hiring workflow, including ATS filters, assessments, video scoring, and automated adjudication matrices.
  2. Classify each tool by decision type and risk. Document which decisions it touches and which protected traits it could implicate.
  3. Confirm California coverage. Any position tied to a California-based employee triggers the rules, regardless of headquarters.
  4. Implement periodic bias testing. Test annually and after major updates, and record methodology, findings, and remediation.
  5. Require human review for high-stakes ADS decisions, especially automatic exclusions based on screening results or low scores.
  6. Build four-year recordkeeping infrastructure for inputs, outputs, criteria, decisions, and testing records.
  7. Provide clear ADS notice to applicants and employees, coordinated with your background check consent forms and adverse action notices.
  8. Create accommodation procedures: documented pathways to modify or bypass automated tools for disability or religious accommodations.
  9. Re-paper vendor contracts with shared responsibilities, audit rights, data access, and indemnification.
  10. Train HR, recruiters, and compliance staff on ADS identification, recordkeeping, and escalation.

One note before the detail: FEHA overlays but does not replace FCRA and Title VII, so your analyses and documentation should work across all three frameworks. FEHA's four-year retention window is the longest, so use it as your baseline.


Where the Risk Sits: Three Paths to Liability

Disparate treatment and adverse impact. A tool that explicitly considers a protected characteristic is the obvious violation. Adverse impact is the quieter one: neutral criteria that disproportionately exclude a protected group can violate FEHA without any discriminatory intent, whether that is a screener filtering for "cultural fit" or a model trained on historically skewed hiring data.

Prohibited pre-employment inquiries. Tools that infer protected traits conduct prohibited inquiries regardless of intent: video analyzers detecting accents or religious dress, and proxies like zip codes standing in for race or graduation year for age. California's Civil Rights Department has flagged video and biometric analytics as high discrimination risk, so any video scoring in your process should be a compliance priority.

Disability and medical inquiries. Assessments that effectively measure disability, such as timed cognitive games or questionnaires probing mental health indicators, can constitute unlawful medical inquiries. What matters is what the tool measures, not what the vendor labels it. Employers also carry an affirmative accommodation duty: build pathways to modify or bypass the ADS before anyone has to ask.

An automated matrix that recommends "no-hire" based on criminal history or credit data sits inside all three categories, and inside the wider AI hiring bias and compliance landscape employers are already navigating.

shutterstock_2746888655.jpg


Bias Testing and the Four-Year Record

The regulations do not prescribe an audit methodology, but proactive bias testing is treated as central to defending a claim, and regulators will weigh the quality, scope, and recency of yours. A defensible program documents each ADS, runs adverse impact analysis annually and after major updates, reviews models and input data for embedded bias and proxies, and remediates immediately when disparities surface, with every step documented. Testing must cover both the vendor's base model and your own configurations: a vendor-validated tool can still discriminate through your scoring weights or threshold settings. Human oversight of borderline and adverse decisions remains one of the strongest safeguards, which is why human verification in background checks matters more than ever.

California's approach is part of a growing national pattern that includes five AI hiring laws that could catch your company off guard in 2026, and its recordkeeping bar is the longest of them. That bar: keep all ADS-related documentation for a minimum of four years, in six categories. Inputs (resumes, test responses, recordings, scores); outputs (rankings, pass or fail decisions, flags); selection criteria and configuration; employment decisions linked to ADS recommendations; development and customization data; and bias-testing results with corrective actions. If your screening platform uses automated rules to clear, flag, or reject candidates, those rules and records are in scope for California positions, including the logic behind your automated adverse action process. For the screening layer, ask your provider what they document and how long they keep it; KRESS retains the records behind every background check it runs, which covers that piece of your four-year obligation.


Vendor Liability: Your Screening Provider Is In Scope

FEHA's expanded "agent" definition explicitly reaches third parties that perform recruitment, screening, hiring, or promotion functions through an ADS, and that can mean joint liability. A provider whose adjudication matrix produces disparate outcomes can be directly exposed; "we just provide the tool" is not a safe position.

Contract provisions worth demanding from every ADS vendor: FEHA responsibility allocation (who tests, who documents, who keeps records), anti-discrimination warranties, defined remediation timelines, data-sharing commitments that enable your four-year retention, and indemnification where outcomes trace to the vendor's base model. Understanding when an AI hiring score becomes a consumer report is the next step where FEHA meets federal screening law.

KRESS takes these obligations seriously. Our screening is built on human verification and transparent methodology, and we document what we check and how. The hiring decision always stays with you: KRESS supplies verified data and a documented process, never the decision.


Frequently Asked Questions

Does California's FEHA ADS law apply to employers based outside California?

Yes. Five or more employees anywhere plus one California-based worker puts your California-related employment decisions in scope, wherever the ADS is hosted.

Is bias testing required under the FEHA ADS regulations?

No mandatory audit format is prescribed, but proactive bias testing is the practical standard. Courts and regulators will evaluate the quality, scope, and recency of your testing when determining liability.

What records must I keep for four years?

Six categories: ADS input data, outputs, selection criteria and configuration, employment decisions linked to ADS recommendations, development and customization data, and bias-testing results with corrective actions.

Can my company be liable for AI bias in a vendor's tool?

Yes. FEHA's expanded "agent" definition means vendors providing ADS tools for employment decisions can be jointly liable with employers for discriminatory outcomes.

Are automated background check adjudication rules considered an ADS?

Yes. Automated rules or scoring that recommends hire, flag, or reject based on criminal records, credit data, or employment history qualifies, needs bias testing, and its records must be retained for four years for California positions.

How do FEHA ADS rules interact with FCRA and Title VII?

FEHA adds to federal obligations rather than replacing them. Employers still owe FCRA adverse action procedures and Title VII disparate impact standards; harmonize your analyses across all three using FEHA's four-year retention as the baseline.


These rules are live, and the four-year record clock is already running. If you are not sure whether your screening tools qualify as an ADS, or what your screening provider documents on your behalf, talk to us. KRESS will walk through the screening side of your setup, show you exactly what we check, document, and retain, and help you get that piece of the puzzle right. The wider ADS program, from bias audits to vendor contracts, belongs with your counsel and your HR tech vendors; we will tell you plainly where our lane ends. Get in touch today.

Join our Newsletter

Sign up for our monthly roundup of HR resources and news