When employers think about HR compliance, what they most often underestimate is the state and local complexity. There are still federal requirements that belong on every checklist, but the growing interaction of laws at the state and local level has made the regulatory environment significantly harder to manage. Gridlock at the congressional level means we don't see a lot of federal laws being passed to address issues, so states and localities are driving their own rules on pay transparency, paid leave, data privacy, and more.
Add remote work to the mix, and the complexity multiplies. You may be an employer with a small geographic footprint, but if you start hiring remotely to get the best talent, you now have to account for jurisdictions you may never have had to consider before. Small compliance steps—posting a notice, adding a statement to a handbook—start to add up and multiply. And yet, according to an HBR Analytic Services survey of HR leaders, while 87% say non-compliance poses significant business risk, only 67% call compliance a high priority at their organization.
After 15 years of working on compliance at Kelly, I've watched these obligations compound. What follows is the compliance checklist I'd build from scratch for any midsize or enterprise employer, covering the areas where I see the biggest gaps and the most costly mistakes.
Wage and hour violations remain the single most common source of employment claims, and the penalties keep climbing. In FY2025, the U.S. Department of Labor recovered $259 million in back wages for nearly 177,000 workers, the highest amount since 2019. This area trips up employers more than any other because the rules vary so much by state. California alone has local jurisdictions in the Bay Area where each municipality sets a different minimum wage. Nineteen states implemented minimum wage increases effective January 1, 2026, with more expected as the year progresses.
Getting worker classification wrong is expensive. One employer recently faced a $35.8 million judgment for misclassifying employees and denying overtime. Previous studies estimate that 10–30% of employers misclassify at least some workers as independent contractors, which means those workers miss out on overtime, workers' comp, and unemployment insurance. Federal and state authorities are actively challenging these arrangements through audits and litigation.
I-9 compliance is getting renewed attention. During the Biden administration, ICE rarely issued more than 300 Notices of Inspection per year to audit employers. Under the current administration, that number has exploded. According to OutSolve's 2025 research on I-9 enforcement trends, inspection rates in early 2025 were tracking at least tenfold higher than the year before, with enforcement levels approaching the 5,000-plus annual audits seen during Trump's first term. Penalties for I-9 violations include per-violation fines, and willful violations can carry criminal penalties.
Pay transparency has moved from a niche concern to a baseline expectation. Since late 2025, 16 states plus D.C. require employers to include salary ranges in job postings, including California, New York, Colorado, Illinois, Washington, New Jersey, and Massachusetts. Non-compliance fines run from $250 to $10,000 per violation in some states. Many employers I work with have chosen to post salary ranges on all U.S. job listings for consistency rather than tracking each jurisdiction's rules individually.
Leave coordination has become one of the most operationally complicated compliance areas. FMLA, ADA, state paid family leave, local paid sick leave — these all interact with each other, and whether you can run them concurrently depends on the jurisdiction. According to the National Conference of State Legislatures, 13 states plus D.C. now have mandatory paid family and medical leave programs, 20 states plus D.C. require paid sick leave, and another 10 states have created voluntary paid leave options through private insurers. Layer in dozens of counties and cities with their own requirements, and the coordination burden adds up fast.
Equal Employment Opportunity Commission (EEOC) charge filings have climbed three years running. In FY2024, the agency received 88,531 new charges — a 9% increase over the prior year — and secured nearly $700 million in recoveries for over 21,000 workers, the highest monetary recovery in the agency's recent history. Retaliation remains the most common charge category, followed by harassment, disability discrimination, race discrimination, and sex discrimination. The Pregnant Workers Fairness Act, which took effect in 2023, now requires accommodations for pregnancy and childbirth-related conditions similar to the ADA interactive process, and the EEOC filed its first lawsuits under the act in FY2024. The EEOC also announced plans to increase focus on religious accommodations and DEI-related discrimination.
Employee data privacy and AI governance is the area that's growing fastest and appearing least often on traditional HR checklists. Colorado's Privacy Act was amended in 2024 to extend biometric data protections to employees, with new notice and consent requirements taking effect July 1, 2025. California's CCPA/CPRA already applies to employee data, but new rules around automated decision-making technology (ADMT) took effect January 1, 2026, requiring risk assessments, advance notice, and opt-out rights for covered employers using automated tools in significant employment decisions. Additional requirements for cybersecurity compliance are set to take effect in 2027, but may require significant work in 2026. The Illinois Biometric Information Privacy Act has produced staggering litigation — more than 1,500 BIPA lawsuits have been filed since 2019, with individual settlements reaching into the hundreds of millions. Meanwhile, New York City's Local Law 144, which took effect in July 2023, requires annual bias audits of ADMT hiring tools and candidate notification about AI usage. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) creates a comprehensive regulatory framework for AI usage within the state, while a December 2025 Executive Order from President Trump sought to preempt state AI laws. As of early 2026, at least 22 states have pending AI legislation.
If you're collecting biometric data (fingerprints for time clocks, facial recognition), using AI tools for resume screening or candidate assessments, or monitoring employee productivity through software, you need to understand the legal requirements in each jurisdiction. This area of law is moving quickly, and I'd encourage any employer to add it to the top of their compliance watchlist.
OSHA conducted 34,625 workplace inspections in FY2024 and has continued to increase civil penalties. As of January 2025, a single serious violation can now cost up to $16,550, and willful or repeat violations exceed $165,514 each. Beyond fines, non-compliance can lead to operational shutdowns and, in cases where willful violations result in worker death, criminal liability.
Documentation is the thing that separates a defensible position from a losing one. When you're dealing with a state agency, they're going to expect proof. Without it, they take the employee's word. That's just how agencies operate, and it holds true in litigation as well. Having a policy on paper that isn't consistently followed can be worse than having no policy at all; it creates an expectation that something was being done, and when it wasn't, you've already dug yourself into a hole before the claim even starts.
Consistency matters just as much. If documentation practices are strong in one location and nonexistent in another, that inconsistency can itself become evidence of discriminatory application. A 2024 survey found that 47% of small and midsize organizations have established formal HR compliance checklists, and 38% are investing more in compliance training. Those numbers should be higher.
The difference between a proactive and reactive compliance program usually becomes obvious the moment something goes wrong. In a reactive setup, you learn about a new requirement when you get an administrative claim. Someone posts a job without a required salary range in a jurisdiction that mandates it, and you find out from a complaint that could become a class action. By then, you're scrambling.
With a proactive program, you've mapped your geographic footprint. You've assessed risks based on where your employees sit and what laws apply there. You've built a monitoring cadence—whether that's law firm newsletters, paid legislative tracking services, or a dedicated compliance team—so that when a new state passes a salary transparency law, you flip it on in your talent acquisition system before anyone files a complaint.
A final note: compliance is specific to your industry, not just your headcount and geography. If you're a defense contractor, you've got International Traffic in Arms Regulations (ITAR) and Export Administration Regulation (EAR) rules layered on top of everything above. Financial services companies deal with the Financial Industry Regulatory Authority (FINRA). Healthcare employers have their own set of patient privacy and safety mandates. The checklist above covers the employment law baseline, but every employer should add an industry-specific layer.
The employers who invest in compliance on the front end are the ones who spend less on the back end responding to claims, lawsuits, and audits. There's no scenario where the work goes away, but the organizations that treat compliance as an ongoing discipline rather than a one-time project are the ones that protect their people, their reputation, and their bottom line. Build the program, staff it properly, and keep it current.