RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 16, 2026

CCPA Compliance for AI Recruiting & Resume Screening Tools 2026

The applicant-data exemption that used to shield hiring from CCPA is gone. If your company uses AI to scan resumes, score candidates, or rank applicants, every one of those inferences is personal information California job seekers have rights over.

2023
Year the employee/applicant CCPA exemption expired
Scores count
AI fit scores and rankings are covered personal information
$7,500
Per intentional violation, multiplied across every rejected applicant record

Why Recruiting Data Is Now Fully in Scope

Before 2023, CCPA carved out a temporary exemption for employee and job applicant personal information — the theory being that HR data was a different animal from consumer data. That carve-out sunset on January 1, 2023, and was never renewed.

Since then, any resume, cover letter, interview recording, background check result, or AI-generated screening output tied to a California applicant is personal information under the same rules that apply to your customers. That includes applicants you never hire — rejection doesn't end the compliance obligation.

What AI Recruiting Tools Actually Collect and Generate

IN SCOPE
Raw Applicant Submissions
Resumes, cover letters, portfolio links, video interview recordings
IN SCOPE
AI-Generated Screening Scores
Fit scores, keyword-match rankings, predicted tenure or performance ratings
IN SCOPE
Sentiment and Communication Analysis
Tone analysis from video interviews, speech pattern scoring, personality inference
IN SCOPE
Sourced and Enriched Profiles
Data pulled from LinkedIn or third-party enrichment tools and merged into a candidate profile
EXEMPT
Aggregate Hiring Funnel Statistics
De-identified pass-through rates by stage with no individual re-identification possible

The Recruiting AI Compliance Checklist

1. Applicant-Facing Disclosures
  • Disclose at the point of application that AI is used to screen or score candidates
  • Name the categories of data collected and how long each is retained
  • State whether resumes and interview data are used to train or improve the AI model
  • Provide a notice of applicant rights (access, deletion, correction) at or before collection
2. Rights Infrastructure for Applicants
  • Build a request path for applicants to access their screening data and scores
  • Support deletion requests, including AI-generated inferences, not just the raw resume
  • Offer correction for inaccurate parsed data (misread employment dates, skills, degrees)
  • Respond within CCPA's 45-day window even for applicants never hired
3. Automated Decision-Making Disclosures
  • Identify every point where AI screening output affects an employment decision
  • Disclose the logic categories used (skills match, experience match, predicted fit) in plain language
  • Offer a path to request human review of an AI-driven rejection where required
  • Log which decisions were fully automated versus human-reviewed
4. Vendor and Recruiting Platform Contracts
  • Confirm your recruiting AI vendor is a CCPA service provider, not a third party free to reuse applicant data
  • Prohibit the vendor from using your applicants' data to train models sold to other customers
  • Require contractual deletion of applicant data on your instruction, including any derived scores
  • Audit background-check and enrichment integrations for the same service-provider terms

Retention Is the Most Common Gap

Most recruiting AI compliance gaps show up in retention, not disclosure. Companies publish a reasonable-sounding privacy policy, then keep every rejected applicant's resume and AI score indefinitely — often because the recruiting platform's default setting is "keep forever" so future roles can be matched against old candidates.

That default conflicts with CCPA's purpose-limitation and disclosed-retention-period requirements unless the retention period and reuse purpose are actually disclosed to applicants at collection. Check your recruiting platform's retention settings — don't assume the vendor's default is compliant just because it's the default.

Frequently Asked Questions

We're a small startup — do CCPA's recruiting rules still apply to us?

CCPA applies once you meet one of its thresholds: over $25M in annual revenue, 100,000+ California consumers' data processed per year (this can include applicants, not just customers), or 50%+ of revenue from selling personal information. A high-volume hiring push using AI screening can push even a small company's applicant data volume toward the 100,000 threshold faster than expected.

Does using a third-party AI recruiting platform shift compliance responsibility to them?

No. As the business collecting applicant data, you remain responsible for CCPA compliance even when a vendor's AI does the screening. You need a service-provider contract with the vendor, but the disclosure, rights-request, and retention obligations to applicants stay with you.

Do we need to tell applicants specifically which AI tool we use to screen them?

CCPA doesn't require naming the specific product, but it does require disclosing that automated processing occurs and describing, in general terms, the logic involved and the categories of data used. Some emerging automated-decision-making regulations may require more detail — check current CPPA guidance before finalizing your disclosure language.

Audit Your Recruiting Stack Before Your Next Hiring Push

Recruiting AI compliance gaps compound with volume — the more resumes your AI processes, the more exposure sits in retained data and undisclosed scoring logic.

Start by pulling your recruiting platform's data retention settings and vendor contract terms. If either one says "indefinite" or is silent on service-provider status, that's the gap to close first.