Key Takeaways
- Examines how AI-driven hiring and applicant screening tools interact with the CCPA’s new risk assessment requirements.
- Identifies the CCPA risk assessment triggers most likely to apply—including automated decision-making and systematic observation of applicants.
Artificial intelligence has made significant inroads into the hiring process. Employers increasingly rely on AI-driven tools to screen resumes, analyze video interviews, administer automated assessments, and score candidates against job-fit models. These tools promise greater efficiency and, in theory, more consistent evaluation. They also collect and generate a substantial amount of personal information about job applicants—information that, under the CCPA’s updated regulations, may require a formal risk assessment before or during use.
If your organization is a “business” under the CCPA and is using AI-powered hiring or applicant screening technology, the following analysis will help you evaluate whether a risk assessment is required. If you have not yet confirmed that the CCPA applies to your organization, see our CCPA FAQs, which address this and other provisions of the CCPA.
What AI Hiring Tools Typically Do
AI-powered hiring tools span a wide range of functions. Resume parsing and ranking tools use machine learning to score applications against predefined criteria. Video interview platforms analyze candidates’ facial expressions, word choice, and vocal patterns to generate personality or culture-fit assessments. Automated chatbots conduct initial screening interviews and assess responses. Skills assessment platforms measure cognitive ability, personality traits, and job-relevant competencies through adaptive tests scored by AI. Across all of these tools, the common thread is that personal information about applicants is being processed automatically to evaluate them and, directly or indirectly, to inform hiring decisions.
CCPA Risk Assessment Triggers for Hiring AI
The updated CCPA regulations identify several processing activities that require a risk assessment. Employers using AI hiring tools should evaluate whether any of the following apply:
Automated Decision-Making Technology (ADMT). A risk assessment is required when a business uses ADMT to make or contribute substantially to “significant decisions” about consumers. The regulations expressly identify employment opportunities and compensation among the categories of significant decisions. Accordingly, an AI tool that ranks, scores, advances, or eliminates applicants may be using ADMT to contribute to significant employment decisions—a straightforward risk assessment trigger. Employers should not assume that a human reviewer at the end of the process eliminates this obligation; the regulations focus on meaningful contribution to the decision, not exclusive AI control.
Systematic Observation of Applicants. The regulations also require a risk assessment when a business profiles a consumer through systematic observation when the individual is acting in the capacity of a “job applicant.” Systematic observation expressly includes “video or audio recording or live-streaming” and “technologies that enable physical or biological identification or profiling.” The more popular AI notetaking tools, or even AI video interviewing platforms that record candidates and/or analyze their facial expressions and speech patterns, may satisfy these elements.
Sensitive Personal Information. To the extent a hiring tool processes biometric information—such as voice patterns or facial geometry—as part of its analysis, that processing independently triggers a risk assessment as processing of “sensitive personal information.” Biometric information is expressly included in the CCPA’s definition of sensitive personal information, and employers should not assume the human resources exception is broad enough to cover biometric processing in the hiring context.
Training AI on Applicant Data. A risk assessment is also required when personal information is processed to train ADMT for significant decisions, or to train facial recognition or biometric technology. Employers that allow their hiring platform vendors to use applicant data to train or refine their models should evaluate whether this use independently triggers an assessment obligation.
Other State Law Considerations
Several states have enacted laws specifically targeting AI in hiring. Illinois’s Artificial Intelligence Video Interview Act imposes consent and anti-discrimination requirements for video interview AI. New York City’s Local Law 144 requires, among other things, bias audits for automated employment decision tools used by covered employers. Maryland prohibits facial recognition in pre-employment interviews without consent. Colorado recently replaced its AI law, which includes obligations to provide consumers (including job applicants) notice prior to using automated decision-making technology that will materially influence a consequential decision. To help manage and comply with this growing patchwork of AI regulation, businesses using AI hiring tools should map their tools against each of these requirements, which may operate independently of the CCPA.
Next Steps for Employers
Employers should catalog each AI hiring tool in their technology stack, document the personal information each collects and processes, and assess the functionalities of these tools, such as whether they are making or contributing to significant employment decisions, conducting systematic observation of applicants, or processing biometric or other sensitive personal information. Where any of those conditions are met, a CCPA risk assessment may be required.
Part 2 of our post on CCPA risk assessments details the procedural requirements for completing the assessment, including what the risk assessment report must contain and the obligation to certify the assessment to the CPPA. The assessment must weigh the risks to consumer privacy against the benefits of the processing—a genuine balancing exercise, not a formality.