What Is the CCPA? A Recruiter’s Guide to California’s Privacy Law

If your organisation collects data from California residents, including job applicants, the California Consumer Privacy Act applies to you. The CCPA started as a consumer-facing regulation, but a critical legal shift in 2023 ended the HR exemption that had sheltered recruiters and people teams from its full requirements.

Today, every qualifying employer that hires in California must treat candidate data with the same transparency and care it extends to any consumer. This guide explains what the CCPA is, how it applies to hiring and recruitment, what candidates can now demand of you, and how AI video interviewing platforms factor into your compliance obligations.

CCPA Definition

The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents specific rights over the personal information that businesses collect about them. Signed into law in 2018 and effective from January 2020, it was later expanded by the California Privacy Rights Act (CPRA) in 2023, which removed the employment data exemption and brought HR and recruitment data fully within scope.

The CCPA gives individuals the right to know what data is being collected, request its deletion, opt out of its sale, and not face discrimination for exercising these rights. For HR teams, this means job applicants are now treated as consumers with the same enforceable privacy rights as any of your business’s customers.

What Does CCPA Stand For and When Does It Take Effect?

CCPA stands for California Consumer Privacy Act. It took effect on January 1, 2020. The employment-data exemption, which had limited its HR applicability, expired on January 1, 2023, when the CPRA amendments took effect. Since that date, employees, contractors, and, critically, job applicants have the same privacy rights as any other California consumer under the law.

How CCPA Differs From GDPR: Key Distinctions

CCPA and GDPR share a common purpose in protecting personal data, but operate differently. GDPR applies globally to any organisation processing EU resident data and requires a lawful basis for every processing activity. CCPA is a California state law and applies only to qualifying for-profit businesses. GDPR is opt-in by design; CCPA is primarily opt-out. GDPR carries higher penalties and stricter consent requirements for sensitive data. For organisations that hire across both geographies, both laws apply, and building a CCPA-compliant process often lays the groundwork for broader compliance.

Does the CCPA Apply to HR and Recruitment?

For most of its early years, the CCPA contained an explicit exemption for employment-related data. That exemption no longer exists.

The End of the HR Exemption: What Changed in 2023

Before January 1, 2023, HR departments had limited CCPA obligations. The California Privacy Rights Act changed that permanently. As of 2023, any personal information collected from job applicants, employees, or contractors is subject to the full suite of CCPA consumer rights. This means your candidate data (resumes, assessment results, interview recordings, and evaluation notes) must be handled with the same transparency and responsiveness as customer data.

Which Employers Are Subject to CCPA Requirements?

The CCPA applies to for-profit businesses operating in California that meet at least one of the following thresholds:

  • Annual gross revenue exceeding $25 million
  • Annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households
  • Deriving 50% or more of annual revenue from selling or sharing personal information

If your organisation hires in California and meets any of these criteria, CCPA applies to your recruitment process regardless of where your headquarters is located.

What Counts as Personal Information Under CCPA in an HR Context

CCPA’s definition of personal information is broad. In recruitment, it includes:

  • Identifiers: name, email address, phone number, IP address, social security number
  • Professional and employment information: work history, education records, performance assessments
  • Sensitive personal information: racial or ethnic origin, religious beliefs, biometric data, health information
  • Inferences drawn from any of the above, including AI-generated candidate scores or assessments

What Rights Do Job Applicants Have Under CCPA?

Since the 2023 end of the HR exemption, California job applicants have three core rights that employers must be prepared to honour.

Right to Know What Data You’ve Collected and Why

Candidates can submit a Request to Know, asking you to disclose what categories of personal information you have collected about them, the specific pieces of data collected, and the purposes for which it was used. You must respond to verifiable requests within 45 days. This is operationally demanding for HR departments with large applicant volumes, which is why having structured data inventories and documentation in place before requests arrive is essential.

Right to Delete: Responding to Candidate Deletion Requests

Candidates can request that you delete their personal information. Unlike GDPR’s right to be forgotten, which has several exceptions, CCPA deletion requests carry significant weight. You must comply unless a specific legal exception applies, such as completing a transaction the person requested, detecting security incidents, or complying with a legal obligation. Build a clear, documented intake process for these requests with defined response timelines.

Right to Opt Out and Non-Discrimination Protections

Candidates have the right to opt out of the sale or sharing of their personal information. For most employers, this primarily matters when candidate data is shared with third-party vendors or recruitment platforms. CCPA also contains an explicit non-discrimination provision: candidates cannot be penalised, denied a role, given a less favourable process, or treated differently for exercising any of their CCPA rights.

What Must Employers Do to Stay CCPA-Compliant in Hiring?

Compliance requires action before the first application arrives, not in response to a candidate request.

Pre-Collection Notice: Disclosing Data Categories Before You Collect Them

CCPA requires that you provide a pre-collection notice at or before the point you collect candidate data. This notice must specify every category of personal information you intend to collect and the purpose for which each category will be used. It must be delivered in your job postings, application forms, or career site, not buried in a privacy policy that candidates have to hunt for. Simply having a privacy policy posted somewhere is not sufficient.

Data Processing Agreements with Third-Party HR Vendors

Any third-party service provider that handles candidate data on your behalf, whether your ATS, your video interviewing platform, or your skills testing tool, must have a written service provider agreement that limits its use of that data to providing the contracted service. CCPA prohibits service providers from retaining, using, or disclosing candidate data for any purpose outside that contract. Review your existing vendor agreements for compliance gaps, particularly for tools integrated after 2023.

Building an Intake Process for Candidate Privacy Requests

Before a candidate submits their first request to know or delete, you need a functioning process to verify their identity, locate their data across your systems, and respond within the required timeframe. Build this intake process proactively. Designate clear ownership, whether within HR, legal, or a dedicated privacy function, and test the workflow before it is needed.

How CCPA Applies to AI Video Interviewing Platforms

AI video interviewing introduces specific considerations under CCPA that go beyond standard resume handling.

Video Response and Behavioral Data as Personal Information Under CCPA

A candidate’s recorded video interview response is personal information under CCPA: it contains their likeness, voice, and name at a minimum. If your platform generates AI-based assessments from those responses, scoring communication patterns, tone, empathy signals, or role fit, the resulting data is also personal information derived from the candidate. It must be disclosed in your pre-collection notice, protected appropriately, and available for deletion on request.

Sensitive Data Considerations: Biometric and Inferred Data

CCPA’s 2023 expansion introduced specific protections for sensitive personal information, which includes biometric data and inferences drawn about a person based on their characteristics. AI video analysis that processes facial geometry, speech patterns, or emotional state may generate data that qualifies as sensitive under CCPA. If your platform does this, candidates must be informed, and you must provide a mechanism for them to limit your use of that sensitive data.

How VidHirePro Supports CCPA-Compliant Candidate Data Handling

VidHirePro’s platform is built to support your CCPA obligations at every stage of the video interview workflow. Candidate data collection is disclosed transparently at the point of invitation. Interview response data is stored securely, retained for defined periods, and deletable on request. Our AI scoring engine uses explainable assessment logic, not opaque black-box inference, so you can document and defend every scoring output. See our GDPR compliance policy for a full overview of our data protection framework, which covers CCPA obligations for US-based hiring teams.

Frequently Asked Questions About CCPA in Recruitment

Does CCPA Apply to Candidates Outside California?

CCPA applies to California residents, defined as people who reside in California, regardless of where they are physically located at the time of application. If a candidate lives in California but is applying for a remote role based in another state, CCPA still governs how you handle their data. Non-California residents are not covered by CCPA, though other state privacy laws, such as Virginia’s VCDPA or Colorado’s CPA, may apply depending on location.

What Are the Penalties for CCPA Non-Compliance?

The California Attorney General can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. In high-volume hiring environments where the same non-compliant practice is applied to thousands of applicants, these per-violation figures accumulate quickly. CCPA also creates a private right of action for data security breaches, meaning candidates can sue your organisation directly if their personal information is exposed due to inadequate security measures.

CCPA compliance in recruitment is no longer optional for qualifying California employers. The HR exemption is gone, the enforcement landscape is active, and candidates have real rights over the data you collect. Build your pre-collection notices, audit your vendor agreements, and document your data flows before a request arrives, not after.

Ready to see how a compliant video interviewing platform handles California candidate data? Contact VidHirePro’s team to discuss how our platform supports your CCPA obligations.

 

© 2024 VidHirePro
