Excerpted from a JDSUPRA Blog by Joseph Lazzorotti of Jackson Lewis P.C.

Artificial intelligence has made significant inroads into the hiring process. Employers increasingly rely on AI-driven tools to screen resumes, analyze video interviews, administer automated assessments, and score candidates against job-fit models. These tools promise greater efficiency and, in theory, more consistent evaluation. They also collect and generate a substantial amount of personal information about job applicants—information that, under the CCPA’s updated regulations, may require a formal risk assessment before or during use.

If your organization is a “business” under the CCPA and is using AI-powered hiring or applicant screening technology, the following analysis will help you evaluate whether a risk assessment is required. If you have not yet confirmed that the CCPA applies to your organization, check out our CCPA FAQs, which address this and other provisions of the CCPA.

What AI Hiring Tools Typically Do

AI-powered hiring tools span a wide range of functions. Resume parsing and ranking tools use machine learning to score applications against predefined criteria. Video interview platforms analyze candidates’ facial expressions, word choice, and vocal patterns to generate personality or culture-fit assessments. Automated chatbots conduct initial screening interviews and assess responses. Skills assessment platforms measure cognitive ability, personality traits, and job-relevant competencies through adaptive tests scored by AI. Across all of these tools, the common thread is that personal information about applicants is being processed automatically to evaluate them and, directly or indirectly, to inform hiring decisions.

CCPA Risk Assessment Triggers for Hiring AI

The updated CCPA regulations identify several processing activities that require a risk assessment. Employers using AI hiring tools should evaluate whether any of the following apply:

Automated Decision-Making Technology (ADMT). A risk assessment is required when a business uses ADMT to make or contribute substantially to “significant decisions” about consumers. The regulations expressly identify employment opportunities and compensation among the categories of significant decisions. Accordingly, an AI tool that ranks, scores, advances, or eliminates applicants may be using ADMT to contribute to significant employment decisions—a straightforward risk assessment trigger. Employers should not assume that a human reviewer at the end of the process eliminates this obligation; the regulations focus on meaningful contribution to the decision, not exclusive AI control.

Systematic Observation of Applicants. The regulations also require a risk assessment when a business profiles a consumer through systematic observation when the individual is acting in the capacity of a “job applicant.” Systematic observation expressly includes “video or audio recording or live-streaming” and “technologies that enable physical or biological identification or profiling.” The more popular AI notetaking tools, or even AI video interviewing platforms that record candidates and/or analyze their facial expressions and speech patterns, may satisfy these elements.

Sensitive Personal Information. To the extent a hiring tool processes biometric information—such as voice patterns or facial geometry—as part of its analysis, that processing independently triggers a risk assessment as processing of “sensitive personal information.” Biometric information is expressly included in the CCPA’s definition of sensitive personal information, and employers should not assume the human resources exception is broad enough to cover biometric processing in the hiring context.

Next Steps for Employers

Employers should catalog each AI hiring tool in their technology stack, document the personal information each collects and processes, and assess the functionalities of these tools, such as whether they are making or contributing to significant employment decisions, conducting systematic observation of applicants, or processing biometric or other sensitive personal information. Where any of those conditions are met, a CCPA risk assessment may be required.
