What You Need to Know in 60 Seconds
As an ICIMS or ATS administrator, here’s a scenario worth taking seriously: your company is US-based, you’ve never opened an EU office, and a compliance bill just landed in your inbox anyway. Here’s why that happens more than it should — and what to do about it.
US-based companies are not exempt from GDPR, the EU AI Act, or a growing stack of state privacy laws. The data follows the candidate, not your mailing address. Here is the short version:
- GDPR applies the moment an EU candidate’s data enters your system, regardless of where your company is headquartered.
- The EU AI Act classifies AI-assisted screening tools as high-risk, with real documentation and oversight requirements now in effect.
- CCPA applies to California residents in your ATS pipeline, not just California-based employers.
- State privacy laws in Virginia, Colorado, Texas, and eight more states add overlapping obligations that are not identical to each other.
- BIPA governs any biometric data collection in your hiring process and carries a private right of action with statutory damages per violation.
- Talent pools are one of the most legally exposed features in any ATS if consent and retention are not actively managed.
- Data retention is a configuration problem, not just a policy problem. What your system actually does is what regulators look at.
- Cross-border data transfers require a legal mechanism, not just a vendor agreement you have not read.
- Candidate rights (access, deletion, opt-out) generate real response deadlines across every major framework.
- Your vendor’s compliance is not your compliance. The configuration inside your ATS instance is your responsibility.
Bonus: GDPR compliance is a strong baseline that covers most of the landscape, but BIPA, CCPA’s opt-out structure, the EU AI Act, and OFCCP obligations for federal contractors each require separate attention.
Here’s a scenario that plays out more often than it should: a US-based company hires a few candidates in London, posts some jobs in Germany, or receives applications from a global talent pool for an open position through its ATS. Nobody panics. But nobody updates the privacy policy either, and nobody tells the ATS system admin managing the system. And then, somewhere between eighteen months and three years later, a regulator, a candidate, or a class-action attorney shows up with a very expensive question.
The answer to that question, more often than not, starts with your applicant tracking system.
If you think GDPR is someone else’s problem, or that a US mailing address insulates you from international data law, this article is for you. And even if you never recruit outside the fifty states, stick around, because the US privacy law landscape has gotten complicated fast, and your ATS is sitting right in the middle of it.
Here are ten things you need to know to keep your hiring tech from becoming a liability.
1. GDPR Applies to You If You Touch EU Candidate Data, Period
The General Data Protection Regulation does not ask where your headquarters is. It asks where your candidates are. If you have an EU citizen’s resume in your database, whether they applied through a job board, a referral, or a talent pool campaign, GDPR governs how you handle that data.
This is not a loophole. It is one of the most deliberately broad jurisdictional frameworks ever written into privacy law. The rule is simple: if you process personal data of individuals in the European Union in connection with offering goods or services, or monitoring their behavior, you are covered. Recruiting is both.
The operational implication for your ATS is significant. Your consent practices must be lawful, specific, and documented. You must define a retention window for all candidate data. Candidates have the right to access, correct, and erase their records. If your ICIMS configuration is not built to support those workflows, you are already out of alignment. Working with an experienced ICIMS consultant who understands global compliance requirements is one of the fastest ways to close that gap.
What the enforcement record looks like: France’s data protection authority fined Google €50 million in 2019 for using blanket consent forms and pre-ticked boxes that did not meet GDPR’s standard for valid, specific consent. In 2023, Meta was hit with a record €1.2 billion penalty for transferring EU user data to US servers without adequate safeguards. These are not niche penalties handed down to obscure companies. They are some of the largest technology companies in the world, with entire legal departments dedicated to this, and it still cost them.
2. The EU AI Act Is Coming for Your Screening Tools
The EU Artificial Intelligence Act, now in staged rollout, classifies certain AI applications as high-risk, and AI-assisted recruitment tools sit squarely on that list. That means resume screening algorithms, automated ranking, candidate scoring, and any tool that uses AI to influence a hiring decision is subject to a new tier of regulatory scrutiny.
Under the Act, high-risk AI systems must include transparency disclosures to candidates, human oversight mechanisms, technical documentation of the model’s training data and logic, and conformity assessments. If your ATS vendor has baked AI scoring or matching into their product, and most of them have, you need to know exactly what it does and how it is governed.
This is not theoretical risk for future consideration. The first enforcement provisions took effect in 2024, and the EU continues rolling out broader application-layer requirements through 2025 and 2026. If you are using ICIMS or any ATS with AI-assisted features and you have any EU footprint at all, this belongs on your compliance roadmap now.
A cautionary tale from a US-based AI company: Clearview AI, headquartered in New York, has accumulated more than €90 million in fines across France, Italy, the Netherlands, Greece, and Austria for processing biometric data of EU residents without legal basis, without consent, and without transparency. The Dutch DPA’s most recent fine alone was €30.5 million. Clearview’s response was to argue that because it had no EU presence, the GDPR did not apply. Regulators disagreed. Processing EU residents’ data from a US address does not put you outside their reach. It just makes collecting the penalty harder.
3. CCPA Is Not Just a California Problem
The California Consumer Privacy Act, and its successor CPRA, created enforceable privacy rights for California residents: the right to know what data you have collected, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising those rights.
The catch is that “California residents” means anyone who lives in California, not just people who applied to California-based jobs. If a candidate in San Francisco applies to your company through your careers site, your obligations follow them regardless of where your office is.
The CCPA thresholds are low enough to catch most growth-stage companies. If you do business in California and meet any one of three criteria (annual gross revenue over $25 million, buying or selling data on 100,000 or more consumers annually, or deriving 50% or more of annual revenue from selling consumer data), the law applies to you and you are legally obligated to comply with it. For most companies with active ATS pipelines, the data volume threshold alone is enough to trigger that obligation.
The enforcement trend is accelerating: In 2022, Sephora paid $1.2 million to settle CCPA violations for failing to disclose that it was selling consumer data and not honoring opt-out requests. In 2024, DoorDash paid $375,000 for sharing customer data through a marketing cooperative without proper notice. The California AG has since issued its largest CCPA penalty on record at $1.55 million, and regulators have explicitly signaled that enforcement sweeps are ongoing. The fines are real, and they are growing.
4. State Privacy Laws Are Multiplying and They Are Not Identical
California did not stay lonely for long. Virginia, Colorado, Connecticut, Texas, Montana, Indiana, Iowa, and Tennessee have all passed comprehensive consumer privacy legislation, with more states working through their legislative calendars every year. Each law has its own thresholds, definitions, exemptions, and rights frameworks.
This is not a copy-paste situation. Virginia’s CDPA has a different approach to sensitive data than Colorado’s CPA. Texas has no revenue threshold. The definitions of “sale of data” vary enough to require individual analysis.
For your ATS, this means your candidate data handling policies need to be flexible enough to accommodate multiple frameworks simultaneously. Consent capture, data retention schedules, and deletion request workflows need to scale across jurisdictions, not just check a box for one. ICIMS consulting engagements that include compliance architecture are increasingly focused on exactly this kind of multi-state configuration design.
5. Biometric Data Laws Have Very Little Patience
If your hiring process includes any step that collects biometric information (think video interviews with facial analysis, voice pattern assessment, or physical screening), you have a separate layer of exposure that operates independently of general privacy law.
Illinois’ Biometric Information Privacy Act (BIPA) is the most aggressive framework in the US. Employers must obtain explicit written consent before collecting biometric data, maintain specific retention and destruction policies, and refrain from selling or profiting from that data. And it has a private right of action, meaning individual candidates can sue you directly.
The numbers are not hypothetical: Facebook settled a BIPA class action for $650 million in 2021 over its facial recognition features. White Castle faced estimated exposure exceeding $17 billion under the prior per-scan damages model before the Illinois legislature amended the law in 2024. That amendment capped liability at one recovery per person rather than one per scan, which reduced worst-case exposure significantly. But the consent and notice requirements themselves did not change. Companies still need written consent policies in place before any biometric data is collected. Texas and Washington have their own biometric statutes, and more states are following.
6. Talent Pools Are a Consent Management Minefield
The talent pool is one of the most valuable features in any modern ATS and one of the most legally exposed if it is not configured correctly. Candidates who applied for a specific role two years ago never agreed to receive indefinite marketing, outreach about unrelated positions, or ongoing retention in your system beyond the point their data serves a purpose.
Under GDPR, legitimate interest is not a blanket permission slip. Under CCPA, retention without purpose runs headlong into the right to deletion. Under multiple state frameworks, automated marketing communications to prior candidates may trigger additional notice and consent requirements.
If your talent pool strategy does not include a documented consent basis, re-consent workflows, and a defined expiration policy, you are holding a data set that is working against you. This is a core area where ICIMS managed services can help teams maintain ongoing governance rather than letting configurations drift.
Why LinkedIn’s $334 million fine matters to you: In October 2024, Ireland’s Data Protection Commission fined LinkedIn €310 million for using member data for behavioral analysis and targeted advertising without valid consent. The core finding was that the consent LinkedIn obtained was not freely given, sufficiently informed, or specific enough to satisfy GDPR. Talent pool campaigns and candidate marketing operate on the same legal logic. If your ATS is sending automated outreach to candidates without a documented, compliant consent basis, the risk framework is identical.
7. Data Retention Is a Policy AND a Configuration Problem
“We delete inactive candidates after two years” is a policy. Whether your ATS actually does that, consistently, across all requisitions, all sourcing channels, all talent pools, and all integrations, is a configuration question.
This distinction matters enormously in a compliance investigation. Regulators and plaintiffs are not interested in what your policy document says. They are interested in what your system did. If candidate data is lingering in your ATS past documented retention windows because a scheduled purge was never set up, or because a connected HRIS retained the records, or because a data export to a spreadsheet bypassed your controls entirely, the policy is not a defense.
Building retention logic into your ATS configuration is not optional compliance hygiene. It is the actual compliance work. If you are not sure whether your current setup reflects your stated policies, an ICIMS optimization review is a good place to start.
8. Cross-Border Data Transfers Require More Than Good Intentions
If you are transferring candidate data between the US and the EU, you need a legal mechanism to do it. The EU-US Data Privacy Framework, SCCs (Standard Contractual Clauses), and Binding Corporate Rules are not interchangeable options you pick based on administrative convenience. Each has specific requirements and conditions.
This matters not just for your own data handling, but for every vendor in your ATS ecosystem: your background check provider, your video interview platform, your assessment tool, and your HRIS. If any of them receives EU candidate data and processes it in the US, the transfer mechanism applies to them too.
The Meta case is the clearest illustration of what happens when transfer mechanisms fail: Meta’s €1.2 billion fine in 2023 was specifically about transferring European user data to US servers without adequate protection under the updated Standard Contractual Clauses framework. Meta’s legal team believed its transfer mechanisms were compliant. They were not, and the gap cost over a billion dollars. If a team of that size and sophistication can miss it, the risk of a smaller organization quietly routing EU candidate data through a US-based HRIS integration without a proper Data Processing Agreement is very real.
Your ATS vendor’s DPA is worth actually reading. The default language is not always sufficient.
9. Candidates Have Rights You Are Obligated to Honor
Across every major framework discussed in this article, candidates have rights that generate operational obligations for your team. The rights are to access their data, to correct inaccurate information, to request you delete their records, to know whether automated decision-making was used, and to opt out of certain types of processing.
These are not hypothetical rights. Those rights generate actual requests, with actual response deadlines. GDPR gives you 30 days. CCPA gives you 45. Some frameworks allow extensions with notice; others do not.
If your process for handling a candidate data request is “email HR and see what happens,” you have a gap. Your ATS needs to support these workflows, and your team needs to know how to execute them before you receive the first request, not during one. This is an area where ICIMS optimization and configuration work pays dividends well beyond the initial go-live.
10. Your ATS Vendor’s Compliance Is Not the Same as Your Compliance
This is the one that catches people most off guard. Your ICIMS instance, or any ATS, is a tool. The vendor maintains the platform. You configure what it does, what it collects, who can see it, how long you retain it, and how it connects to other systems.
When a regulator investigates a data breach or a rights violation, they are not auditing your vendor’s SOC 2 report. They are auditing your configuration, your policies, your consent language, your retention schedules, and your response procedures.
Vendor compliance gives you a foundation. It does not give you a pass. The responsibility for how personal data is handled inside your ATS instance is yours.
One final data point worth sitting with: Across every enforcement case cited in this article, the common thread is not that the companies set out to violate the law. They operated with assumptions that turned out to be wrong: that their consent language was sufficient, that their transfer mechanisms were adequate, that their vendor relationship covered the gap. Assumptions are not a compliance program. Configuration, documentation, and regular review are.
A Note Before You Act on Any of This
Everything in this article is written from the perspective of an ATS configuration and HR technology consultant, not a lawyer. The frameworks, fines, and enforcement examples cited are real, but how any of them apply to your specific organization, your candidate data footprint, your vendor relationships, and your existing policies is a legal question, not a configuration one. Before making compliance decisions based on what you read here, please consult a qualified privacy attorney who can assess your actual exposure. This article is meant to help you ask better questions and have a more informed conversation with your legal counsel, not to replace that conversation.
The Shortcut That Is Not Quite a Shortcut
If you have made it this far and are feeling the weight of ten different compliance frameworks, here is a practical starting point that gets thrown around a lot in ATS consulting circles: build to GDPR, and most of the rest will follow.
There is real truth to that. GDPR is one of the most demanding privacy frameworks in existence. Its requirements around lawful basis for processing, consent specificity, data minimization, retention limits, subject access rights, and cross-border transfer mechanisms are more rigorous than CCPA, most US state laws, and most other international frameworks. If your ICIMS configuration is genuinely built to satisfy GDPR, you have done the harder work, and most other frameworks will find you in reasonable shape by comparison.
But there are four places where that shortcut runs out of road.
BIPA
BIPA is the clearest exception. GDPR treats biometric data as a special category requiring explicit consent, which sounds similar. But BIPA adds requirements GDPR does not: a publicly available written retention and destruction policy, a specific written release format before any collection occurs, and a prohibition on profiting from biometric data. GDPR-compliant biometric handling does not automatically produce a BIPA-compliant program.
CCPA
CCPA has a structural difference that matters for your ATS configuration. GDPR is an opt-in framework: you need a lawful basis before you process anything. CCPA is primarily an opt-out framework: you can process, but you must offer a functioning mechanism that lets the consumer stop you, including honoring the Global Privacy Control signal. If you built your consent flows around GDPR’s opt-in logic, you may still be missing the “Do Not Sell or Share My Personal Information” infrastructure that CCPA specifically requires.
EU AI Act
The EU AI Act is a parallel obligation, not an overlapping one. GDPR compliance says nothing about whether your AI-assisted screening tools are properly documented, governed, or disclosed under the AI Act’s high-risk system requirements. These are separate regimes that need to be addressed separately.
OFCCP
The most significant landmine for US federal contractors is the OFCCP conflict. US affirmative action regulations require collection of race, gender, disability status, and veteran status from applicants. GDPR’s data minimization and sensitive data processing restrictions push in exactly the opposite direction. A GDPR-first configuration that restricts or removes those fields could create OFCCP exposure. ICIMS specifically handles this with data anonymization: the demographic values are retained, but the identifying information in the record is removed. This tension does not resolve cleanly in ATS configuration, and it is one of the more common gaps that surfaces during a compliance review for organizations with federal contracts.
The practical takeaway: GDPR as a compliance baseline is a sound and defensible position for most of the privacy landscape. The shortcut is real. It just has four named exceptions, and those exceptions are exactly where liability tends to live.
The Bottom Line
You do not have to be recruiting in Berlin to have a GDPR problem, and you do not need an EU office to be subject to the AI Act’s requirements for high-risk systems. Similarly, you do not need to have headquarters in California to owe CCPA rights to candidates in your pipeline.
The compliance map for ATS administrators has grown more complicated because candidate data has become more complicated. It crosses state lines, it crosses borders, and it flows through enough third-party systems that the idea of a clean, well-contained data environment is mostly fiction.
The good news is that a well-configured ATS can actually support compliance rather than undermine it. Consent capture, retention automation, rights management workflows, and integration governance are all solvable configuration problems. They require intentional design, not magic.
If you are not sure whether your current ICIMS configuration would hold up to scrutiny, that is the right question to be asking. And the best time to ask it is before someone else makes you answer it.
FAQ
Does GDPR apply to US companies that only occasionally hire EU candidates? Yes. GDPR jurisdiction is based on where the candidate lives, not where your company’s headquarters are. Even a single EU candidate’s data in your ATS creates GDPR obligations around consent, retention, and data rights. Occasional hiring does not reduce the requirement.
What does the EU AI Act mean for my ICIMS instance? If your ICIMS configuration uses or integrates with any AI-assisted screening, scoring, or ranking tools, those features may qualify as high-risk AI systems under the EU AI Act. That triggers requirements around transparency, human oversight, and technical documentation. An ICIMS consultant familiar with AI governance can help you assess your specific configuration.
How do I know if CCPA applies to my company? CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: annual gross revenue over $25 million, buying or selling personal data of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling personal data. Many mid-size companies with active ATS pipelines qualify on data volume alone.
What is the biggest ICIMS compliance risk most teams overlook? Data retention. Having a written retention policy and having a configured ATS that actually enforces it are two different things. Most compliance gaps are found not in the policy documents but in the system behavior, specifically data that persists past its stated window because the automation was never set up.
Can my ATS vendor handle compliance on my behalf? No. Your ATS vendor is responsible for the security and compliance posture of the platform itself. How you configure the system, what data you collect, how long you retain it, and how you handle candidate rights requests are your responsibility. ICIMS managed services can help maintain ongoing compliance governance, but the accountability stays with your organization.