Back to Blogs

ATS Compliance: GDPR, EEOC & DEI Requirements for Recruiting Software

July 7, 2026

blog-single-cta-image

Subscribe to our newsletter

Get the latest in recruiting delivered to your inbox each week.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

The regulatory landscape for recruiting software has changed drastically in the last 24 months compared to the previous decade. 

For example, the EU AI Act now classifies hiring AI as high-risk. NYC Local Law 144 requires annual bias audits for automated employment decision tools. Colorado passed the first broad AI accountability law in the US. 

Also, five more states have introduced similar legislation. GDPR enforcement against recruiting tools has intensified. And EEOC and OFCCP expectations around DEI data collection have not eased. 

The teams that treated compliance as a paperwork problem two years ago are now scrambling to retrofit their ATSs and their hiring processes to meet requirements that did not exist when they bought the tool. 

This article maps out what applies to recruiting software in 2026, what the ATS needs to do to support compliance, and how to evaluate whether your current tool actually does it.

A genuine disclaimer: This article provides a general overview of recruiting software compliance considerations. It is not legal advice. Because compliance obligations vary by jurisdiction and hiring practices, they should be reviewed with your legal and compliance teams.

The current regulatory landscape: What applies to recruiting software in 2026 

1. GDPR (EU, in force since 2018)

The General Data Protection Regulation (GDPR) governs how organizations collect, process, store, and delete the personal data of individuals in the European Union. 

Key requirements for recruiting software: Lawful basis for processing candidate data, limits on fully automated hiring decisions, candidates' right to human review, candidates' right to access and delete their data, data minimization principles, and breach notification within 72 hours. 

Fines/Penalties: Up to €20 million or 4% of global annual turnover for serious violations, and up to €10 million or 2% for less severe breaches.

2. CCPA (California, in force since 2020)

The California Consumer Privacy Act (CCPA) governs how businesses collect, use, share, and retain their personal information. 

Key requirements for recruiting software: Provide candidate notifications about data collection, the right to access and delete personal information, and limits on data sharing. 

Fines/Penalties: Up to $2,663 per unintentional violation and $7,988 per intentional violation. 

3. EU AI Act (approved March 2024)

The EU AI Act introduces a risk-based framework for AI systems and places some AI applications used in employment and recruitment in the high-risk category

Key requirements for recruiting software:  Requires human oversight, transparency in AI decisions, documented risk assessments, and safeguards against bias. 

Fines/Penalties: Up to €35 million or 7% of global annual turnover for prohibited AI practices, €15 million or 3% for violations of obligations related to high-risk AI systems, and €7.5 million or 1% for providing incorrect or misleading information to regulators. 

4. NYC Local Law 144 (in force since 2023)

New York City's Local Law 144 regulates the use of Automated Employment Decision Tools (AEDTs) in hiring and promotions. The law requires these systems not to unfairly disadvantage candidates based on protected characteristics such as race, ethnicity, or sex. 

Key requirements for recruiting software: Conduct annual bias audits, post the audit results publicly, and notify candidates that an automated tool is being used. 

Fines/Penalties: Up to $500 for a first violation and up to $1,500 for each subsequent violation. 

5. Illinois Artificial Intelligence Video Interview Act

The Illinois Artificial Intelligence Video Interview Act (AIVIA) regulates the use of AI to analyze recorded video interviews and requires employers to be transparent about how candidate interviews are analyzed and used. 

Key requirements for recruiting software: Requires employers to notify candidates when AI is used to evaluate video interviews, obtain candidate consent, and delete recordings upon request.

Fines/Penalties: Can face civil penalties of up to $5,000 per violation.

6. Colorado AI Act

Colorado's revised AI Act regulates the use of Automated Decision-Making Technology (ADMT) in high-impact decisions, including employment.  

Key requirements for recruiting software: Requires companies to evaluate AI system risks and protect candidates from algorithmic discrimination.

Fines/Penalties: Enforcement rests exclusively with the Colorado Attorney General, who can investigate violations and take enforcement action. 

7. EEOC (federal, ongoing)

The U.S. Equal Employment Opportunity Commission (EEOC) enforces federal anti-discrimination laws so that employers remain responsible for ensuring AI-powered hiring tools do not discriminate against protected groups. 

Even if an AI system is provided by a third-party vendor, employers can still be held liable for discriminatory hiring outcomes. 

Key requirements for recruiting software: Support optional collection, secure storage, and reporting of EEO demographic data for employers with federal equal employment reporting and compliance obligations. 

Fines/Penalties: The EEOC itself does not issue AI-specific fines. May face EEOC investigations, lawsuits, and other legal penalties under applicable employment laws. 

8. OFCCP (federal, ongoing)

The Office of Federal Contract Compliance Programs requires federal contractors to maintain detailed records on hiring practices, candidate flow, outreach efforts, and affirmative action activities for protected veterans and individuals with disabilities. 

Key requirements for recruiting software: Support applicant flow logs, disposition tracking, self-identification workflows, recruitment activity, and audit-ready reporting.

Fines/Penalties: OFCCP does not impose fixed statutory fines like GDPR. Instead, violations can result in compliance reviews, corrective action requirements, back-pay awards, withholding or termination of federal contracts, and debarment from future federal contracting.  

Emerging legislation worth watching

Utah AI Policy Act, Maryland HB 1202 on facial recognition in hiring, Canada's AIDA bill, and active AI hiring legislation in California, Texas, and Washington state.

The pattern across all of these: hiring AI is being treated as a high-risk category. Vendors and employers are being held accountable for transparency, bias audits, and candidate rights.

The five compliance failures recruiting teams are running into 

Failure 1: AI screening with no transparency or bias audit

The most common compliance gap is adopting AI-powered screening without understanding how hiring decisions are being made.

Many recruiting teams adopted AI resume screening, candidate scoring, and ranking tools in 2023 and 2024 to reduce manual work. But the EU AI Act and NYC Local Law 144 were introduced afterwards, which shifted expectations from simply using AI to proving that it operates fairly.

The problem with many AI recruiting tools is that they still function as black boxes. Recruiters receive scoring, but with limited visibility into how the AI arrives at its recommendations.

The system unintentionally inherits bias from the training data. Without an audit infrastructure, these errors scale before anyone notices.

One recruiting team discovered after months of using AI that the system was "quietly favoring men over women for marketing roles." Another team found their screening tool penalized non-native English speakers. 

Failure 2: DEI metrics paywalled or unavailable

Some recruiting platforms still treat diversity reporting as a premium feature.

When DEI data is gated behind a higher subscription tier, compliance becomes a budget decision instead of a process decision. This creates an unnecessary compliance gap. 

One Greenhouse customer summarized the issue:

“You have to pay extra for any advanced DEIB metrics and data. This is very disappointing, as the data is in the system regardless, and it primarily seems like a tactic to force those who have to adhere to OFCCP / EEO guidelines to pay extra. In addition, there is no ability to filter diversity data to tie back to a recruiter to evaluate performance." 

Organizations subject to EEOC or OFCCP requirements need access to applicant flow, diversity metrics, and hiring outcomes as part of their regular reporting process.

Failure 3: Inadequate audit trails

Most legacy ATSs do not maintain the audit trail granularity required by the EU AI Act and NYC Local Law 144. 

If the system cannot show how a decision was made, when, by whom, and based on what data, defending hiring decisions in an audit or legal challenge becomes nearly impossible.

Failure 4: Spreadsheet workflows persist alongside the ATS

Many teams maintain spreadsheets for sourcing notes, screening decisions, or DEI tracking within their ATS. 

Most of these basic spreadsheets and templates do not have security features for handling confidential candidate details. Also, proper access controls might be missing, and so might audit trails or even encryption mechanisms. This can present serious problems, mainly if you handle sensitive information that should comply with data protection laws like GDPR.

Spreadsheets are a compliance liability the moment candidate data is in them.

Failure 5: Data retention and deletion are not configurable.

GDPR and CCPA give candidates the right to request data deletion. Meeting these obligations is straightforward only if recruiting systems can consistently enforce retention policies.

If the ATS cannot honor a deletion request cleanly across all integrated systems, the company is exposed to legal risks.

What good ATS compliance support actually looks like 

1. Audit trails for every action

Every action performed inside the ATS should be recorded automatically.

The system must log who accessed what, when, what changes were made, what communications were sent, and what AI decisions were generated with what inputs. 

These audit trails are important for transparency and defending hiring decisions if challenged, as they are the foundational requirement under the EU AI Act and NYC Local Law 144.

2. Bias guardrails on AI

Modern ATSs should include proactive controls, not passive ones. Examples include:

  • Removing personally identifiable information before sending candidate profiles to AI models.
  • Flagging biased or exclusionary language in job descriptions.
  • Warning recruiters when search criteria may unintentionally discriminate against protected groups.
  • Identifying subjective evaluation criteria that AI cannot assess consistently.

That kind of active guardrail is the baseline now.

3. Independent bias audits

Internal testing alone is no longer enough.


NYC Local Law 144 requires annual bias audits. Even outside NYC, third-party bias audits are becoming a standard signal of vendor seriousness. 

Look for vendors that have completed audits with recognized partners such as BABL or Warden AI and publish the results.

Publicly available audit documentation shows that the vendor is willing to validate AI fairness rather than simply claim it.

4. Anonymized screening capability

The earliest stages of hiring are where unconscious bias has the greatest influence.


An ATS should allow recruiters to remove identifying information such as name, gender, age, ethnicity proxies, during initial screening stages. 

This reduces unconscious bias at the highest-leverage point in the funnel and supports DEI compliance reporting downstream.

5. EEOC and OFCCP-compliant data collection.

Organizations cannot demonstrate fair hiring if they don't collect compliance data correctly.

Recruiting software should support voluntary self-identification of race, gender, disability, and veteran status. 

Just as importantly, this information should remain separated from hiring decisions and accessible only to authorized users.

The platform should also generate applicant flow logs, disposition reports, and demographic reporting needed for EEOC and OFCCP compliance while maintaining complete audit records of recruiting activity.

6. Automated data retention and deletion

Modern ATS platforms should allow organizations to configure geo-specific data retention policies that automatically remove personally identifiable information when retention periods expire. 

Candidate records should be automatically deleted or anonymized when retention periods expire, while consent records and deletion logs remain available for compliance purposes.

7. Data portability

GDPR right-of-access requirements mean candidates can request their data. The ATS must be able to export complete candidate records in a portable format, including resumes, interview feedback, communications, assessments, and application history in a structured, portable format.

It largely helps with compliance with data protection regulations like GDPR, as now you can quickly respond to data access requests.

8. Native permission management

Not everyone involved in hiring needs access to every piece of candidate information.

A modern ATS should provide role-based permissions that control access to demographic information, salary expectations, interview notes, offer details, and other sensitive data.

Granular access controls so that demographic data, salary data, and protected information are only visible to authorized users.

9. Transparent candidate notifications

Recruiting software should provide built-in workflows that notify candidates about AI use in screening, automated decisions, and data collection practices. 

These capabilities help organizations comply with laws such as the Illinois Artificial Intelligence Video Interview Act while preparing for the growing number of AI transparency requirements emerging across the United States and Europe.

How to evaluate an ATS for compliance: The 10 questions to ask every vendor

Ten questions that tell you whether a vendor takes compliance seriously or not:

  1. Have you completed a third-party bias audit on your AI screening tools, and can you share the results?
  2. How does your platform support NYC Local Law 144 compliance, including annual bias audits and candidate notifications?
  3. What is your EU AI Act compliance roadmap? Which features qualify as high-risk under the Act, and how are you addressing the requirements?
  4. How does the platform handle GDPR right-of-access and right-to-deletion requests? What is the typical turnaround time?
  5. What audit trails does the system generate, and how long are they retained?
  6. How do you handle PII when data is sent to AI models for screening or scoring?
  7. Are DEI reporting and EEO data analytics included in the base subscription or require an upgrade?
  8. What bias guardrails are built into your AI features?
  9. How do you support OFCCP applicant flow logs and federal contractor reporting?
  10. What is your data residency policy, and can data be stored in specific geographies for compliance?

Vendors who can answer these directly and confidently take compliance seriously. Vendors who deflect to "talk to our sales team" or who cannot produce documentation are signaling something important.

Who internally owns ATS compliance: TA, IT, or Legal?

About the Franken-stack compliance problem

When recruiting runs on five integrated tools, the compliance surface area expands and burdens your IT team.  Each system integration introduces potential points for data errors, system breakdowns, and downtime.

That complexity creates compliance risk. Every integration is a place where data flows can break, audit trails can fragment, and consent records can be lost. 

Consolidation is itself a compliance strategy.

The TA team owns process compliance

The Talent Acquisition team is responsible for ensuring hiring workflows are configured correctly and consistently followed. That includes candidate consent collection, AI disclosure notices, EEOC and OFCCP data collection, interview workflows, retention policies, and candidate communications.

IT owns technical compliance.

IT is responsible for identity management, single sign-on (SSO), SAML authentication, encryption, integration security, API governance, backup policies, disaster recovery, and data residency requirements

IT also ensures data moves securely between the ATS and other HR systems without compromising auditability or privacy.

However, a well-designed ATS should minimize IT dependence for day-to-day compliance tasks. 

Recruiters shouldn't need engineering support to generate applicant flow reports, configure retention policies, or produce compliance dashboards. 

If routine compliance reporting requires custom SQL queries or business intelligence projects, the platform is adding unnecessary operational risk. 

Legal owns regulatory interpretation

Legal answers these questions: What does the EU AI Act mean for our specific use case? When do we need to notify candidates? What jurisdictions apply to our hiring? 

The pattern that works

TA, IT, and Legal meet quarterly on recruiting compliance. The ATS provides the data that informs all three. Compliance becomes a shared system, not a quarterly fire drill.

The forward view: What's coming in 2026 and 2027

Three regulatory trends to plan for:

EU AI Act implementation deepens

The Act's high-risk AI provisions will roll out through 2026 and 2027. Companies hiring EU candidates should have a compliance infrastructure in place well before the applicable deadlines. Late adopters could face significant penalties.

US state-level AI hiring laws proliferate

Colorado, NYC, Illinois, Utah, and Maryland have already introduced AI hiring regulations. California, Texas, and Washington are likely next. Multi-state employers need an ATS infrastructure that supports varying state requirements without manual workarounds.

Bias audits become standard procurement requirements

Enterprise buyers are increasingly requiring third-party bias audits as part of ATS evaluation. Vendors without audit documentation are being filtered out of evaluations.

Final Thoughts

Compliance is no longer a feature checklist or a one-time implementation task.

New buyers should evaluate compliance posture upfront, and existing ATS users should audit their current tools against the 10-question framework. 

As recruiting regulations continue to evolve, it helps to have an ATS that doesn't require constant workarounds. 

Kula is one such all-in-one ATS, built with compliance in mind. 

It combines capabilities such as audit trails, anonymized screening, EEOC and OFCCP reporting, AI bias guardrails, and data portability. 

The platform undergoes independent monthly AI bias audits that support NYC Local Law 144 requirements and is preparing for the EU AI Act's phased implementation. 

Book a demo to see how Kula simplifies recruiting compliance from candidate application to audit readiness. 

Avika Dixit

I'm a B2B SaaS and tech writer for AI, recruiting, and e-commerce enablers tools. For over three years, I’ve been helping businesses break down topics like automated recruiting, billing automation, and marketing automation into content that actually engages and converts. I’ve worked with brands like Zenskar, Relay Commerce, and Videowise, creating data-driven stories that inform and inspire action.

Recent articles

blog image
The Best ATS for Tech Companies: What Engineering Teams Should Look For

Best ATS for Tech Companies: Compare ATS for Engineering Recruitment

Avika Dixit

July 7, 2026

blog image
Best ATS for Mid-Sized Companies: How to Choose a Platform That Scales

Best ATS for Mid-Sized Companies Stuck Between Startup & Enterprise

Avika Dixit

July 7, 2026

blog image
How to Choose the Best ATS for SaaS Companies (2026 Buyer's Guide)

Best ATS for SaaS Companies: Which Recruiting Platform Should You Choose?

Avika Dixit

July 7, 2026

blog image
ATS Migration Guide: Switch Systems Without Losing Data

ATS Migration Strategy: Keep Hiring Moving During the Switch

Avika Dixit

July 2, 2026

Get started today

The only true all-in-one ATS made by recruiters & loved by hiring teams.

Book a demo
tour
CTA