Recruitment compliance: how to build a defensible, audit-ready hiring process

Most hiring teams think recruitment compliance means "do not break the law." The harder half is the part nobody trains for: being able to prove it.
When an EEOC charge, an OFCCP audit, or a lawsuit lands, the question is rarely "did you mean to discriminate?" It is "can you show a consistent, documented process for every candidate?" That is what recruitment compliance really protects.
This guide covers the US laws that touch hiring, who they apply to, a stage-by-stage checklist, the mistakes that create the most exposure, and where an applicant tracking system genuinely helps keep records audit-ready.
One thing up front: software supports compliance, it does not make you compliant. You stay the responsible party and the data controller.
Key takeaways
- Compliance is really defensibility. The goal is to show a consistent, documented process for every applicant, not just good intentions.
- The biggest US risk areas are anti-discrimination (Title VII, ADA, ADEA, PWFA), background-check handling (FCRA plus ban-the-box), federal-contractor rules (OFCCP), work authorization (I-9), and data retention.
- Documentation, not intent, decides most outcomes. An undocumented "culture fit" rejection is the classic exposure.
- Rules vary by state and city. Remote and multistate hiring multiplies the surface you have to track.
- An ATS keeps the audit trail and consistent records. It does not run background checks, file your EEO-1, or give legal advice.
What is recruitment compliance?
Recruitment compliance is the practice of running every stage of hiring within the employment, anti-discrimination, and data-privacy laws that apply to you, and keeping records that prove you did.
Two halves sit inside that definition. The substantive half is following the rules: do not discriminate, handle background checks correctly, verify work authorization.
The evidentiary half is being able to demonstrate it later. Teams underestimate the second half, and that is where most of the pain shows up.
One quick clarification. "Recruitment compliance" here means the legal side of your own hiring process. It is different from "compliance recruiting," which is the business of hiring compliance officers and risk professionals. This guide is about the former.
Why does recruitment compliance matter?
The exposure is concrete. A rejected candidate can file an EEOC charge. A federal contractor can draw an OFCCP audit.
Mishandled background checks carry statutory damages under the Fair Credit Reporting Act. States and cities add their own penalties, and a clumsy process quietly costs you candidates and reputation.
Talk to recruiters and a clear pattern emerges. The anxiety is not "am I discriminating?" It is "if someone says I did, can I prove I did not?" That shift, from intent to defensibility, is the most useful way to think about compliance.
It also reframes the work as an asset rather than a tax. Teams with clean, consistent records pass audits faster, close offers faster, and win business from clients who now ask about your hiring process before they sign. Documentation discipline is what makes all of that possible.
Who do the main hiring laws apply to?
Before the detail, find yourself in this table. Coverage usually depends on headcount or on whether you hold federal contracts. A common myth is that small businesses are exempt. Some thresholds start at one employee.
| Law or rule | Who it generally applies to | Why it matters in hiring |
|---|---|---|
| Title VII, ADA, GINA, PWFA | Employers with 15+ employees | Core anti-discrimination and accommodation duties across the hiring process |
| ADEA (age 40+) | Employers with 20+ employees | Age cannot drive sourcing, screening, or selection |
| FCRA (background checks) | Any employer using a background-check company | Disclosure, consent, and a specific adverse-action process |
| Ban-the-box / fair chance | Varies by state and city (150+ jurisdictions) | Controls when and how you ask about criminal history |
| OFCCP (Section 503, VEVRAA) | Federal contractors above set thresholds | Extra recordkeeping and outreach duties |
| EEO-1 reporting | Private employers with 100+; contractors with 50+ and a $50k+ contract | Annual demographic report |
If you hire across state lines, remember that state and local rules can apply based on where the candidate sits, not just where your office is.
Which US laws should every recruiter know?
You do not need to be a lawyer. You do need to recognize where each rule touches your workflow and what record it asks you to keep.
Anti-discrimination and equal opportunity
Title VII bars discrimination based on race, color, religion, sex, and national origin. The Supreme Court's 2020 Bostock decision confirmed that "sex" includes sexual orientation and gender identity.
The ADA covers disability and the duty to engage in an interactive accommodation process, the ADEA protects workers 40 and older, GINA covers genetic information, and the Pregnant Workers Fairness Act adds accommodation for pregnancy and related conditions. The EEOC's prohibited practices guidance is the plain-language reference.
Then there is disparate impact, from the 1971 Griggs v. Duke Power case. A neutral-looking screen that disproportionately filters out a protected group is unlawful unless it is job-related and a business necessity.
That is the rule that puts AI resume screens under scrutiny. A 2025 executive order told federal agencies to deprioritize disparate-impact enforcement, but the underlying liability under Title VII has not gone away, and private lawsuits and state laws still apply.
Background checks and criminal history
If you use a background-check company, the FCRA sets a clear path. Give the candidate a standalone disclosure and get written permission first. Before you reject anyone based on the report, send a pre-adverse notice that includes a copy of the report and a copy of "A Summary of Your Rights Under the FCRA," then give them a reasonable chance to respond before you finalize the decision. If you still go ahead, send the final adverse-action notice, which tells the candidate which background-check company supplied the report and that they can dispute it with that company.
The FTC's employer background-check guidance walks through it.
Ban-the-box and fair-chance laws now cover more than 150 US jurisdictions, and they differ on when you can ask about criminal history and how you must weigh it. The common thread is the individualized assessment: look at the nature of the offense, how long ago it was, and how it relates to the job, rather than auto-rejecting.
Because the rules are so local, check the current map in the NELP fair-chance guide for each place you hire. Federal agencies and contractors also cannot ask about criminal history before a conditional offer for covered roles.
Federal contractors and OFCCP
If you do business with the federal government, OFCCP rules can apply, sometimes to companies that do not think of themselves as contractors. The landscape shifted in early 2025: an executive order revoked the long-standing race and sex affirmative-action program for contractors.
The disability rules under Section 503 and the veteran rules under VEVRAA remain in force because they are statutory. Covered contractors still document selection decisions and keep applicant records, so a disposition reason for every candidate matters more here, not less.
Work authorization, pay transparency, and reporting
Every new hire completes a Form I-9 after the offer, and the process has to be applied the same way to everyone.
As a screening question, ask "Are you legally authorized to work in the United States?" Avoid framing it around visas or sponsorship in a way that screens by national origin or citizenship.
Pay transparency is moving fast. A growing number of states and cities require a salary range in the posting and ban asking for salary history, and a remote role can trigger the candidate's local rule. Separately, EEO-1 reporting still applies to covered employers. A proposal to end EEO-1 reporting is under federal review, but as of 2026 the filing obligation still stands, so plan as if you will file.
Candidate data, retention, and privacy
Keep job applications and hiring records for at least a year under EEOC rules, and longer if you are a federal contractor.
One rule people miss: the moment a charge or lawsuit is filed, a litigation hold kicks in and you must preserve everything related until it is resolved, even if your normal schedule would delete it. In California, the CCPA also covers applicant data.
If you hire in the EU or UK, GDPR treats a candidate as a data subject from the moment they apply. You need a lawful basis (usually legitimate interest), you can only keep data as long as you have a documented reason, and candidates have deletion rights.
For a US-only team this rarely bites, which is why it belongs at the edge of your checklist rather than the center.
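The retention rule and the litigation hold interact in a way that is easy to get wrong in a scheduled cleanup job: the hold has to win over the schedule every time. Below is an added example, not code from the page or from 100Hires, of a retention sweep that encodes that ordering. The records, matter IDs, and dates are constructed for the example, and the retention lengths are parameters you set from your own obligations (the 365-day floor follows the EEOC figure above; the longer contractor period and the treatment of hired-candidate files are assumptions for illustration).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionPolicy:
    # Minimum retention counted from the last personnel action on the record
    # (rejection, withdrawal). 365 days is the EEOC floor from the text;
    # a federal contractor would set a longer figure (assumed here, not a
    # statement of the exact contractor rule).
    minimum_days: int = 365


@dataclass(frozen=True)
class CandidateRecord:
    candidate_id: str
    job_id: str
    last_action: date            # date of the disposition or hire
    disposition: str             # "rejected", "withdrawn", or "hired"
    related_matters: frozenset = frozenset()   # charge/lawsuit IDs naming this candidate


@dataclass
class LitigationHolds:
    active: set = field(default_factory=set)          # matter IDs currently under hold
    job_scope: dict = field(default_factory=dict)     # matter ID -> set of job IDs in scope


def under_hold(record: CandidateRecord, holds: LitigationHolds) -> bool:
    """A record is held if any active matter names the candidate or covers the job."""
    for matter in holds.active:
        if matter in record.related_matters:
            return True
        if record.job_id in holds.job_scope.get(matter, set()):
            return True
    return False


def retention_decision(record: CandidateRecord, today: date,
                       policy: RetentionPolicy, holds: LitigationHolds) -> tuple[str, str]:
    """Return (action, reason). The hold check runs first so it can never be
    bypassed by an expired retention clock."""
    if under_hold(record, holds):
        return ("keep", "litigation hold")
    if record.disposition == "hired":
        # Assumption for the example: a hired candidate's file moves to the
        # employee record schedule and is never swept here.
        return ("keep", "hired; employee file schedule applies")
    expiry = record.last_action + timedelta(days=policy.minimum_days)
    if today < expiry:
        return ("keep", f"within retention period until {expiry.isoformat()}")
    return ("delete", "retention period elapsed and no hold")


def run_sweep(records, today, policy, holds) -> dict:
    """Map candidate_id -> action for every record, for review before anything is deleted."""
    return {r.candidate_id: retention_decision(r, today, policy, holds)[0] for r in records}


# Constructed sample data (not real candidates or matters).
def sample_records():
    return [
        CandidateRecord("C-001", "J-10", date(2024, 1, 15), "rejected"),
        CandidateRecord("C-002", "J-10", date(2025, 9, 1), "rejected"),
        CandidateRecord("C-003", "J-42", date(2023, 6, 1), "rejected"),          # job under hold
        CandidateRecord("C-004", "J-10", date(2024, 6, 1), "rejected"),          # contractor case
        CandidateRecord("C-005", "J-10", date(2023, 2, 1), "rejected",
                        related_matters=frozenset({"CHG-7"})),                  # named in a charge
        CandidateRecord("C-006", "J-10", date(2023, 2, 1), "hired"),
    ]


def sample_holds():
    return LitigationHolds(active={"CHG-7", "EEOC-123"},
                           job_scope={"EEOC-123": {"J-42"}})


if __name__ == "__main__":
    today = date(2026, 3, 1)
    for rec in sample_records():
        print(rec.candidate_id, retention_decision(rec, today, RetentionPolicy(), sample_holds()))
```

Running the sweep in report mode first, and only deleting from a reviewed list, is the safe pattern: a hold that arrives between the report and the deletion is caught by re-running the decision at deletion time.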
How do you stay compliant at each hiring stage?
Compliance is easier when it is built into the workflow instead of bolted on before an audit. Here is the stage-by-stage version, with the record each step should leave behind.
- Job description and posting. Write essential functions and objective, measurable criteria. Drop protected-class language and add a salary range where it is required.
- Sourcing and outreach. Apply the same criteria to every channel. Federal contractors should document outreach, not just postings.
- Screening and knockout questions. Ask the same eligibility questions of everyone. Use "legally authorized to work" wording. Send AI or automated screens to a review queue and calibrate before you let anything auto-reject.
- Interview and evaluation. Use a structured question set and a consistent scorecard, and keep notes job-related. Interview notes are discoverable, so an offhand comment about someone's family or accent can become evidence.
- Background checks and adverse action (after offer). Get consent, run the individualized assessment, and follow the FCRA pre-adverse and adverse-action steps.
- Offer and I-9 (after hire). Verify work authorization consistently, and store medical or self-identification data separately from the main personnel file.
- Records and retention. Log a disposition reason for every rejection, keep records for the required period, and apply a litigation hold the moment a charge arrives.
A small worked example shows why the last point matters. Say 80 people apply, you interview eight, and you hire one.
If an auditor asks two years later why candidate number 34 was passed over, "we went with someone stronger" is not an answer. A logged, criteria-tied reason for each of the other 79 is.
The minimum policy. If you write down nothing else, write down five things: the criteria for each role, who owns the decision, what records you keep, how long you keep them, and how you handle exceptions. That one page is the backbone an auditor or a lawyer will ask to see.
Where does recruitment compliance go wrong?
The failures are rarely dramatic. They are small, repeated gaps that only surface when someone goes looking. These are the patterns that come up again and again in recruiting communities and in audit post-mortems.
- Undocumented hiring-manager rationales. "Not quite right" and "culture fit" are indefensible in discovery. Fix: require a short, criteria-tied reason for every pass.
- Missing or inconsistent disposition reasons. This is the single most common audit failure. Fix: a shared, finite list of rejection reasons everyone uses.
- Risky free-text rejection feedback. Well-meant feedback can hand a candidate a discrimination theory. Fix: keep external messaging consistent and neutral, and log the real reason internally.
- I-9 confusion on remote hires. Teams assume the PEO handles verification and the PEO assumes the company does. Fix: name who completes I-9 for remote staff before the first remote hire.
- Multistate blind spots. Remote hiring pulls in ban-the-box, pay-transparency, and salary-history rules you did not plan for. Fix: confirm the candidate-location obligations before you post.
- Blanket accommodation denials. Skipping the interactive process is active exposure, not a gray area. Fix: treat every accommodation request as a conversation you document.
- Unchecked AI screening. You own the outcomes of a screening tool, even one you did not build. Fix: test for adverse impact and keep a human in the loop.
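The last item says to test an automated screen for adverse impact. The usual first-pass test is the four-fifths rule of thumb from the EEOC's Uniform Guidelines on Employee Selection Procedures, which the page does not cite: compare each group's selection rate with the highest group's rate, and treat a ratio below 0.8 as a warning sign. Below is an added example, not code from the page or from 100Hires, that runs that comparison over constructed screening outcomes. The group labels and counts are made up, and the minimum group size of 30 is an assumption chosen to stop tiny groups from producing noisy flags; it is not a number from the guidelines.

```python
from collections import defaultdict

# Constructed outcomes for one automated screen: (group, passed_screen).
# The group is a self-identification attribute held apart from the decision
# record; the screen itself never sees it.
SAMPLE_OUTCOMES = (
    [("A", i < 50) for i in range(100)]    # 100 applied, 50 passed  (0.50)
    + [("B", i < 18) for i in range(60)]   # 60 applied, 18 passed   (0.30)
    + [("C", i < 18) for i in range(40)]   # 40 applied, 18 passed   (0.45)
    + [("D", i < 1) for i in range(5)]     # 5 applied, 1 passed     (0.20, too few to judge)
)


def selection_rates(outcomes):
    """Per-group (applied, selected, rate) from a list of (group, passed) pairs."""
    applied, selected = defaultdict(int), defaultdict(int)
    for group, passed in outcomes:
        applied[group] += 1
        if passed:
            selected[group] += 1
    return {g: (applied[g], selected[g], selected[g] / applied[g]) for g in applied}


def four_fifths_check(outcomes, threshold=0.8, min_n=30):
    """Return (reference_group, report).

    report[group] holds the selection rate, its ratio to the highest rate,
    and a flag: True if the ratio falls below the threshold, False if not,
    None when the group is too small (n < min_n) for the ratio to mean much.
    """
    rates = selection_rates(outcomes)
    # Reference group: highest selection rate among groups large enough to count.
    eligible = {g: v for g, v in rates.items() if v[0] >= min_n}
    if not eligible:
        raise ValueError("no group reaches min_n; cannot compute impact ratios")
    reference = max(eligible, key=lambda g: eligible[g][2])
    best_rate = eligible[reference][2]
    report = {}
    for group, (n, k, rate) in rates.items():
        ratio = rate / best_rate if best_rate else 0.0
        flag = None if n < min_n else ratio < threshold
        report[group] = {"applied": n, "selected": k, "rate": rate,
                         "impact_ratio": ratio, "flag": flag}
    return reference, report


def flagged_groups(outcomes, **kwargs):
    """Groups whose impact ratio is below the threshold, for the review queue."""
    _, report = four_fifths_check(outcomes, **kwargs)
    return sorted(g for g, row in report.items() if row["flag"] is True)


if __name__ == "__main__":
    reference, report = four_fifths_check(SAMPLE_OUTCOMES)
    print(f"reference group: {reference}")
    for group, row in sorted(report.items()):
        print(f"{group}: rate={row['rate']:.2f} ratio={row['impact_ratio']:.2f} flag={row['flag']}")
```

A flag is a reason to look at the screen, not a finding by itself: the ratio says nothing about why group B passes less often, and a group below the minimum size needs more data rather than a conclusion. Keep the output with the rest of the selection records so the review itself is part of the audit trail.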
How is recruitment compliance different in regulated industries?
The playbook is the same. The stakes and the scrutiny are higher, and the candidate data is more sensitive.
- Healthcare. Credentialing and sensitive personal data raise the bar on access control and recordkeeping. If this is you, see how a HIPAA-ready ATS approaches secure healthcare hiring.
- Financial services. Roles often carry heightened background and credential checks, so the FCRA process and clean records matter even more.
- Government and federal contractors. OFCCP recordkeeping, documented outreach, and disposition reasons are routinely audited.
- Transportation and safety-sensitive roles. DOT-regulated positions add drug and alcohol testing rules on top of the usual screening.
- Roles with vulnerable populations. Childcare, eldercare, and education often carry their own background-check mandates.
How does an applicant tracking system help with compliance?
Compliance comes down to showing a consistent, documented process. An applicant tracking system is where that record lives, which is exactly where it helps and exactly where its limits are.
In 100Hires, a few pieces support a defensible process. Activity history on each candidate and job gives you an audit trail of how everyone moved through the pipeline. Structured Evaluation Forms keep interviewers scoring the same criteria instead of scoring from memory.
Consistent knockout questions apply the same screen to every applicant, role-based permissions control who sees candidate data, and export plus deletion controls support your retention workflows.
Using the same Evaluation Forms and screening steps for everyone is what makes the records comparable later.
Be clear about what an ATS does not do. It does not run background checks, handle I-9 or E-Verify, file your EEO-1, run a formal statistical adverse-impact analysis, or give legal advice. It keeps the records and enforces consistency. You stay the decision-maker and the data controller.

| Compliance need | Ad-hoc or email-based hiring | ATS-backed process (100Hires) |
|---|---|---|
| Audit trail | Scattered across inboxes and memory | Activity history on every candidate and job |
| Screening consistency | Varies by interviewer | Shared knockout questions and Evaluation Forms |
| Disposition records | Often missing | A logged reason for every candidate |
| Data export and retention | Manual and easy to miss | Export and deletion controls |
| Who is responsible | The employer | The employer (the ATS supports, it does not replace you) |
If you want to see how that looks on real roles, book a demo or start a free trial.
Frequently asked questions
What documentation do we need to defend a hiring decision if a candidate claims discrimination?
You want to show a consistent, criteria-based process: the job criteria, the structured evaluations, and a logged reason for every rejection. In 100Hires, the candidate and job activity history plus Evaluation Forms keep that record in one place, so you can reconstruct how a decision was made months later.
How long should we keep rejected-applicant records, and does an EEOC charge change that?
Keep application and hiring records for at least a year under EEOC rules, and longer if you are a federal contractor. Once a charge or lawsuit is filed, a litigation hold applies and you preserve everything related until it is resolved. 100Hires retains candidate records and lets you export them, so a hold does not depend on someone remembering not to delete a file.
For a remote team, which state's ban-the-box and salary-history rules apply?
Usually the rules of the state or city where the candidate is located, not where your office is, so a remote req can pull in obligations you did not plan for. Confirm each location with counsel or the NELP fair-chance guide. In 100Hires you can set knockout questions and pipeline steps per role, so location-specific handling does not rely on memory.
Are we liable for bias in an AI screening tool we did not build?
Yes. EEOC guidance makes the employer responsible for adverse impact from a selection tool, including a third-party one. The safe pattern is to route AI or automated screens to a review queue and keep a human in the loop. 100Hires is built around that, with knockout logic that flags candidates for review rather than silently rejecting them.
Can an applicant tracking system make our hiring compliant?
No, and any tool that claims otherwise is overselling. Compliance is a property of your process, and you remain the data controller and decision-maker. What 100Hires does is make a consistent, documented process easier to run and easier to prove, with audit trails, structured Evaluation Forms, and retention controls.
Which hiring laws apply to small businesses?
More than most owners expect. Title VII, the ADA, and several others start at 15 employees and the ADEA at 20, but the FCRA and many state and local rules apply from your first hire. Small teams get the same audit trail in 100Hires as large ones, so good records do not have to wait until you are big.
Recruitment compliance is not about memorizing every statute. It is about building a process you can show, the same way, for every candidate. Get the records right and most of the risk takes care of itself.
To run that process in one place, start a free trial of 100Hires or book a demo.