Practical AI and SaaS for Business

AI Recruitment Tools: What's Legal and What's Not

AI hiring software can save time, but it can also create discrimination, privacy and transparency risks. This guide explains the main legal issues, what regulators say and how to compare recruitment tools more safely.

Last verified: 14 July 2026. References checked against current legislation.

Editorial Perspective

You are Riley, the hiring manager at a 60-person retail chain, comparing three AI resume-screening products before the next hiring round. You need speed, but you cannot afford unexplained rejections, candidate complaints or a tool that creates more risk than it removes. This guide shows you which controls, questions and warning signs matter before you choose. No legal or technical background is needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If you are considering software that ranks applicants, scores interviews or recommends who should move to the next stage, it is normal to be unsure where ordinary recruitment software ends and regulated automated decision-making begins. This guide gives you a practical way to recognise the risk, understand what major regulators say and decide what to check before a tool influences a hiring decision.

In short: AI recruitment tools are not automatically illegal, but using one can create legal exposure when it disadvantages protected groups, blocks reasonable accommodation, processes candidate data without appropriate safeguards or makes important decisions without meaningful human review. The safer approach is to treat the tool as a decision-support system, not an automatic gatekeeper, and to document how people remain responsible for the final decision.

Start with the decision, not the AI label

The most important question is not whether a product calls itself AI. The practical question is what the system does to a real applicant. A tool that reformats interview notes is usually lower risk than one that ranks candidates, predicts job performance or automatically rejects people below a score.

For Riley, the hiring manager at a 60-person retail chain, that distinction changes the shortlist. Before reviewing the products, Riley assumed anything marketed for HR use was automatically suitable. After mapping each tool to the decisions it affects, Riley removes one product because automatic rejection cannot be disabled, negotiates a trial with human-review controls for a second, and records why the selected product presents a lower risk than the alternatives.

The same test works for a smaller business. Write down whether the tool merely helps staff organise information or whether it materially influences who is seen, shortlisted, interviewed, promoted or rejected. The closer it is to deciding a person's opportunity, the stronger the need for evidence, oversight, notice and a way to correct errors.

Why this matters to a business

A hiring tool can apply the same flawed rule to every applicant at scale. That may turn a minor design choice into a pattern of exclusion. A resume model trained on historical hiring data can reproduce old preferences, while a video assessment can penalise disability, accent, lighting, bandwidth or communication style rather than job ability.

The business consequences are not limited to court action. Poorly controlled screening can cause candidate complaints, damage trust, shrink the talent pool and create records that are difficult to explain later. It can also make managers less careful because a numerical score appears objective even when the underlying method is weak.

Buying from a recognised vendor does not transfer responsibility away from the employer. Regulators generally focus on the employment decision and its effect, not only on who wrote the software. A vendor may provide testing and documentation, but the business still chooses the tool, configures it and decides how much weight its output receives.

What regulators and laws focus on

Across jurisdictions, the recurring themes are discrimination, privacy, transparency and human oversight. The exact rules differ by location, so a global business may need to check several frameworks. The following summary is a navigation aid, not a finding about how any rule applies to a particular employer.

Discrimination and accessibility

In the United States, the Equal Employment Opportunity Commission explains that employment discrimination laws can apply when employers use software, algorithms or AI in hiring. Its resources also warn that a tool may screen out people with disabilities unless the employer considers accommodation and whether the assessment measures the actual requirements of the job. See the EEOC's AI and disability resources and its algorithmic fairness initiative.

This means a neutral-looking score is not enough evidence that a process is fair. A business should ask what the assessment measures, whether that factor is connected to the role, which groups were included in testing and what happens when an applicant requests another assessment method. A chatbot that cannot understand a screen reader or an interview game that rewards fast mouse movement can create barriers unrelated to job performance.

Automated decisions and personal data

Under the European Union's General Data Protection Regulation, Article 22 addresses decisions based solely on automated processing that produce legal or similarly significant effects. The rule includes exceptions and safeguards, so its application depends on the design and context of the process. The official text is available through EUR-Lex.

Even where a process is not solely automated, the wider privacy principles remain relevant. Candidate information should be collected for a clear purpose, limited to what is needed, kept accurate, protected and not retained indefinitely without reason. A vendor's ability to infer personality, emotion or future performance does not establish that the inference is reliable, necessary or appropriate for the role.

High-risk recruitment systems in the EU

The EU Artificial Intelligence Act classifies certain systems used for recruitment, selection and employment decisions as high-risk. The framework sets requirements for matters such as risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy and cybersecurity, with obligations and application dates depending on the actor and provision. Review the official EU AI Act text on EUR-Lex rather than relying only on a vendor summary.

For a buyer, the practical lesson is that a product described as compliant still needs evidence. Ask the supplier which parts of the system it considers high-risk, what documentation it will provide, how customers can supervise outputs and how changes to models or scoring logic are communicated. A vague assurance is not the same as usable documentation.

Local rules can add specific duties

Some cities and states add requirements beyond general employment and privacy law. New York City's rules for covered automated employment decision tools include a recent bias audit, public information about the audit and notices to affected candidates or employees. The city's Department of Consumer and Worker Protection provides an official AEDT information page.

This is why a single global compliance badge is not enough. The location of the job, candidate, employer and employment agency can change which rules are relevant. Before rollout, map where the tool will be used and have the applicable requirements checked by an appropriate adviser or authority.

Common recruitment uses and their relative risk

Lower concernHigher concern
Administrative support Drafting job ads, scheduling interviews, formatting notesUsing generated content without checking for exclusionary wording
Candidate matching Suggesting candidates for a recruiter to reviewHiding or rejecting candidates automatically
Assessment Structured tests tied to documented job skillsOpaque personality, emotion or performance predictions
Human involvement A trained person can disagree and records the reasonStaff routinely accept the score or cannot override it
Candidate rights Clear notice, contact route and accommodation processNo notice, explanation, correction or alternative process

What safer use looks like in practice

Safer use begins with a narrow purpose and a real human decision-maker. The system can help sort information, but a person should understand the criteria, review borderline cases and have authority to reject the system's recommendation. Human review is not meaningful when staff merely click approve or cannot see why a score was produced.

A 20-person professional firm might use software to identify whether applicants mention a required licence, then have a manager read every application. That is easier to explain and supervise than a model that assigns an overall employability score from writing style, social data or facial analysis. The second process introduces more inference and more ways for irrelevant factors to affect the outcome.

Good controls also include a way for candidates to ask questions, correct inaccurate information and request accommodation or an alternative assessment. The business should record the version of the tool, its configuration, the people authorised to use it and the reasons it was selected. Those records make later review possible when results or regulations change.

Data and privacy flag: Recruitment platforms may send resumes, interview recordings, test results and inferred candidate scores to the vendor's systems or subprocessors. Check where the information is stored, whether it is used to train models, how long it is retained and whether deletion can be completed across backups and connected services.

A practical buying and rollout checklist

Do not begin with a vendor demonstration. Begin with the employment task, the evidence needed and the decisions the tool must not make. The following sequence helps a small or medium business organise its review before seeking jurisdiction-specific advice.

  1. Define the use. State the role, stage of recruitment, input data, output and person responsible for the final decision.
  2. Ban automatic rejection by default. Require an override and a process for reviewing people who fall below a threshold.
  3. Test job relevance. Ask how each scored factor connects to a documented skill or requirement of the role.
  4. Request evidence. Obtain validation studies, subgroup results, known limitations, audit information and change logs.
  5. Check accessibility. Test keyboard access, screen readers, captions, time limits and alternative assessment routes.
  6. Review data handling. Map collection, hosting, subprocessors, model training, retention, deletion and cross-border transfers.
  7. Prepare candidate communication. Explain what the tool does, what data it uses, how to ask questions and how to request accommodation.
  8. Run a controlled trial. Compare outputs with trained human review and investigate differences before the tool affects real decisions.
  9. Monitor outcomes. Review selection rates, complaints, overrides and errors at regular intervals and after material system changes.
  10. Keep an exit route. Make sure data can be exported or deleted and the hiring process can continue without the product.

Questions to put to every vendor

Ask the vendor to answer specific operational questions in writing. What decisions does the system make or substantially influence? Can automatic rejection be disabled? What data was used to develop and validate it? Which protected or demographic groups were examined, and what limitations were found?

Also ask how the model changes over time, whether customers are notified before changes, what logs are available and how an individual result can be recreated. Request the contract terms governing candidate data, security incidents, subprocessors, deletion, audit assistance and responsibility for legal claims. A supplier that cannot explain the product clearly may be difficult to manage when a candidate challenges an outcome.

Do not accept a bias score without understanding its scope. Ask who performed the assessment, which version and configuration were tested, what population was used and whether the results resemble your roles and applicants. An audit can be useful evidence, but it does not prove that every deployment is fair or lawful.

Extra care for sensitive roles and sectors

The consequences rise when hiring affects safety, professional licensing or access to essential services. Healthcare, education, finance, legal services and public-sector employers may have additional confidentiality, recordkeeping, accessibility or procedural obligations. They may also process more sensitive applicant information or make decisions with longer-lasting effects.

In these settings, limit the tool to clearly defined assistance unless a deeper review supports broader use. Avoid speculative inferences about emotion, honesty, mental state or health from video, voice or behaviour. Confirm the position with the relevant regulator, professional body, insurer or qualified adviser before allowing the system to screen people out.

Frequently asked questions

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Are AI recruitment tools legal?

They can be legal, but legality depends on what the tool does, where it is used and how the employer controls it. A product may create risk if it discriminates, blocks accommodation, mishandles personal data or makes significant decisions without the safeguards expected in that jurisdiction.

Can an AI tool automatically reject job applicants?

Automatic rejection is a higher-risk use because the system directly determines access to an employment opportunity. Some legal frameworks restrict solely automated significant decisions or require specific safeguards, so businesses should check local rules and generally keep meaningful human review and an alternative process.

Does a vendor bias audit make the tool safe to use?

No. An audit can provide useful evidence, but its value depends on the tool version, configuration, data, population and method examined. The employer still needs to consider whether the assessment matches its own jobs, applicants and recruitment process.

Should candidates be told that AI is being used?

Clear notice is a sensible baseline, and some jurisdictions expressly require it for covered tools. The notice should explain the role of the system, the information it uses, how to request accommodation or an alternative and where to ask questions.

Who is responsible if the recruitment tool discriminates?

Responsibility can involve more than one party, but buying software does not normally remove the employer's exposure for its employment decisions. Contracts may allocate some commercial risk, while regulators and courts can still examine how the employer selected, configured and relied on the tool.

What is the lowest-risk way to start using AI in recruitment?

Start with administrative support, such as scheduling, note formatting or checking for a clearly stated qualification, while keeping a trained person responsible for every material decision. Trial the system on historical or test data, document limitations and expand its role only when the evidence supports doing so.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

The vendor questions in this guide are a starting point. Use a full AI vendor due diligence checklist before signing with any recruitment platform to document data handling, security and contract protections.

Read the Vendor Due Diligence Checklist