This page explains how Hirex supports compliance with the California Consumer Privacy Act (as amended by the California Privacy Rights Act), and similar privacy laws now in force across other US states.
For specific questions, email [email protected].
What is the CCPA / CPRA?
The California Consumer Privacy Act of 2018 (CCPA), as expanded by the California Privacy Rights Act of 2020 (CPRA), gives California residents rights over how businesses collect, use, and share personal information about them. It applies to for-profit businesses that meet specified thresholds and that do business in California.
Originally, CCPA had a carve-out for personal information collected from employees and job applicants. That carve-out expired on 1 January 2023. Employee and applicant data is now fully within the law's scope, which is what makes CCPA/CPRA directly relevant to applicant tracking systems.
Does this apply to your organisation?
The CCPA/CPRA applies to for-profit businesses that:
- Have annual gross revenue over $25 million, or
- Buy, receive, sell, or share the personal information of 100,000 or more California residents or households, or
- Derive 50% or more of annual revenue from selling or sharing California residents' personal information
If you hire anyone based in California, the candidate data you process about them is in scope.
Candidate rights under CCPA / CPRA
California-resident candidates have the following rights:
- Right to know what personal information you collect about them, where you collect it from, why, and with whom you share it
- Right to access a copy of the personal information you hold about them
- Right to delete their personal information, subject to limited exceptions
- Right to correct inaccurate personal information (CPRA addition)
- Right to opt out of the sale or sharing of their personal information for cross-context behavioural advertising
- Right to limit the use of Sensitive Personal Information (CPRA addition)
- Right to non-discrimination for exercising any of these rights
Customers must respond to verifiable requests within 45 days (extendable by another 45 days on notice).
How Hirex supports your compliance
Right to know (Notice at Collection)
You must give candidates a Notice at Collection at or before the point you collect their personal information. Hirex provides:
- Configurable Notice at Collection on application forms and careers pages, presented before the candidate submits any data
- Per-tenant customization so you can add your own categories, retention periods, and policy URL
- Audit log of which notice was shown to which candidate at the time of application
Right to access
- Export full candidate records through the application UI or API in machine-readable formats
- Self-serve candidate portal that lets candidates view what you hold about them without manual recruiter involvement
- Support for fulfilling access requests within the 45-day CCPA window
Right to delete
- One-click deletion of an individual candidate record
- Automatic deletion via configurable retention rules
- Compliant deletion: purge from production within 15 days and from backups within 45 days, per NIST SP 800-88 standards
Right to correct
- Candidates can update their own profile through the self-serve portal
- Recruiters can correct records on a candidate's request, with full audit log
Right to opt out of Sale or Sharing
Hirex does not Sell or Share personal information within the meaning of CCPA/CPRA. The platform does not engage in cross-context behavioural advertising, and we do not provide candidate data to advertising networks. Customers who configure their own advertising tags on their careers pages are responsible for the resulting compliance posture; the platform supports a Global Privacy Control signal and customer-configured opt-out mechanisms.
Right to limit the use of Sensitive Personal Information
The Services are not designed to require Sensitive Personal Information. Where candidates voluntarily disclose it (for example, health information related to accommodation requests), Hirex processes it solely to provide the Services to you, never to infer characteristics, build profiles, or share with third parties beyond the operational sub-processors listed on our Sub-processors page.
Right to non-discrimination
The platform does not differentiate features, pricing, or service quality based on a candidate's exercise of CCPA/CPRA rights.
Hirex's role under CCPA / CPRA
Hirex acts as a Service Provider to its customers under CCPA/CPRA. We Process personal information only for the specific business purposes set out in our Data Processing Addendum, and we do not:
- Sell or Share personal information
- Retain, use, or disclose personal information for any purpose other than providing the Services
- Combine personal information received from one customer with personal information received from another, except as needed to detect security incidents or fraud
This is reflected in our Data Processing Addendum.
Beyond California: the wider US state patchwork
CCPA was first. It is no longer alone. The following states now have substantively similar comprehensive privacy laws in force, each with their own scope, thresholds, and quirks:
- Virginia: Consumer Data Protection Act (VCDPA)
- Colorado: Colorado Privacy Act (CPA)
- Connecticut: Connecticut Data Privacy Act (CTDPA)
- Utah: Utah Consumer Privacy Act (UCPA)
- Texas: Texas Data Privacy and Security Act (TDPSA)
- Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island: comprehensive laws in force or coming into force
Most of these laws share a common core: rights of access, deletion, correction, portability, opt-out from sale and targeted advertising; obligations on controllers and processors; risk assessments for high-risk processing.
Hirex's features above (Notice at Collection, configurable retention, audit logs, deletion compliance, no sale or targeted advertising) support compliance with each of these regimes.
Employment-specific AI laws
Several US jurisdictions have laws specifically aimed at the use of AI in hiring. They apply to customers, not directly to Hirex, but Hirex provides the documentation customers need:
- New York City Local Law 144 (AEDT): annual bias audit and candidate notice required when an Automated Employment Decision Tool is used to assist hiring in NYC. Hirex provides the technical documentation needed to support the audit.
- Illinois Artificial Intelligence Video Interview Act: candidate notice and consent obligations when AI is used to analyse video interviews. Hirex provides configurable disclosure text and consent capture.
- Colorado AI Act (effective 1 February 2026): broad obligations on deployers of high-risk AI in employment. Hirex provides supporting documentation.
See our Responsible AI page for more.
Contact
- CCPA / state-law privacy requests: [email protected]
- Data Protection Officer: [email protected], Burak Yılmaz
- Mail: Hirex HR, Inc., 8 The Green STE D, Dover, Delaware 19901, USA
