Skip to content
PrivateAI
← Back to Home
guide

Can HR Use ChatGPT to Screen Candidates? The Privacy and Compliance Risk in AI Recruiting

11 min read min readBy PrivateAI Team

_Last updated: 2026-07-08_

Every resume, background check, and interview transcript your team pastes into ChatGPT to "summarize this candidate" is personal data leaving your organization's control — and in a growing number of jurisdictions, using AI in hiring decisions now triggers specific legal obligations most HR teams have never heard of.

That's the short version. Here's what the exposure actually looks like and how to fix it without giving up the efficiency AI brings to recruiting.

Automated hiring tools are no longer a gray area regulators ignore. New York City's Local Law 144 has required bias audits for "automated employment decision tools" since 2023. Illinois has had AI-specific disclosure rules for video interviews since 2020, later amended to require race and ethnicity reporting to the state. The EU AI Act classifies employment-related AI — screening, ranking, and evaluating candidates or employees — as a high-risk use case with its own compliance obligations. Colorado, Illinois, and a growing list of states have added their own layers on top. None of this is theoretical: it applies the moment a recruiter uses an AI tool to help decide who moves forward.

Layered on top of the regulatory risk is a simpler, more universal problem: candidate data is some of the most sensitive personal information your company handles — full legal names, home addresses, salary history, immigration status, criminal background checks, medical accommodation requests, and inferences about protected characteristics baked into resumes and cover letters. Pasting that into a consumer AI chatbot sends it to a vendor's servers, outside your data processing agreements, outside your candidate privacy notices, and outside your control.

This guide covers what the actual risk is, and a practical AI stack that lets recruiting and HR teams use AI without creating compliance or privacy exposure.


Why "Just Use ChatGPT" Doesn't Work for Recruiting

The Regulatory Layer

NYC Local Law 144 requires any employer using an "automated employment decision tool" to screen candidates for jobs in New York City to complete an independent bias audit, publish the results, and notify candidates the tool is in use. The law was written with vendor screening products in mind, but the definition of an AEDT is broad enough that a recruiter using a general AI tool to score or rank candidates can fall inside it, depending on how the tool is used and who ends up making the recommendation.

Illinois' AI Video Interview Act requires employers to notify candidates before using AI to analyze video interviews, explain how the AI works, get consent, and — since a 2022 amendment — report the race and ethnicity of applicants who were and were not advanced after AI-assisted evaluation, so the state can look for disparate impact.

The EU AI Act puts AI systems used for recruitment or for evaluating candidates and employees into its high-risk category, which brings obligations around risk management, human oversight, data governance, and technical documentation — obligations that apply to any employer using AI in that role, not just tool vendors.

Colorado and other states have moved on parallel tracks targeting "high-risk" AI systems used in consequential decisions, including employment. The exact implementation timelines have shifted as legislatures negotiate amendments, but the direction is consistent: more jurisdictions, not fewer, are putting rules around AI hiring decisions.

The common thread across all of this regulation: the moment AI touches a hiring decision, you've taken on obligations around transparency, auditing, and data handling that most teams using ChatGPT informally have never assessed.

The Data Exposure Layer

Separate from the regulatory question, there's the plain privacy exposure. A typical hiring pipeline touches:

  • Full resumes with names, addresses, and phone numbers
  • Salary history and compensation expectations
  • Background check and criminal history reports
  • References and reference call notes
  • Visa and work authorization status
  • Medical or disability accommodation requests
  • Interview notes that frequently include recruiter impressions tied to age, gender, or other protected characteristics, even unintentionally

When a recruiter pastes a resume into a consumer AI chatbot to "write a summary" or "compare against the job description," that data is processed on the vendor's infrastructure, potentially logged, and — depending on the tier — used to improve the underlying model. None of the standard candidate privacy notices most companies issue account for that flow. Neither do most companies' data processing agreements with their ATS or background-check vendor, which were negotiated assuming the data stayed inside that one system.


The Stack: AI That Doesn't Leave a Trail

Local Models for Resume and Application Review

The highest-volume, most repetitive task in recruiting — first-pass resume review, summarizing candidate backgrounds, drafting screening questions tied to a job description — is also the task best suited to a model that runs entirely on your own hardware.

Ollama runs locally on a standard workstation or a dedicated Mac Mini, and current open-weight models (Llama 4, Mistral Large 2, Qwen 2.5 72B) handle resume summarization, keyword-to-requirement matching, and interview question generation at a quality level well within what recruiting teams need. Because inference happens on hardware you control, no candidate data reaches a third-party vendor, no vendor logs it, and no vendor's terms of service become part of your compliance story.

This also sidesteps a chunk of the AEDT question directly: a tool that runs on infrastructure you control, that a human recruiter reviews and overrides, is a materially different risk posture than a black-box vendor product making automated pass/fail decisions. Documentation of that human-in-the-loop review is itself part of good compliance practice under most of the frameworks above.

Perplexity for Compliance and Market Research — Never for Candidate Data

Recruiting teams have a real, ongoing research need that has nothing to do with any individual candidate: tracking what's legally required in each jurisdiction you hire in, researching salary bands and market comp data, and understanding what disclosure language competitors are using.

Perplexity Pro is well suited to exactly that layer. Its Pro tier does not train models on subscriber queries, and the search-first, cited-answer format means you're asking questions like "what does NYC Local Law 144 require for a bias audit" or "current EU AI Act obligations for high-risk employment systems" — general research, not candidate-specific data. Use it to stay current on the compliance landscape and to research comp benchmarks. Never paste an actual resume, background check, or candidate name into it.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


A Practical Recruiting AI Workflow

Putting the pieces together, here's how a privacy-conscious recruiting team actually uses this day to day:

Resume screening and summarization: Local model via Ollama, run against resumes pulled from your ATS. Recruiter reviews every AI-generated summary before it informs a decision — human-in-the-loop, documented.

Interview question generation: Local model, fed the job description and candidate resume, generates role-specific questions. No candidate PII leaves the machine.

Compliance and market research: Perplexity Pro for jurisdiction-specific hiring law, comp benchmarking, and competitor policy research — general questions only, never tied to a specific candidate.

Background check and offer document storage: Tresorit, with access limited to the recruiter and hiring manager on that specific req.

Sensitive candidate correspondence: Proton Mail for offer negotiations, accommodation discussions, and any exchange involving background check results or medical information.

Audit trail: Keep a simple log of which roles used AI-assisted screening, what the tool did, and who reviewed the output. This single practice does more for Local Law 144 and EU AI Act readiness than any individual tool choice — regulators are asking for demonstrated oversight, not just good intentions.


A Compliance Checklist Before Rolling Out AI in Recruiting

  1. Does the tool make automated decisions, or does a human review every output? Human review changes your regulatory posture significantly.
  2. Have you notified candidates that AI is used in the process? Several jurisdictions require this explicitly.
  3. Where does candidate data go once it touches the AI tool — logged, retained, used for training? Get this in writing from any vendor.
  4. Is your candidate data stored in a way that satisfies your existing privacy notices and DPAs, or has AI introduced a new, unaccounted-for data flow?
  5. If you're hiring in NYC, have you assessed whether your tool qualifies as an AEDT requiring a bias audit?
  6. If you're hiring in the EU, have you mapped your recruiting AI use against the high-risk obligations in the AI Act?

If you can't answer one of these confidently, that's the gap to close before the next req goes live with AI in the loop.


The Regulatory Trend Only Moves One Direction

As of mid-2026, the pattern across US states and the EU is consistent: more disclosure requirements, more audit obligations, more scrutiny of automated hiring decisions — not less. No jurisdiction has banned AI in recruiting. Every one that has weighed in has said some version of: use it, but be transparent about it, keep humans in the loop, and be able to show your work.

A local-model-first workflow, encrypted storage for records, and encrypted channels for sensitive candidate communication satisfies that standard by design rather than by retrofit.


Stay Ahead of AI Hiring Compliance

New state and EU rules on AI in hiring are landing every few months, and most HR teams find out after a candidate complaint or an audit request, not before. The PrivateAI newsletter tracks what's actually changing in AI hiring law and which tools hold up under it — no vendor fluff, just what changed and what to do about it.

Subscribe below to get the next issue directly.


_Built a privacy-safe recruiting AI workflow at your company? We test and publish practitioner-sourced stacks — let us know what's working._