Post: 8 Global Data Privacy Laws Every AI Resume Parsing Deployment Must Comply With

Published On: November 10, 2025

Bottom Line: AI resume parsing deployments face data privacy requirements on every continent. Eight frameworks create overlapping obligations that require systematic compliance architecture, not just a privacy policy update.

AI resume parsing processes sensitive personal data at scale. Every jurisdiction where you receive applications—and many where your data is stored or processed—has specific legal requirements governing that processing. Eight frameworks collectively cover the candidates in most global talent markets.

Understanding each framework’s specific obligations for AI parsing is a prerequisite to an HR compliance architecture that holds up under audit and litigation.

1. GDPR (EU/EEA)

GDPR is the most operationally demanding framework. For AI resume parsing: you need an Article 6 legal basis for processing (legitimate interest is the most common choice, but it requires a documented balancing test); you must give candidates Article 13/14 notices that describe the AI processing; Article 22 gives candidates the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, so a screening tool that rejects candidates with no human involvement needs one of the Article 22(2) exceptions plus safeguards, including the right to obtain human intervention and to contest the decision; data must be minimized to the fields necessary for the role; and retention limits must be enforced automatically rather than left to manual cleanup. GDPR does not mandate a specific cipher: Article 32 requires security measures appropriate to the risk and names encryption as one such measure. In practice that means encryption at rest (AES-256 is the usual choice) and TLS for data in transit. Special category data under Article 9 (racial or ethnic origin, health, religious beliefs, political opinions and the like), which candidates sometimes volunteer in resumes, additionally requires explicit consent or another narrow Article 9(2) exception.

2. CCPA/CPRA (California)

California’s CCPA has applied fully to job-applicant data since January 1, 2023, when the employment exemption expired. Businesses must disclose the categories of personal information collected and the purposes for which they are used (including AI processing) in the notice at collection, honor access, correction and deletion requests for candidate data, and offer an opt-out where candidate data is sold or shared (under the CPRA, “sharing” means disclosure for cross-context behavioral advertising). The CPRA amendments (operative January 1, 2023) added “sensitive personal information”, which covers race or ethnicity, sexual orientation, health and similar categories that may appear in resumes, together with a right to limit its use to what is necessary for the requested purpose. The CPRA also directs the California Privacy Protection Agency to issue regulations on automated decision-making technology, so explicit disclosure of automated processing of sensitive PI is the baseline, not the ceiling.

3. PIPEDA (Canada)

Canada’s Personal Information Protection and Electronic Documents Act requires meaningful consent for personal data collection. For AI resume parsing, “meaningful consent” means candidates understand what data is extracted, how it’s used in screening, and with whom it’s shared. Canada’s Office of the Privacy Commissioner has specifically noted that automated employment decisions require enhanced disclosure.

4. LGPD (Brazil)

Brazil’s Lei Geral de Proteção de Dados mirrors GDPR in structure. The legal bases most applicable to recruitment are legitimate interest (Article 7(IX), which requires a documented balancing test) and, for steps the candidate initiates, necessity for procedures preliminary to a contract (Article 7(V)). Candidates have rights to access, correction, anonymization and deletion. Article 20 gives data subjects the right to request review of decisions taken solely on the basis of automated processing that affect their interests, and the controller must explain the criteria used; because the law no longer requires the reviewer to be a natural person, this is narrower than GDPR Article 22’s human-intervention safeguard.

5. POPIA (South Africa)

South Africa’s Protection of Personal Information Act requires a lawful basis for processing, data minimization, retention limits, and a written contract with each operator (POPIA’s term for a processor, which includes AI parsing vendors). Special personal information (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour) may not be processed on a legitimate-interest basis alone; it requires consent or one of the specific statutory exceptions.

6. PDPA (Thailand/Singapore variants)

Both Thailand and Singapore have a Personal Data Protection Act (PDPA) built around consent, with data accuracy obligations and cross-border transfer restrictions, but the lawful-basis details differ. Singapore’s PDPA is consent-based with statutory exceptions that matter for recruiting: the “evaluative purposes” exception covers assessing a candidate’s suitability for employment, and the 2020 amendments added a “legitimate interests” exception that requires a documented assessment and disclosure. Thailand’s PDPA (Section 24) also provides a legitimate-interests basis alongside consent, contractual necessity and other bases, but sensitive data under Section 26 (race, ethnicity, religion, health, disability, criminal records, biometrics and similar) requires explicit consent unless a narrow exception applies. A parser that extracts such fields by default therefore needs a consent gate or a suppression rule before it runs on Thai candidates.

7. PIPL (China)

China’s Personal Information Protection Law applies extraterritorially to the processing of personal information of natural persons in China when the purpose is to provide them products or services or to analyse their behaviour (Article 3). Its localization rule is narrower than “all data stays in China”: Article 40 requires critical information infrastructure operators and processors above CAC-set volume thresholds to store personal information collected in China domestically, and any export requires one of the Article 38 mechanisms (a CAC security assessment, a CAC-approved standard contract, or certification) together with separate consent (Article 39) and a personal information protection impact assessment (Article 55). For a multinational sourcing Chinese candidates this usually means either parsing in-country or putting a standard contract in place before resumes leave China. Article 24 requires transparency about automated decision-making and gives individuals the right to refuse a decision made solely by automated means that significantly affects their rights and interests.

8. Illinois BIPA and Emerging State Laws

Illinois’s Biometric Information Privacy Act applies if any component of the pipeline collects biometric identifiers, for example voiceprints or facial geometry from recorded video interviews; it requires written informed consent and a published retention schedule before collection, and it carries a private right of action. Beyond BIPA, New York City’s Local Law 144 requires an independent bias audit within the past year and advance notice to candidates before an automated employment decision tool is used on candidates or employees in New York City. Most other state comprehensive privacy laws, including Virginia’s and Colorado’s, exempt job-applicant data handled in an employment context, so obligations in those states come from sector-specific rules such as Colorado’s AI Act (SB 24-205), which covers high-risk AI systems used in employment decisions. Compliance requires tracking the location of each applicant, not just your organization’s headquarters.

Key Takeaways
  • Eight global privacy frameworks create overlapping obligations for AI resume parsing deployments
  • GDPR’s extraterritorial reach (Article 3(2)) covers non-EU organizations that target or monitor candidates in the EU, regardless of where the company is located
  • Solely automated hiring decisions trigger review rights under GDPR Article 22 (human intervention), LGPD Article 20 (right to request review) and PIPL Article 24 (right to refuse the decision)
  • Special category data (health, race, political affiliation) requires explicit consent or a narrow statutory exception under most frameworks; a general legitimate-interest basis is insufficient
  • PIPL’s localization and cross-border transfer rules affect multinational organizations sourcing Chinese candidates

Expert Take: The compliance challenge isn’t understanding any single framework; it’s managing the intersection of multiple frameworks simultaneously. A candidate applying from the EU to a US company whose data is processed by a Canadian vendor and stored in Singapore triggers four frameworks at once. Your compliance architecture needs to apply the most restrictive applicable requirement to each data element.
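As an added example (not code from the original post), here is one way to operationalize the Expert Take: a small Python resolver that determines which frameworks a data element touches and merges their requirements one by one, keeping the most restrictive value of each. Every rule value, the territory-to-framework map, and the assumption that the US company in the scenario is California-based are constructed placeholders for illustration, not statements of what any law requires; substitute values agreed with counsel before using this in a real pipeline.

```python
"""
Added example, not code from the original post: resolve the handling rules for
one parsed-resume data element when several privacy frameworks apply at once,
taking the most restrictive value of each requirement. All rule values and the
territory mapping below are CONSTRUCTED placeholders (assumption), not legal
requirements.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    retention_days: Optional[int]       # cap on keeping the element; None = no explicit cap
    explicit_consent_for_special: bool  # special-category fields need explicit consent
    review_of_automated_decision: bool  # candidate may demand review of a solely automated decision
    localize: bool                      # data collected here stays in-territory absent a transfer mechanism


# Assumed placeholder values (illustration only).
FRAMEWORKS = {
    "GDPR":    Rule(retention_days=180,  explicit_consent_for_special=True,  review_of_automated_decision=True,  localize=False),
    "CCPA":    Rule(retention_days=None, explicit_consent_for_special=False, review_of_automated_decision=False, localize=False),
    "PIPEDA":  Rule(retention_days=365,  explicit_consent_for_special=True,  review_of_automated_decision=False, localize=False),
    "LGPD":    Rule(retention_days=180,  explicit_consent_for_special=True,  review_of_automated_decision=True,  localize=False),
    "PDPA_SG": Rule(retention_days=365,  explicit_consent_for_special=False, review_of_automated_decision=False, localize=False),
    "PIPL":    Rule(retention_days=90,   explicit_consent_for_special=True,  review_of_automated_decision=True,  localize=True),
}

# Assumed territory -> framework map (EU/EEA members collapsed to "EU", US states as "US-XX").
TERRITORY_TO_FRAMEWORK = {
    "EU": "GDPR", "US-CA": "CCPA", "CA": "PIPEDA", "BR": "LGPD", "SG": "PDPA_SG", "CN": "PIPL",
}


def applicable_frameworks(candidate: str, controller: str,
                          processors: Iterable[str], storage: Iterable[str]) -> list[str]:
    """Every territory the element touches can bring its framework into scope."""
    territories = {candidate, controller, *processors, *storage}
    return sorted({TERRITORY_TO_FRAMEWORK[t] for t in territories if t in TERRITORY_TO_FRAMEWORK})


def most_restrictive(names: Iterable[str], candidate: str) -> Rule:
    """Merge per requirement: the shortest retention cap wins and any 'yes' wins.

    Localization is keyed on where the data was collected (the candidate's
    territory), not on every framework in scope: storing EU-collected data in
    a Chinese region does not make it subject to Chinese localization.
    """
    rules = [FRAMEWORKS[n] for n in names]
    if not rules:
        raise ValueError("no framework in scope; refuse to process rather than default to none")
    caps = [r.retention_days for r in rules if r.retention_days is not None]
    origin = FRAMEWORKS.get(TERRITORY_TO_FRAMEWORK.get(candidate, ""))
    return Rule(
        retention_days=min(caps) if caps else None,
        explicit_consent_for_special=any(r.explicit_consent_for_special for r in rules),
        review_of_automated_decision=any(r.review_of_automated_decision for r in rules),
        localize=bool(origin and origin.localize),
    )


def needs_transfer_mechanism(candidate: str, processors: Iterable[str], storage: Iterable[str]) -> bool:
    """True when data collected under a localizing framework would leave its territory."""
    rule = most_restrictive(applicable_frameworks(candidate, candidate, [], []), candidate)
    return rule.localize and any(t != candidate for t in (*processors, *storage))


if __name__ == "__main__":
    # The post's scenario: EU candidate, US company (assumed California), Canadian vendor, Singapore storage.
    scope = applicable_frameworks("EU", "US-CA", ["CA"], ["SG"])
    print(scope)                                            # ['CCPA', 'GDPR', 'PDPA_SG', 'PIPEDA']
    print(most_restrictive(scope, "EU"))                    # 180-day cap, consent and review required, no localization
    print(needs_transfer_mechanism("CN", ["CA"], ["SG"]))   # True: Chinese-collected data leaving China
```

The merge deliberately refuses to process when no framework is recognised instead of falling back to an empty rule set; an unknown territory should fail closed and be added to the map, not silently get the weakest treatment.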

Frequently Asked Questions

Does GDPR apply to non-EU companies doing AI resume parsing?

Yes, in most recruiting scenarios. GDPR’s territorial scope (Article 3) is keyed on the data subject being in the EU, not on the controller’s location or the candidate’s citizenship: a non-EU company that targets candidates in the EU (for example by advertising roles to them) or monitors their behaviour must comply for those candidates, and a company with an EU establishment is covered outright.

What is the penalty for violating GDPR with AI resume parsing?

GDPR Article 83 sets tiered penalties, in each case whichever amount is higher: up to €10 million or 2% of global annual turnover for infringements of controller and processor obligations such as security and documentation (Article 83(4)), and up to €20 million or 4% of global annual turnover for violations of the basic principles, data subject rights, or transfer rules (Article 83(5)). HR AI violations usually involve legal basis, transparency or Article 22, so they tend to fall in the higher tier.

How do CCPA and GDPR differ for AI resume parsing?

CCPA centres on the rights to know, delete, correct, opt out of sale or sharing, and limit use of sensitive personal information, and it applies only to businesses above its revenue or volume thresholds. GDPR is broader: it requires a legal basis for every processing operation, imposes purpose limitation and data minimization, mandates privacy by design and a data protection impact assessment for high-risk processing (which automated candidate screening usually is), and restricts solely automated decisions under Article 22. GDPR is therefore the more operationally demanding of the two for HR AI deployments.
