Monitoring a candidate for integrity is legal, but only if you do it the right way. The line between a defensible process and a privacy problem comes down to a few principles: be transparent, collect only the data you actually need, and keep a human accountable for every decision. Here is what the law actually requires.
This is general guidance, not legal advice. Rules vary by jurisdiction; check with counsel before you deploy anything.
GDPR: consent is necessary but not sufficient
In the EU, you need a lawful basis to process a candidate's data under Article 6 of the GDPR. The catch: consent is weak in a hiring context. The European Data Protection Board has stated it is problematic to rely on consent from candidates because of the power imbalance — it "is unlikely to be freely given." So consent-first is good practice, but you usually pair it with a documented legitimate-interests assessment.
What is non-negotiable everywhere:
- Transparency. Articles 13 and 14 require telling candidates who is processing their data, why, on what basis, and for how long.
- Data minimization. Article 5 limits you to data that is "adequate, relevant and limited to what is necessary," and Article 25 requires privacy by design and by default.
A system that reads device signals and stores no video is minimization built into the architecture.
Biometrics: the line you really don't want to cross
The moment you collect face geometry or a voiceprint, a separate set of laws kicks in. Illinois' BIPA requires written notice and a signed release before collecting a biometric identifier, with statutory damages of $1,000 to $5,000 per violation and a private right of action — and the Illinois Supreme Court held that no actual injury is required to sue. Texas and Washington have their own biometric statutes.
Crucially, these laws regulate biometric identifiers — face and voice — not ordinary device telemetry like window focus, paste timing, or process scans. Keeping detection to non-biometric signals avoids the biometric-law minefield, and the GDPR's special-category rules in Article 9 along with it.
The EU AI Act makes recruitment AI "high-risk"
The EU AI Act classifies AI used "for the recruitment or selection of natural persons" and to "monitor and evaluate performance and behaviour" as high-risk. That brings obligations for risk management, data governance, logging, accuracy, and human oversight — and Article 26 requires deployers to inform candidates that they are subject to the system. The high-risk obligations apply from 2 August 2026, so transparency to candidates is becoming a legal duty, not a courtesy.
US: tell candidates, accommodate, and stay accountable
US federal law has no single AI-hiring statute, but the rules still bite. The DOJ's ADA guidance says to tell applicants what technology is used and how they will be evaluated, and to provide accommodations. And under Title VII, the employer — not the vendor — is liable: a selection tool can create unlawful disparate impact even if an outside vendor developed and administered it. Any detection tool you use must be validated for bias and keep a human in the loop.
Recording and retention: default to the strict version
Interview recording is governed by wiretap law. While federal law allows one-party consent, about a dozen states require all-party consent — and because remote interviews often span states, the safe rule is to assume the strictest law applies and get explicit notice before recording.
Best practice from HR counsel is straightforward: put the privacy notice in the scheduling email so candidates see it in advance, control access, set a retention schedule, and be ready for access and deletion requests.
The defensible posture
Put it together and the compliant design looks the same in every jurisdiction: consent-first, device signals only, no stored video, short retention, and a human who owns every flag. That is data minimization by design; it sidesteps biometric and wiretap exposure and satisfies the transparency duties regulators now expect. It is exactly how Trueyy is built.
Sources
- GDPR Article 6 — lawful basis
- EDPB Guidelines 05/2020 on consent
- GDPR Article 5 — principles · Article 25 — privacy by design
- Illinois BIPA §15 — notice and consent · §20 — damages
- EU AI Act Annex III — high-risk systems · Article 26 — deployer duties
- DOJ ADA guidance on hiring technology, 2022
- EEOC adverse-impact guidance, 2023
- Federal Wiretap Act, 18 U.S.C. §2511 · Reporter's Recording Guide — RCFP
