In 2026, most US state privacy laws explicitly exempt all HR data, meaning employee and candidate records generally do not fall under their scope outside of California. Where HR data is covered (California), the laws regulate data that typically lives in HRIS or ATS systems. This includes standard identifiers, like names, SSNs, or contact info; professional records, like resumes; and sensitive data, specifically biometrics (though states like Illinois also strictly regulate these under separate laws), demographics, and health.
HR data categories commonly scrutinized
When privacy mandates apply, HR teams must track and govern the following categories of HR data, which cover identifiable employee and applicant data held across ATS, HRIS, payroll systems, and benefits management systems:
- Standard Identifiers: Data that directly identifies a worker, such as names, postal addresses, personal emails, and SSNs.
- Professional and Employment Information: Resumes, interview notes, performance reviews, salary history, and disciplinary records.
- Biometrics: Fingerprints for time clocks or facial scans for building access.
- Demographics: Racial or ethnic origin, citizenship, or religious beliefs.
- Health: Disability accommodations or medical leave info (which is different from HIPAA-covered data).
California treats employees and candidates like consumers, and these categories of HR data fall under the California Consumer Privacy Act (CCPA). Multi-state employers commonly adhere to these privacy laws to have a uniform way of handling data.
HR operational focus to cut down on risk in 2026
To lower risk and stay ready for requests, HR should focus on how they manage their systems:
- Post clear notices: Explicitly tell employees and applicants what data you collect and why.
- Build a process for requests: If an employee asks to see or delete their data, you must respond and act within specific timelines.
- Uphold "reasonable security": Implement standard cybersecurity measures (encryption, access controls) to protect against breaches.
- Provide access based on the job: Make sure only the right people can see sensitive files.
- Have logs and a digital trail: Show how you handled certain requests.
- Set timelines: Decide how long to keep hiring files and how to delete them safely.
- Check vendors: Make sure partners who handle payroll or benefits follow the same high standards.
HR teams can use an HR compliance checklist to make sure they track all the data these laws cover.
TL;DR
- In 2026, most US state privacy laws exclude HR data. But California scrutinizes ATS or HRIS information such as identifiers, professional records, and sensitive data like biometrics.
- Multi-state employers commonly align their data handling with the California standard.
- HR can prepare by clearly posting notices and creating a process by which people can see or delete their data.