Today’s job search is a data privacy hellscape

TLDR: The lack of widespread data protection laws in the US is putting job-seekers at risk, and the future doesn’t look promising.

The job market is rough. Tech continues its purge as money is no longer free. If you’re stuck in the loop putting personal details into Greenhouse, Workday, Lever, or other talent management platforms, my condolences.

If you haven’t, you may be unaware of how invasive job applications have become. I’m not talking about tracking links and cookies on job boards, but rather the applications themselves. Remote job-seekers apply for dozens, sometimes hundreds of roles, each containing an application yearning for more personal data. Let’s look at some of the data your future coworkers are asked to input when applying for exciting new roles.

If you work in hiring, feel free to jump down to What can HR and talent teams do to help protect applicants.

A long list of common application fields

Companies request more data than they need. Not news, but still alarming.

Here’s a list of required fields I’ve seen on on job applications in the last year, organized subjectively from most reasonable to least. These are specific to roles in or adjacent to technical writing and software, so your mileage may vary.

  • Name

  • Email

  • Phone number

  • Date of birth

  • Resume

  • Cover letter

  • Full address

  • City / State / Country

  • High school performance (and explain it)

  • Gender

  • Disability status

  • Protected veteran status

  • Unemployment status

Additionally, it’s common to see optional demographic information requests, including:

  • Race

  • Sexual orientation

  • Transgender status

  • Hispanic/Latino status

The fields above are not always required. Some applications limit themselves to only require the necessary fields. They are the outliers. Bad defaults? Overzealous job posters? Regardless, it’s invasive.

A portion of a job application's demographics section. The race and transgender status questions are required, but offer a "I don't wish to answer" option.

My skepticism sensors go up when I see questions like these. Explicitly declining to answer is an answer on it’s own—one that potentially reveals more about the individual and how compliant they may be.

The applicant privacy policy

In some cases, applications may come with an attached applicant and candidate privacy policy. These policies are unhelpful to the average person. Some include data retention timelines, which is reassuring, while others include their legally required lawful basis, list of third parties, and contact details. On rare occasion you’ll find a required acknowledgement checkbox. For all others, it’s implied.

Across hundreds of applications, most lack a clearly visible policy and those that do surface one are clearly following the legal department’s guidance.

Why does this matter?

It’s easy to overlook the importance of consent when it comes to sharing information. The same person putting hours of their life on social media each week deserves to choose whether or not a hiring manager can see their address. I can only imagine how scary the situation must be for more targeted and vulnerable groups—especially in tech.

For most job-seekers, there’s a power imbalance that forces them to choose between a job—and income, healthcare, etc.—and privacy.

What can HR and talent teams do to help protect applicants?

The first step is auditing the type of information you request from applicants. The first rule of data is only collect what you need. Okay, protecting the data is more important, but only collect what you need!

Here’s a basic list of items you may need:

  • Name

  • Email

  • Phone (if you intend to call them as part of the process)

  • Resume/CV

  • Cover letter/comments (optional)

That’s it. You can also include role-related questions or prompts if your hiring managers know what they’re looking for.

You can set guidelines for who can review the information. It’s hard, if not impossible, to truly anonymize candidate details. Many companies had a good go at it, but candidates include revealing details in their cover letters and résumés. A better solution is to limit who can see application data. It’s surprisingly easy to reveal an applicant’s full résumé and personal contact details to team members. I’ve seen personal contact information for applicants while completing Greenhouse’s candidate scorecard system.

Finally, scrutinize your data processors. Default features and fields offered by talent platforms are hungry. Set short data retention times. Delete data after hiring. We all know you’re not reaching out to candidates “when similar roles open up.”

What can job-seekers do?

The job market is tough. When the situation improves, we need to demand better practices from employers and talent services companies.

Several services exist for removing personal data. The Consumer Report’s Permission Slip is free and automates data removal requests, but it’s unclear if they cover talent platforms. Other privacy tools like Mozilla Monitor are paid options for ongoing data deletion, with varying effectiveness.

We can also demand better personal data protection. In the US, that’s pretty unlikely. There’s an uptick in states introducing consumer privacy laws, but little chance of anything substantial at the national level. Even in my state of Oregon, which finally approved the Oregon Consumer Privacy Act, there’s an unfortunate clause that exempts any data provided to employers or in the process of applying to a job. This isn’t good enough. If you’re looking for another reason to contact your local representatives, privacy is a good one.

My best advice is: Provide as little information as possible.

Good luck out there.