Outdated, Overreaching, and Illegal: What’s Still on Your Job Application?


Recently, I responded to a call for consultants. The organization is fielding responses through its applicant tracking system. So, I started inputting my info and was shocked that they requested, although optional, a photo. Exiting stage left, job application privacy!

Insert record scratch! 

Immediately, I wondered why an organization would request such information and open themselves up to potential discrimination liability. Then, I thought that it’s not that different from requesting potential employees’ LinkedIn profiles because they carry similar risks. Then, I decided that a LinkedIn profile request is eerily similar to the situation where an organization asked an applicant for his Facebook password. Does anybody remember the Justin Bassett controversy (yes, I know I’m dating myself)? And what about issues like these?

  • What about my job application privacy as a respondent?
  • What if my profile is private?
  • What if I don’t connect with strangers and don’t want to connect with their recruiter? 
  • What if someone doesn’t have LinkedIn at all?

What are the ethical concerns of requesting access to someone’s social media profile?

Now, I know some people are going to argue that they’re searching for thought professional verification. So, what about those of us who refuse to verify on social media because of broad privacy concerns, including job application privacy? I’m not giving Facebook or LinkedIn a copy of my driver’s license! First, who knows what they’ll do with it and how their third-party relationships come into play here? Second, they already have a ton of granular information via apps and get hacked often; thus, refusing to verify is my only way of protecting the few bits of my privacy that are left. Moreover, I hate the surprising accuracy of ads and stuff in my feeds so much that I often don’t buy anything and “like” infrequently on general principle. Further, I’m equally offended that I am limited regarding information that I have access to because my algorithm is steered in a particular way. Oddly, I also find the algorithm to be quite racist – if I get one more wig ad, another story about Shannon Sharpe, or the drama between Monique, Oprah, and Tyler Perry, I just might throw my phone across the room. I don’t know how many times I have to hit hide or dislike to get the algorithm to accept that my “not interested preferences” should override my race. I said this to say that a potential employer cannot be sure that they’re getting a good look at the person because all of these other factors are at play.

So, let’s say an organization is actually interested in seeing whether I’ve posted samples of my work on LinkedIn. Why not ask the applicant for it? If they can post it, they can upload it. But this takes us to another issue – potentially being unable to evaluate candidates fairly. If a candidate isn’t on social media and the employer doesn’t ask them for work samples, but is able to obtain such information from other candidates who are on social media, the comparison is not equal. In terms of equity and social media presence, there are even more issues. LinkedIn isn’t the only professional social media platform, and when did it become a given that every professional would use it? Consider who may not be on LinkedIn! For example, consider someone who has limited free time and is rarely on the platform. Or what about the person who is very active in their professional association, but doesn’t post about it often?

Is it worth increased risk management issues?

So, as I smarted over the compliance and ethical issues, I also considered risk management. Some platforms request intensely personal information at the initial application phase. With limited exceptions, there’s no reason why an employer needs someone’s full Social Security number and full address at that stage, especially when the application doesn’t contain full disclosure of how that data will be used. At stage 0, is your organization really gearing up for a background check, verifying identity for the right to work in the US (I-9 compliance), or verifying information for payroll? Probably not.

Above and beyond the wisdom of collecting this info, consider this: once you collect it, records retention and data security laws become even more meaningful concerns. Even if someone is just an applicant, employers are bound by federal and state laws to:

  • Retain application records for at least one year (two years for federal contractors or public institutions).
  • Preserve all materials used in hiring decisions—resumes, interview notes, screening results, etc.
  • Secure sensitive data like SSNs under privacy laws and data protection standards (e.g., FCRA, EEOC, and state-specific regulations).
  • Properly dispose of expired records—which means shredding, erasing, or otherwise rendering them unreadable.

So collecting SSNs at the application stage means assuming full data stewardship responsibilities, including encryption, access controls, breach protocols, and retention compliance. That’s a heavy lift for someone who may never be interviewed or that your ATS will auto-reject.

I suspect that this information is being gathered without malice and also without regard for liability or contemporary job application privacy. I also believe such requests are often a failure to sync knowledge and regulatory changes with processes (especially automation), which is sometimes difficult given the hodgepodge of laws across our country. For example, does your org’s applicant process consider the following question:

  • Is my state a ban-the-box state and have our applicant questions been updated to reflect the answer?

These aren’t just annoying application quirks—they’re signals of larger disconnects between modern workplace values and outdated systems. They may even be red flags for candidates – do YOU want to work for an organization that doesn’t keep up? Do YOU want to be the candidate who brings up flaws in the hiring process? If your organization is still collecting photos, SSNs, or criminal history data (and depending on where you are, salary history) at the first click, it’s time to reevaluate what you’re really trying to learn—and what it might cost you.

To reduce legal risk and increase fairness:

  1. Audit your application forms regularly
    • Check for questions or data fields prohibited by federal, state, or local laws (e.g., ban-the-box, salary history bans, ADA restrictions).
  2. Ask for what you need—at the right time
    • Request work samples, background check consent, or sensitive data only after a conditional offer or when truly relevant. Respect timing and purpose.
  3. Invest in ethical tech and talent acquisition literacy
    • Don’t let automation be an excuse. If your ATS is pulling unnecessary data, or your team doesn’t know what’s legal, you’re not just inefficient—you’re exposed.