The Consent-First Recruiting Playbook
How modern hiring teams build pipelines candidates actually want to be in — the legal mechanics, the messaging, and the workflow changes.
Consent isn't a compliance checkbox — it's a sourcing advantage. This playbook walks through the six consent options every modern ATS should expose, how to write them so candidates actually read them, and the audit posture that keeps you out of court.
Why consent-first hiring exists
For most of recruiting's history, the asymmetry has been absolute: candidates submit, employers retain. A resume sent on Monday could sit in a database for years, get parsed by tools the candidate never agreed to, get exported to vendors the candidate never heard of, and eventually surface in a sourcing query for a role they didn't apply to. The candidate, the original author of every word of that document, had no say.
That model is ending. GDPR Article 6, CCPA § 1798.140 as amended by the CPRA, NY Local Law 144, the Colorado AI Act, and a growing patchwork of state laws in Texas, Illinois, and Washington all converge on the same principle: a candidate's affirmative, informed, revocable consent is the legal basis for every meaningful operation you perform on their data.
Smart hiring teams have already noticed that consent-first sourcing isn't just safer — it's better. Candidates who opt in to discoverability are pre-qualified for openness. Candidates who grant AI extraction consent know what they're signing up for and don't churn out of the loop in week two.
The six consents every modern ATS should expose
Most ATSes still ship a single Terms & Privacy checkbox that covers everything from password hashing to lookalike-modeling ad-tech amplification. That's legally fragile and ethically thin. SourceHire exposes six independently revocable consents, and we recommend the same shape regardless of which tool you run:
- Core processing — the minimum required to process an application. This is the only mandatory consent.
- AI extraction — permission to run resume parsing through an LLM. When declined, only declared fields surface to reviewers.
- Discoverability — appear in the network-wide talent search beyond the job you applied to.
- Sensitive accommodations — capture accommodation needs and route them to reviewers.
- Marketing — receive platform emails about new opportunities.
- Professional enrichment — supplement the profile with public professional context.
Writing consent text candidates actually read
The standard legalese-by-default opt-in is unread, unenforceable in spirit, and bad sourcing besides. The five rules we apply to every consent string on SourceHire:
- Specific verbs. “We may process your data” is meaningless. “Run your resume through Anthropic Claude to extract skills, seniority, and education history” is consent.
- Named recipients. If data leaves your systems, name the partner. “Data partner” in the abstract is a CCPA-defective disclosure.
- Verbatim field list. Enumerate the fields transferred, not just categories. Auditors and candidates deserve the same precision.
- Independent revocation. Each consent is its own toggle. A candidate who revokes AI extraction should not lose discoverability.
- Plain-language summary above the legal text. Same content, different audience. The legal text exists so a regulator can verify the disclosure; the summary exists so a candidate can make a real decision.
The audit posture that keeps you out of court
Demonstrable consent is the legal frontier. GDPR Article 7(1) requires you to be able to prove a candidate consented; CPRA § 1798.135(c) requires the same for “sale” determinations; many state laws are catching up. The audit artifact we recommend — and ship — is a hash-chained consent ledger:
- Every grant or revocation creates a new ledger row tied to the candidate, the consent option, the policy version, the verbatim text shown, and a hash chained to the previous row.
- Tampering is detectable: an auditor can re-walk the chain and verify no row was altered or deleted.
- The chain is exported in the candidate's DSAR JSON payload, giving them the same artifact you'd hand to a regulator.
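A minimal version of such a ledger, added here as an illustration rather than SourceHire's own code: one chain per candidate, a verifier that re-walks it, and the DSAR export. The field names, the consent identifiers and the sample disclosure text are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded in the first row of a candidate's chain

def _row_hash(row):
    # Canonical JSON of every field except "hash": editing any field, or the link
    # to the previous row, changes the digest.
    body = {k: v for k, v in row.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append(ledger, candidate_id, consent, action, policy_version, text_shown, at=None):
    """Append one 'grant' or 'revoke' row to a candidate's ledger (a list of dicts)."""
    row = {
        "seq": len(ledger),
        "candidate_id": candidate_id,
        "consent": consent,            # e.g. "ai_extraction" (identifier assumed here)
        "action": action,              # "grant" or "revoke"
        "policy_version": policy_version,
        "text_shown": text_shown,      # the verbatim disclosure the candidate saw
        "at": at or datetime.now(timezone.utc).isoformat(),
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    row["hash"] = _row_hash(row)
    ledger.append(row)
    return row

def verify(ledger, expected_tip=None):
    """Re-walk the chain: (True, None), or (False, index of the first bad row).
    The chain alone cannot show that the newest rows were dropped, so pass the
    latest hash you stored out-of-band (e.g. a write-once log) as expected_tip."""
    prev = GENESIS
    for i, row in enumerate(ledger):
        if row["seq"] != i or row["prev_hash"] != prev or _row_hash(row) != row["hash"]:
            return False, i
        prev = row["hash"]
    if expected_tip is not None and prev != expected_tip:
        return False, len(ledger)
    return True, None

def current_state(ledger):
    """Latest decision per consent option, replayed from the chain (later rows win)."""
    return {row["consent"]: row["action"] == "grant" for row in ledger}

def dsar_export(ledger):
    """DSAR payload: current consent state plus the full chain for re-verification."""
    payload = {"candidate_id": ledger[0]["candidate_id"] if ledger else None,
               "consents": current_state(ledger), "ledger": ledger}
    return json.dumps(payload, indent=2)
```

The out-of-band tip hash matters in practice: without it, an operator who deletes the most recent revocation leaves a chain that still verifies.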
Where to start this quarter
If your team is starting from a single bundled opt-in, the first move is breaking the bundle. Identify which downstream operations actually require explicit consent (anything that leaves your systems, anything that runs through an LLM, anything the candidate would find surprising). Split those into discrete consents. Rewrite the disclosure text. Wire up the ledger. The legal posture and the candidate experience improve in lock-step.