Regulations

Key markets

How Ribbon supports you

California

Ribbon supports compliance with California’s CCPA/CPRA and anti-discrimination rules by offering clear consent and data-use disclosures, tools for exporting or deleting candidate information on request, and flexible data-retention settings that help organizations manage personal data responsibly.

Current regulation

California requires all-party consent for recording calls/interviews.

The California Privacy Rights Act (CPRA) requires notice of data collection, purpose limitation, and secure handling of personal data.

What is needed to comply

Inform the candidate before recording and obtain explicit consent.
Clearly disclose the purpose of recording and how the data will be used/stored.
Allow candidates to opt out and provide alternative accommodations.

How Ribbon support compliance

Ribbon automatically displays a pre-interview consent notice before recording begins.
Interviews never start recording unless the candidate explicitly agrees.
Purpose, retention, and data-use details can be fully customized in the consent screen.
Secure storage, access controls, and retention settings help customers meet CPRA obligations.

New York

Ribbon aligns with New York State and NYC AEDT requirements through transparent AI-use notices for candidates, audit-friendly logs and scoring data that support independent bias reviews, and configurable scoring settings that ensure human oversight remains central to hiring decisions.

Current regulation

New York is a one-party consent state for call recording.
NYC and NY State privacy laws require clear notice of data collection and fair-use of candidate information.

What is needed to comply

Ensure at least one party consents to the recording (your organization or Ribbon does this by default).
Provide candidates with a notice that the interview will be recorded and how the data will be used.
Allow candidates to opt out and provide alternative accommodations.

How Ribbon supports compliance

Ribbon provides automatic candidate recording notifications.
Consent is logged before recording starts.
Data is stored securely with configurable retention to support compliance with NY privacy expectations.

Colorado

Ribbon helps employers meet expectations under Colorado’s Anti-Discrimination Act and the Colorado AI Act by providing documentation-ready logs of AI configurations, human-in-the-loop review workflows, and transparent, adjustable AI behavior that supports emerging risk-management obligations.

Current regulation

Colorado is a one-party consent state for recordings.
The Colorado Privacy Act (CPA) requires organizations to obtain consent for sensitive data and provide transparent processing notices.

What is needed to comply

Notify candidates that the interview is being recorded
Provide clear disclosure of how the recording will be used and stored.
Ensure secure processing and allow data-subject rights (access, deletion, etc.).

How Ribbon supports compliance

Consent prompts ensure candidates know the interview is recorded.
Customizable consent notices allow you to specify purpose, retention, and rights.
Ribbon’s data retention controls and secure infrastructure help customers meet CPA requirements.

Ontario

Ribbon supports Ontario’s Human Rights Code and federal privacy standards (PIPEDA) by using role-based access controls, privacy-aware interview design that minimizes exposure to sensitive information, and export/delete tools that help organizations respond to candidate data requests.

Current regulation

Ontario (and all of Canada federally) uses one-party consent for recordings.
PIPEDA governs how organizations collect, use, and store personal information.

What is needed to comply

Ensure at least one party (your organization) consents to recording.
Provide transparent notice to candidates about recording and data use.
Store recordings securely and only as long as necessary.

How Ribbon supports compliance

Recording occurs only when initiated by a consenting party.
Ribbon gives candidates clear pre-interview notifications explaining the purpose of recording.
Auto-deletion, access controls, and encryption align with PIPEDA best practices.

Quebec

Ribbon supports Quebec’s strict privacy framework under Law 25 by enabling explicit, customizable consent screens, offering privacy-first data retention and access settings, and providing detailed access logs that strengthen internal privacy governance and oversight.

Current regulation

Quebec follows one-party consent for recordings.
Law 25 (modernized privacy law) requires explicit, informed consent for collecting personal information and mandates strict transparency.

What is needed to comply

Provide explicit advance notice explaining the recording and its purpose.
Obtain clear consent (implicit may be insufficient under Law 25).
Provide information on retention, destruction, and cross-border data storage.

How Ribbon supports compliance

Ribbon’s consent module captures explicit candidate agreement prior to recording.
Customers can disclose retention and cross-border storage in the consent text.
Ribbon’s access controls, auditability, and retention policies support Law 25 obligations.

European Union

Ribbon is designed with GDPR and EU AI Act expectations in mind, offering configurable legal-basis and consent disclosures, tools for responding to access/rectification/deletion requests, and clear documentation and human oversight of AI-driven screening processes.

Current regulation

GDPR treats voice data as personal data.
Recording interviews requires a lawful basis, most commonly explicit consent.
Organizations must provide transparency, data-subject rights, strict access controls, and retention policies.

How Ribbon supports compliance

Obtain explicit consent from the candidate before recording.
Provide a clear explanation of:
- what data is collected
- why it's collected
- how long it's kept
- who can access it
- where it is stored

Honor deletion and access requests.

How Ribbon supports compliance

Ribbon presents a GDPR-compliant consent screen before any recording occurs.
Consent is logged and stored for auditability.
Retention controls, encryption, and role-based access support GDPR’s data-minimization and security requirements.
Customers can easily fulfill deletion or access requests directly in Ribbon.

Other regions

Ribbon’s flexible privacy, consent, and AI-governance features make it adaptable to additional regions such as the UK, Australia, and other U.S. states with privacy laws, and we can work with your legal team to support the specific requirements of your operating regions.

Current regulation

Most jurisdictions fall into either one-party consent (e.g., Australia, UK, many U.S. states) or all-party consent (e.g., Germany, parts of the U.S.).
Local privacy laws nearly always require transparency, purpose limitation, and secure data handling.

What is neededtocomply

Provide candidates notice that the interview is recorded.
Obtain explicit or implicit consent depending on jurisdiction.
Explain how recordings are processed, stored, and deleted.

How Ribbon supports compliance

Ribbon’s consent flow can be adjusted to meet both one-party and all-party consent laws.
Obtain explicit or implicit consent depending on jurisdiction. Customers can customize the language to reflect legal requirements.
Secure storage, encryption, retention rules, and auditability support compliance across regions.

Screen candidates 24/7 with Recruit AI

Built for global compliance

How we think about compliance.

How Ribbon supports you

Streamline hiring at scale