All articles

Data protection for HR in the United States

Mellow Editorial·5 min read

Reviewed by Mellow Editorial Team, HR & payroll content team

There is no single federal privacy law that governs how US employers handle employee data. Instead, US HR data protection is a patchwork of federal sector-specific rules, state statutes, and common-law duties — which means your obligations depend heavily on where your business operates and what data you collect.

What federal law actually covers

No comprehensive federal employee privacy statute exists. Federal rules tend to be narrow and sector-focused:

HIPAA applies to health plan information when your company sponsors a group health plan. It does not cover general employment records. If you self-administer a health benefit, you need a HIPAA-compliant firewall between your HR function and health plan data.

ADA and GINA require that employee medical records and genetic information be kept in files separate from general personnel files, with strictly limited access. This is a concrete, actionable obligation — not just best practice.

FCRA (Fair Credit Reporting Act) applies whenever you use a consumer reporting agency for background checks. You must give candidates a written disclosure, get written authorization, and follow an adverse-action notice process before rejecting someone based on the report.

FLSA and tax recordkeeping rules require you to retain payroll records for at least three years. IRS rules add their own retention requirements for tax documents. Destruction schedules must account for both.

State law is where most HR obligations now live

Several states have enacted substantive privacy or data-protection statutes that directly affect HR.

California is the most significant. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), now includes employees, job applicants, and contractors as covered individuals. California-based employers must:

- Provide a privacy notice at or before the point of data collection, explaining what categories of personal information you collect and why

- Honor deletion requests and requests to correct inaccurate data, subject to certain employment-law exceptions

- Limit use of sensitive personal information (which includes Social Security numbers, precise geolocation, and health data) to stated purposes

- Implement reasonable security measures

California also prohibits mandatory arbitration of certain claims and, relevant to data, prohibits most non-compete clauses — so non-disclosure agreements tied to data access need careful drafting to stay enforceable.

Other states — including Colorado, Connecticut, Virginia, and Texas — have enacted their own consumer data laws. Some include employees; some currently do not. This landscape is shifting. If you operate across multiple states, you cannot assume a single policy covers every jurisdiction.

What you should actually have in place

Regardless of which specific laws apply to you, the following are either legally required or defensible baseline practice:

A written data inventory. Know what personal data you collect (Social Security numbers, bank details, health information, biometric data if applicable), where it lives, who has access, and how long you keep it. You cannot protect what you have not mapped.

Role-based access controls. Payroll data, medical files, and background-check results should not be accessible to everyone in HR, let alone the broader company. Limit access to those with a clear, documented need.

A written retention and destruction policy. Federal and state law impose minimum retention periods for different record types. Holding data longer than necessary increases both your liability and the damage potential of a breach.

Vendor due diligence. Your HRIS, payroll processor, benefits administrator, and background-check vendor all handle employee personal data on your behalf. Under laws like the CCPA, you are responsible for ensuring they provide adequate protection. Written data processing agreements are not optional in regulated states.

A breach response plan. All 50 states have breach notification laws. They vary in trigger thresholds, notice timelines, and who must be notified (affected individuals, the state attorney general, credit bureaus). Having a plan before you need it — not after — is the only practical approach.

Biometric data deserves separate attention

Illinois, Texas, Washington, and several other states regulate the collection and use of biometric identifiers — fingerprints, voiceprints, facial geometry. Illinois's Biometric Information Privacy Act (BIPA) is the most aggressive: it requires written notice, written consent, a publicly available retention policy, and prohibits selling or profiting from biometric data. BIPA allows a private right of action, and class-action litigation against employers has been substantial. If you use timekeeping systems, access controls, or any technology that captures biometric data, state-specific compliance is non-negotiable.

Practical starting point

Map your data before you write any policy. A privacy notice or retention schedule built on guesswork is worse than none — it creates a paper trail showing you knew what you should have done. If you process data for employees in California or use biometric timekeeping anywhere, get legal review specific to those requirements. For multi-state employers, a single baseline policy with state-specific addenda is usually more sustainable than separate standalone documents for every jurisdiction.

---

Run HR and payroll in United States with Mellow

Mellow brings HR, payroll and 12 AI agents into one platform — built to handle United States properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.

- See Mellow pricing

- United States payroll software

- Compare Mellow with Deel

[Start a free trial →](/register)

USUnited StatesUScompliancerecords

Do more with the team you have

Mellow is AI-native HR & payroll that helps you invest in your people, not just manage headcount — across six countries. No credit card required.

Start free trial →

Related articles