Many job applicants face the same daunting job search process: spending hours on job boards looking for desirable postings, drafting tens to hundreds of cover letters and resumes, and submitting applications to various online portals. However, current applicants unknowingly face a growing problem — applying for ghost jobs.

Ghost jobs are job postings published by legitimate companies for positions that do not exist. These are distinct from the fake job listing scams used to defraud individuals and steal personal data. Although ghost jobs are not a new hiring practice, a 2024 survey reported 81% of recruiters have posted ghost jobs and another survey stated three in every 10 companies posted a ghost job this year.

Hiring managers cite various reasons for posting ghost jobs, such as collecting applications to build their talent pools, giving their companies an appearance of growth and keeping current employees motivated by making them feel replaceable.

Aside from the potential ethical dilemmas, this hiring practice raises many data privacy implications depending on the jurisdiction applicants are submitting from and where the employer is based.

Notice and transparency principles

The data collection frameworks of the EU and California rely on the foundational principles of notice and transparency. Under these principles, employers are required to provide notice of their purpose for collecting personal data from applicants at the point of collection to satisfy the transparency requirement.

During the general hiring process, hiring managers should include proper notice about data collection in their job postings so applicants are adequately informed when they submit their applications. However, ghost job postings — by design — do not provide proper notice because they do not state the hiring manager's true intent for collecting this data — whether that is collecting a talent pool, inflating company growth or any other reason besides filling a vacant role.

The applicant data collected from a ghost job posting will likely always be used for a secondary purpose because the hiring manager's true purpose differs from the one disclosed. Employers need to disclose this secondary purpose in their notices and may require consent from applicants to use their information for a secondary purpose that is incompatible with the original. Employers should be aware of job boards' policies against solicitations for general applications while considering their notices for secondary purposes. For example, LinkedIn prohibits employers from posting job listings that solicit general applications for any company position.

What are the legal implications?

While the EU and California data collection frameworks share the same underlying principles, the actual enforcement of their data protection laws is likely to differ vastly.

The EU 

The EU General Data Protection Regulation may offer more robust data privacy protections to covered applicants, given its scope and existing guidance. At the outset, the GDPR requires personal data to be processed lawfully and fairly. Fairness requires controllers to process personal data in a manner conforming to the data subject's reasonable expectations.

In the case of ghost jobs, it is unlikely job applicants have the reasonable expectation their personal data will be processed for any purpose other than consideration for the job listed in the description. Ghost job postings used to inflate a company's growth are likely to fail the GDPR's fairness requirement before reaching the question of whether the company's purpose for processing the data was a lawful basis under the GDPR.

If the fairness requirement is met, companies must state the lawful basis they had to collect applicants' personal data. The GDPR provides six lawful bases for collecting a data subject's personal data. The most applicable to employers are processing that is necessary to fulfill a potential contract and processing that is necessary for a legitimate interest.

Employers can state facilitating a potential employment contract with an applicant as a lawful basis for collecting the applicant's personal data under the GDPR. However, when employers have no intention of hiring for the position posted in their job advertisements, applicants are unaware they are providing their personal data for a contract that will not exist. This is unlikely to pass both the fairness requirement and the lawful basis test for a contract under the GDPR. 

It is also unlikely hiring managers could argue they have a legitimate interest in job applicants' personal data as a lawful basis under the GDPR. If hiring managers are using ghost job postings to either collect a talent pool or to create the illusion their companies are growing, they are unlikely to have a legitimate interest in the data at all because the job postings are misleading and deceptive.

Companies that fail to comply with the GDPR are at risk of enforcement actions that could result in large fines, like the recent decision by Ireland's Data Protection Commission to fine LinkedIn 310 million euros for targeted and behavioral advertising.

The U.S.

Unlike Europe, the U.S. does not have a federal employment or data privacy law directly regulating ghost job postings, but some state-level comprehensive data privacy laws have mechanisms that may address this practice.

Currently, California and Colorado are the only states with privacy laws that regulate the collection and processing of employees' and applicants' personal information. Colorado only regulates the collection of biometric data from employees and applicants.

The California Consumer Privacy Act provides applicants with privacy rights like the right to access, correct and delete their data. The CCPA also requires businesses to collect personal information from applicants solely to consider them as potential employees. If businesses collect, retain or share job applicants' personal information for a reason other than consideration for the specified role, they must show there was "another disclosed purpose that is compatible" with the original purpose for collection. If businesses cannot show that an alternative purpose was disclosed and compatible, they may be in violation of the CCPA.

The CCPA only covers California applicants, and it limits private rights of action to residents affected by data breaches. Instead, the California Privacy Protection Agency could bring enforcement actions against companies found collecting job applicants' personal information from ghost job postings. Companies could risk enforcement actions with fines up to USD2,500 for each violation and USD7,500 for each intentional violation.

What can be done?

Ghost jobs can hurt applicants and companies alike. Companies put themselves at risk of violating existing data protection laws for improper collection and use, which could lead to consequential enforcement actions. This practice could also create huge reputational risks for companies if their ghost job postings are uncovered and publicized.

Privacy teams should consider working closely with human resources and recruiting managers to increase awareness of the privacy concerns of ghost jobs. Additionally, they may consider reviewing a sample of job postings to identify whether data collection is occurring for a genuine job listing, as well as reviewing listings that have been posted for a significant period of time.

For job applicants, ghost jobs exacerbate feelings of inadequacy and frustration in the exhausting job-hunting process. Job seekers can protect themselves from ghost jobs by looking for signs indicating the advertised position may not exist. Look out for job postings that are weeks or months old, avoid postings with vague or generic role descriptions, and check if the position is available on the company's website. Applicants should know their rights under their state or national data privacy laws to see if they can report violations to the appropriate data protection authorities.

It is unclear whether ghost jobs are a hiring practice that will continue into the new year. However, companies using this recruitment technique should be aware of the regulatory and reputational risks they bring and adjust their courses of action accordingly.

Kayla Bushey is a Westin Research fellow and Saz Kanthasamy, CIPP/E, CIPM, FIP, is the principal researcher, privacy management, for the IAPP.