Hiring Process for Small Business: Legally-Compliant Workflow in 2026

The hiring process is the second-most-litigated area of employment law (after termination). Most discrimination claims have their origin in hiring decisions — bias in screening, biased interview questions, inconsistent application of criteria, or retaining undocumented decisions. A defensible hiring process protects against most common claims while still letting you hire well. Here's the workflow.

Pre-posting: define the role legally

Before posting, document:

• Essential job functions — physical, cognitive, and behavioral requirements that are genuinely essential (vs nice-to-have)
• Minimum qualifications — education, experience, certifications
• Pay range — required disclosure in CA, CO, NV, NY, WA, IL, HI, RI as of 2026
• Bona fide occupational qualifications (BFOQs) — the rare cases where age/sex/religion can be required (e.g., theater roles requiring specific gender)

Legal mistake to avoid: requiring qualifications not actually needed for the role. "5+ years experience" for an entry-level job has been challenged as age discrimination (disparate impact on younger workers). "Bachelor's degree required" when not actually needed creates similar exposure.

Job posting requirements

Federal:

• EEO statement (encouraged, not strictly required for non-federal)
• No discriminatory language ("young", "recent grad" suggesting age preference; "strong" suggesting able-bodied; "native speaker" suggesting national origin)

State-specific (2026):

• Pay range disclosure required: California, Colorado, Hawaii, Illinois, Nevada, New York, Rhode Island, Washington, Washington DC. Most require: clearly stated range or starting salary in the posting itself.
• Ban-the-box (criminal history): 14+ states + many cities prohibit asking about criminal history on the initial application
• Salary history bans: 21+ states + DC prohibit asking about salary history during hiring

Interview process: what to ask, what to skip

Always-okay interview topics:

• Job-related skills, experience, qualifications
• Why they're looking for a new role
• What they're looking for in their next role
• Specific job-related scenario questions
• References
• Salary expectations (in salary-history-ban states, ask what they're looking for, not what they currently make)
• Authorization to work in the US (yes/no — but no document checks until after offer)

Never-ask topics:

• Age (or anything that hints — graduation year, family status)
• Marital status, family plans, pregnancy
• Religion or religious practices
• National origin (where parents are from, native language)
• Disability (until ADA accommodation discussion post-offer)
• Health conditions or medical history
• Criminal history (in ban-the-box states, on initial application)
• Salary history (in salary-history-ban states)
• Childcare arrangements or family responsibilities
• Sexual orientation or gender identity
• Citizenship status (only legal authorization to work — yes/no)

Documenting the hiring decision

The single most important defensive practice: write down WHY each candidate was advanced or rejected, in job-related terms.

Good documentation: "Advanced based on demonstrated experience with [specific tool/skill needed for role] and clear examples of [specific job-relevant achievement] in interview."

Bad documentation: "Not a culture fit" (vague; potentially discriminatory). "Too old for our team" (overt age discrimination). "Will get pregnant within a year" (sex discrimination).

Keep evaluation records for at least 1 year (longer in some jurisdictions). EEOC charges typically must be filed within 180-300 days, so the documentation paper trail is your protection.

Background checks (FCRA compliance)

Background checks fall under the Fair Credit Reporting Act (FCRA). Required steps:

1. Disclosure — separate document (NOT in the application) clearly disclosing intent to obtain background report
2. Written authorization — separate signed authorization from candidate
3. Pre-adverse action notice — if adverse decision based on background, candidate must receive copy of report + summary of FCRA rights, with reasonable time to respond
4. Adverse action notice — final notice with the source agency's information

State-specific provisions add to this (California has CCPA-related requirements; some states require multi-day waiting periods between pre-adverse and final notice).

Failure to follow FCRA = $100-$1,000 per violation in statutory damages, plus actual damages, plus attorney fees. Class actions for FCRA violations have routinely cost employers $1M-$25M+.

Onboarding: I-9, W-4, state forms

First-day legally-required documents:

• Form I-9 — employment eligibility verification. Section 1 by employee, Section 2 by employer within 3 days of hire, document examination required
• W-4 — federal tax withholding
• State withholding form — state-specific equivalent (CA Form DE 4, etc.)
• Direct deposit authorization
• Beneficiary designations for benefits
• Employee handbook acknowledgment
• State-mandated notices — varies (CA Wage Theft Notice, NY Wage Theft Prevention Act notice, etc.)

E-Verify required in some states (Mississippi, Arizona, Tennessee, North Carolina, others) for all new hires; voluntary federally but recommended for I-9 verification.

Frequently asked questions

Can I use AI to screen resumes?

Yes with caution. AI screening tools have been challenged for disparate impact discrimination (e.g., screening out women based on training data biases). EEOC issued guidance in 2023 requiring employers to validate AI tools for non-discriminatory outcomes. Document your process; test for disparate impact periodically; keep human review in the decision chain.

How long should I keep applications and resumes?

Federal recommendation (EEOC): 1 year minimum from date of decision. ADEA: 1 year. State requirements may be longer. Best practice: 2 years for all hiring records to cover most charge filing windows.

Can I require US citizenship for a job?

Generally no, except for jobs with specific federal citizenship requirements (some federal contractor roles, security clearances, etc.). Asking about citizenship status during hiring violates immigration law. You can ask: "Are you legally authorized to work in the US?" (yes/no, no documentation required until I-9 post-offer).

What's the right way to handle unsolicited resumes?

Acknowledge receipt; review for genuine fit; document any decision. Storing all resumes in a database for future searches is fine if you have policies on data retention and use. Don't discriminate in the storage/review process.

Should I do credit checks?

Only if genuinely job-related (e.g., financial management roles, fiduciary positions). Eleven states + several cities prohibit credit checks for most jobs. EEOC guidance discourages credit checks because of disparate impact concerns. Use sparingly with clear job justification.