Employers are running into these questions because non-U.S. applicants that are covered by more restrictive EU privacy laws (GDPR) make these types of requests now and again of American organizations. Even if the person requesting is from the United States, to our knowledge there is no state privacy law that would supersede the OFCCP’s record keeping regulations, which are federal law. The California Consumer Privacy Act (CCPA), for example, states that a business will not be required to comply with a request to delete personal information if the purpose is for compliance with a legal obligation (Civil Code section 1798.105(d)) and also lists compliance with federal, state, and local laws as one of the exemptions (Civil Code section 1798.145). As a federal contractor employer, you are required to maintain and preserve applicant records for two years from the making of the record or the personnel decision, whichever is later if you have 150 or more employees or a contract of $150K or more, and 1 year if you have fewer employees or a smaller contract (41 CFR Section 60-1.12(a)). You could reply back to the person making the request and indicate something to the effect that “U.S. federal law requires us to maintain all applicant records for [two years]. At the conclusion of the federal record keeping time period, we will expunge your records from all database. In the interim, however, we can place an indicator on your record that it is archived and may not be actively included in any recruiter database searches during the federal record keeping period.” Circa welcomes feedback on how other organizations have adapted to applicant privacy concerns while balancing their record keeping obligations.