You posted a job. You got 200 resumes. Now you're staring at them thinking: "How do I review these fairly? Can I just filter out people without degrees? And what do I do with the 195 people I don't hire?"
Most founders think: "I'll skim resumes for keywords, auto-reject anyone missing requirements, and delete the rejects when we're done hiring." What they don't realize: how you handle resumes determines whether you face discrimination lawsuits, violate federal record retention laws, or accidentally filter out your best candidates because of unconscious bias.
Founders who auto-reject based on degree requirements face disparate impact discrimination claims. Founders who delete rejected resumes before the 1-year minimum retention period face EEOC penalties and adverse inference in lawsuits. Founders who don't address hiring bias build homogeneous teams that underperform and struggle to scale.
Here's how to review resumes fairly, what you can and can't automatically reject, and how long you must keep every application (yes, even the bad ones).
Should You Do Blind Resume Review?
Blind resume review = removing identifying information (name, schools, addresses, graduation dates) before evaluating candidates
The Case For Blind Review
The research is clear:
Resumes with "white-sounding" names got nearly 50 percent more callbacks than those with "black-sounding" names
A 2014 study found that managers of both sexes were twice as likely to hire a man as a woman
Using conventional résumé screening, about a fifth of applicants who were not white, male, able-bodied people from elite schools made it to a first-round interview. Using blind auditions, 60 percent did
What gets removed in blind review:
Personal identifying information is redacted or removed. This might include names, addresses, schools attended, and even dates of graduation
Why this matters:
Names signal gender, ethnicity, religion
Addresses signal socioeconomic status, race (via neighborhood)
Schools signal class, network, perceived prestige
Graduation dates signal age
Without this info, you focus on: Skills, experience, achievements, work samples
How to Implement Blind Review (Without Expensive Software)
Example - 15-person startup, California:
"We decided to ask job applicants to not include their name, address, college name, or graduation date on their resume"
Then: After receiving resumes for a position, assign each candidate a number and refer to applicants by their number until people are brought in for interviews
Low-tech option: Use a Sharpie to redact names, schools, addresses before printing/reviewing
Mid-tech option: Copy resume text into spreadsheet, filter out identifying info, assign candidate numbers
High-tech option: Use software like Blendoor, GapJumpers, or ATS with built-in blind review
The Limitations of Blind Review
Critical caveat: While blind resume reviews are a good start, they're just that: a start. After you've picked out candidates using the blind review technique, you still have to meet them for an interview. And when you meet them, you'll learn all the demographic information you worked so hard to avoid in the first place
Blind review addresses bias in screening. It doesn't fix:
Interview bias
"Culture fit" bias
Like-me bias ("went to same school!")
Confirmation bias in final decisions
What to do: Combine blind resume review with structured interviews, standardized questions, and diverse interview panels
When Blind Review Makes Sense
Use blind review when:
You have high application volume (50+ resumes)
You're in competitive talent markets (tech, finance, consulting)
You want to improve diversity outcomes
You have time to implement the process
Skip blind review when:
You have under 20 applicants (manual bias check is faster)
You're hiring for roles where school/network genuinely matters (e.g., sales role selling to specific industry)
You're already using structured rubrics with objective scoring
Can You Automatically Reject Based on Criteria?
This is where many founders create legal risk without realizing it.
The Legal Standard: Disparate Impact
Disparate impact = when a neutral policy has a disproportionate negative effect on a protected class
An employer whose screening test or requirement has a disparate impact on a protected group must show that the requirement is job-related and consistent with business necessity
The landmark case: Griggs v. Duke Power (1971)
An employer required a high school diploma or passing scores on intelligence tests for certain jobs, which disproportionately excluded African American applicants based on longstanding educational inequalities
The Supreme Court ruled this violated Title VII, even though there was no intent to discriminate.
Degree Requirements: High Risk
The problem with automatically rejecting people without degrees:
Degree requirements often do have a disparate impact against African American and Latino applicants
To defend a degree requirement, you must prove:
The degree is truly necessary to perform the job (not just "preferred")
There's no less discriminatory alternative that would work as well
Degree requirements are slippery, in part because it isn't clear exactly what particular skills, aptitudes, or abilities a degree confers (unless a particular degree is required for licensing, like a law degree or medical degree)
Example - 10-person startup, Texas:
High risk auto-rejection: "All candidates must have a 4-year college degree" (Disproportionately screens out Black and Latino candidates who could excel in the role)
Lower risk approach: "Bachelor's degree in Computer Science OR 4+ years professional software development experience OR completion of coding bootcamp + portfolio of projects"
Why this works: Provides alternative pathways to demonstrate competence without requiring a degree
What You CAN Auto-Filter
Lower-risk automatic screening criteria:
✅ Required certifications/licenses (when legally required for the job)
CPA license for accounting role
Bar admission for attorney
Medical license for doctor
Real estate license for agent
✅ Must-have technical skills (but test them, don't just rely on resume keywords)
"Proficiency in Python" → Give coding test to verify
"Fluent in Spanish" → Conduct portion of interview in Spanish
✅ Geographic requirements (when genuinely necessary)
"Must be based in New York" → If role truly requires in-office work
"Must have work authorization" → Legal requirement
✅ Years of experience (with caution)
"5+ years project management experience" → Generally acceptable
BUT: Could have disparate impact on younger workers (age discrimination)
Higher-risk automatic screening:
❌ College degree (unless truly job-related)
❌ Specific schools ("must be from Ivy League")
❌ GPA requirements (can screen out people who worked through school)
❌ Employment gaps (discriminates against caregivers, people with disabilities)
❌ "Culture fit" algorithms (often proxies for "people like us")
The AI Complication
If you're using AI/algorithms to screen resumes:
The EEOC has emphasized that employers using software/algorithms/AI as "selection procedures" can face disparate impact liability if outcomes disproportionately exclude protected groups
Companies need to implement regular audits of their AI hiring tools to check for disparate impact across protected classes. Human oversight should be mandatory: no candidate should be rejected by an algorithm without human review
Example - 12-person startup, California, using AI resume screener:
AI tool automatically rejects candidates who:
Attended HBCUs (historically Black colleges)
Have gaps in employment
Lack specific keywords
Result: Disparate impact discrimination claim + potential AI hiring law violations
Better approach:
Use AI to rank/score, not automatically reject
Require human review before rejection
Audit AI outcomes by protected class quarterly
Test for disparate impact
What to Do With Rejected Resumes
Short answer: Keep them. For at least one year. Longer is better.
Federal Retention Requirements
Private employers must retain personnel and employment records for one year from the date of making the record or the personnel action involved, whichever occurs later
What this means:
Application received January 1, 2026
Hiring decision made February 15, 2026
Must keep until February 15, 2027
Employment statutes require covered employers to retain job candidates' records—even for the candidates who aren't hired—including applications, resumes, interview notes, assessment tests, reference checks, drug screens and background screens
Best Practice: Keep for 2 Years
Best practice is to retain all job applications and resumes – solicited or unsolicited – for a minimum of two years from the date of the hiring decision
Why 2 years?
Government contractors have 2-year requirement
Some state laws require 2 years
Gives you buffer if discrimination charge filed
ADEA (age discrimination) has longer retention for workers 40+
What to Keep
Everything related to the hiring decision:
Not only do you need to keep the resume or application, you must also retain supporting applicant documentation. This would include items such as: interview notes, assessment tests, reference checks, background checks, all related documents leading to a hiring or non-hiring decision, as well as the offer or rejection letter
For rejected candidates, keep:
Resume/application
Cover letter
Any test results or work samples
Interview notes (if they got to interview stage)
Rejection email
Reasons for rejection (documented)
If a Discrimination Charge Is Filed
When an EEOC charge has been filed against your company, you should retain personnel or employment records relating to the issues under investigation as a result of the charge until the final disposition of the charge or any lawsuit based on the charge
What this means: If someone files an EEOC complaint, you must keep ALL related records until the case is fully resolved (even if that takes years)
How to Store Rejected Resumes
Physical resumes:
Secure file cabinet or storage room
Locked to protect candidate privacy
Label clearly: "Job Title - Hire Date - Destroy After [Date]"
Digital resumes:
Secure folder structure
Password-protected
Access limited to HR/hiring managers
Backup regularly
ATS (Applicant Tracking System):
Most ATS platforms auto-retain for compliance periods
Set retention policy in system
Export data before deleting if you switch systems
When to Destroy Records
After retention period expires:
When you're ready to "toss" those applications with confidential data, shred it or safely delete the electronic data
Don't just throw them in the trash: Resumes contain PII (personally identifiable information) - name, address, phone, email, potentially SSN
Proper disposal:
Physical: Cross-cut shredder
Digital: Secure deletion (not just "delete")
Both: Document destruction with destruction log
State-Specific Considerations
California
California has extensive record retention requirements
Recommend 2-3 year retention minimum
Strong disparate impact protections under FEHA
Colorado
Follow 1-year federal minimum
Colorado AI Act (effective June 30, 2026) requires documentation of AI hiring decisions
Keep records of how AI tools were used in screening
New York
Follow 1-year federal minimum
NYC Local Law 144 requires bias audit records for AI tools
Strong state-level disparate impact law
Texas
Follow 1-year federal minimum
TRAIGA (effective Jan 1, 2026) requires AI governance documentation
Note: Disparate impact alone is not sufficient for a discrimination claim under TRAIGA
Florida
Follow 1-year federal minimum
No additional state-specific requirements beyond federal
Practical Workflow for Resume Management
Step 1: Receive Applications
Set up organized system:
Folder structure: [Job Title]/[Date Posted]/Applications
Assign candidate ID numbers for blind review (if using)
Log receipt date
Step 2: Initial Screening
If using blind review:
Redact identifying info
Assign numbers
Score based on skills/experience only
If not using blind review:
Use structured rubric to reduce bias
Document why each person advances or is rejected
Avoid vague reasons ("not a culture fit")
Be specific:
✅ "Lacks required Python experience"
✅ "Has 2 years experience, role requires 5+"
❌ "Not a good fit"
❌ "Bad vibes"
Step 3: Document Decisions
For each rejected candidate, note:
Date reviewed
Who reviewed
Specific reason for rejection
Keep with their application
Why this matters: If you face a discrimination claim, you need to show legitimate, non-discriminatory reasons for rejections
Step 4: Retention
Immediately after hire decision:
Move all applications to "Retention" folder
Set calendar reminder for destruction date (1-2 years out)
Restrict access to authorized personnel only
Step 5: Destruction
When retention period expires:
Review for any pending litigation (if yes, keep longer)
Securely destroy per policy
Log destruction: "200 applications for Marketing Manager role posted 3/1/26 destroyed 3/1/27"
Why How You Handle Resumes Matters
Resume review and retention isn't just logistics; it's legal compliance and bias prevention.
Best practices:
On blind review:
Use it if you have high volume or want to improve diversity
Combine with structured interviews (blind review alone isn't enough)
Simple implementation: Ask candidates not to include identifying info + assign numbers
On automatic rejection:
Avoid auto-rejecting based on degree requirements (disparate impact risk)
Provide alternative pathways to demonstrate qualifications
If using AI screening, audit for bias regularly and require human review
On retention:
Keep ALL applications (including rejected) for minimum 1 year, ideally 2 years
Keep everything: resume, notes, tests, rejection email, reasons documented
If discrimination charge filed, keep until fully resolved
Securely destroy after retention period
Three actions this week:
Review your current auto-reject criteria: Do you filter out anyone without a degree? That's high legal risk. Add alternative qualification pathways.
Check your resume retention: Do you have resumes from the last year? If not, you're violating federal law. Set up a retention system now.
Document rejection reasons: For your next hire, write specific, job-related reasons for each rejection. "Not qualified" isn't enough. "Lacks required 5 years SQL experience" is defensible.
The goal isn't perfect hiring; it's fair hiring with defensible documentation.
Blind review reduces bias. Thoughtful screening criteria avoid disparate impact. Proper retention protects you legally.
Do all three, and you'll hire better while staying compliant.
This content is provided for informational purposes only and does not constitute legal advice; for guidance on your specific situation, please consult with an employment attorney licensed in your state.
