Data Privacy

California AG Investigates Large Employers for CCPA Employee Data Compliance

California Attorney General Rob Bonta announced on July 14th an investigative sweep with written inquiry letters sent to large California employers requesting information regarding the companies’ compliance with the employee data provisions of the California Consumer Privacy Act (CCPA). AG Bonta’s letters specifically address businesses’ compliance with the CCPA’s legal protections governing the handling of employee and job applicants’ personal information. “We are sending inquiry letters to learn how employers are complying with their legal obligations,” AG Bonta said. The statement does not frame the letters as “warning letters” but rather letters requesting information about compliance.

Effective January 1, 2023, covered businesses must also comply with the CCPA’s robust privacy protections as they relate to employee data. Employees now have the right to know what personal information a company collects on them and to access it, as well as the ability to correct that information and request its deletion.

California lawmakers had initially exempted employee data from the privacy protections to help businesses ease into California’s privacy regime. That exemption expired in January 2023, though business groups, including the 4A’s and the California Chamber of Commerce, had made an effort to extend and/or eliminate it via supporting additional legislation.

These letters to California’s large employers should be a warning to agencies that the AG’s Office is delving into actual business practices concerning data privacy. Consumer-facing privacy policies and opt-outs are seemingly low-hanging fruit; the AG’s Office is increasingly updating its expertise and sophistication on privacy matters and has been actively looking into actual practices and data flows, not just basic reviews of policies and opt-out language. This new examination into legal compliance regarding the business use and processing of employee data is just another example of this.

If agencies haven’t already done so, immediate steps for compliance with the employee provisions of the CCPA/CPRA should include:

  • Examining the types and uses of employee and job applicant data to inform 2023 CCPA readiness efforts.
  • Evaluating which exceptions to the 2023 CCPA’s various privacy rights, including rights to delete, correct, and limit, may apply to employment data and the company’s use cases for those categories of data.
  • Updating the company’s CCPA privacy disclosures to include employment data and any ancillary privacy statements that will need to link to those privacy disclosures.

California is the only state with a comprehensive data privacy law that does not provide exemptions for employee data. Other state privacy laws only cover consumers.

Worth noting, at its May 15, 2023 meeting, the California Privacy Protection Agency (CPPA), the state regulatory agency charged with enforcement of California’s revised data privacy law, the California Privacy Rights Act (CPRA), indicated that the agency could explore a potential future rulemaking on employee data including whether any exceptions or specific rules should apply. It might also consider whether to revise and/or add exceptions to the right to limit, including for HR/employee data. Enforcement of CCPA employee data provisions may move forward even though enforcement of certain CPRA regulations has been postponed until March 2024.

For further information or questions, please contact Jim Potter, CHC Executive Director, at jpotter@cohealthcom.org.