California AG’s Office Takes Steps to Ensure Employers Comply With CCPA
Employers take note: The California Consumer Privacy Act (CCPA) now applies to employment-related data, and enforcement began on July 1, 2023. California Attorney General Rob Bonta did not waste time pursuing employers who may have violated the CCPA. On July 14, 2023, he announced that his office had requested information from some employers related to CCPA compliance.
The CCPA is one of the nation’s most expansive privacy laws. It gives consumers broad powers to control the collection, storage, and sharing of their personal information, including employment information. When the law went into effect on January 1, 2020, it included an exemption for data related to human resources. The California legislature did not take action to extend the exemption, however, so it expired on January 1, 2023.
The California Office of the Attorney General (OAG) and California Privacy Protection Agency have broad authority to bring CCPA enforcement actions against employers. Covered employers must meet specific requirements related to the privacy of employment-related data, and should take steps to ensure that they comply with the rules.
How Does the CCPA Apply to Employment Data?
When originally passed in 2018, the CCPA required employers to provide employees, contractors, job applicants, and other personnel with a “notice at collection.” Such notices had to describe “the categories of personal information to be collected from [the individual] and the purposes for which the categories of personal information shall be used.”
The California Privacy Rights Act (CPRA), which amended certain provisions of the CCPA, extended the temporary carve-out for HR-related data but expanded the required disclosures. The notices had to include more detail about the information collected, how long the information was to be retained, and the criteria for determining the length of data retention.
With the expiration of the exemption for HR-related data, the CCPA applies fully to the personal data of personnel and job applicants. These individuals can now exercise the full extent of their rights under the law, including:
The right to know what personal information employers are collecting about them
The right to delete personal information employers collect, with certain exceptions
The right to correct inaccurate personal information
The right to opt out of the sale or sharing of personal information
The right to limit the use and disclosure of “sensitive information,” which broadly includes union membership and the contents of certain email and text messages
Employees can also opt out of the use of their data in automated decision-making technology, such as monitoring and performance analysis tools.
Which Employers Are Covered?
The CCPA applies to any for-profit company doing business in California that collects, shares, or sells the personal information of California residents and:
Has gross annual revenue of $25 million or more, or
Buys, sells, or shares information on 100,000 or more California residents, households, or devices, or
Derives more than half of its annual revenue from the sale of personal information of California consumers
A company may “do business” in California if it operates a website that allows California residents to provide their personal information. Furthermore, companies can become subject to the CCPA through the use of tracking technologies that share website visitors’ personal information with advertisers.
Covered employers should review the personal information they collect from employees and job applicants and how it’s used and disclosed. They should then ensure that their privacy policies describe the categories of information, including sensitive information. Employers may need separate privacy policies for employees, contractors, and job applicants. Privacy notices must be “reasonably accessible for consumers with disabilities” and made available in all languages in which the company conducts business in California.
What Steps Should Employers Take?
Data collection analysis can help employers respond to CCPA rights requests within the law’s required timeframe. Employers should establish, document, and test procedures for responding to requests and providing the required information. HR staff and other personnel who assist in the process must be trained in verifying the identity of individuals making requests.
Employers that use third-party platforms or agencies for collecting the personal information of California-based applicants must ensure that the third party’s website meets the CCPA’s privacy notice requirements. Agreements with any service providers should strictly limit the personal information they collect, process, or retain on the employer’s behalf. Employers should also implement security policies and controls to protect personal data and document a security incident response plan. Data retention policies should be tightened to minimize the amount of data subject to the CCPA.
As of July 1, 2023, companies no longer have 30 days to cure alleged CCPA violations. Penalties for noncompliance include fines of up to $2,500 per violation and $7,500 per willful violation. Companies should take steps now to ensure they fully comply with the law and become familiar with additional regulations that go into effect March 29, 2024.
Learn More About New Developments in Law
Stay up to date on the most current legal developments in California and the rest of the nation with Purdue Global Law School.
Purdue Global Law School offers an online Juris Doctor if you wish to become an attorney licensed in California. If you wish to advance your legal education but do not intend to become a practicing attorney, you may consider an online Executive Juris Doctor.