California Attorney General Announces New Investigative Sweep Targeting CCPA Compliance for “Large California Employers”
On July 14, 2023, the California Attorney General announced an investigative sweep targeting CCPA compliance efforts by “large California employers.” The Attorney General’s Office stated that it sent inquiry letters to large California employers “requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.” The California Attorney General’s announcement is a reminder that all aspects of the CCPA are now applicable to employee, applicant, and other HR data.
Before January 1, 2023, the CCPA only required covered employers to (a) safeguard HR data, and (b) provide a notice to employees, job applicants, owners, directors, officers, medical staff members, and contractors describing the categories of data collected in those contexts, and how that data would be used. However, California voters approved the California Privacy Rights Act (the “CPRA”) on November 3, 2020, which amended the CCPA and eliminated the exemption for data in the HR context.
Effective January 1, 2023, covered employers’ obligations to comply with the CCPA as it relates to HR data expanded significantly. CCPA-covered employers’ HR data privacy obligations now include, among other things, drafting or amending compliant service provider agreements and establishing processes for handling requests from employees, applicants, contractors, and others in the HR context to exercise their rights to access, delete, correct, and opt out of the sale and sharing of their personal data.
There is some degree of uncertainty as to how California employers can shape their CCPA compliance efforts. The CCPA regulations do not clearly address HR data, and the California Privacy Protection Agency (CPPA) acknowledged the lack of clarity in the CCPA regulations at a May 2023 meeting. The CPPA considered revising the CCPA regulations and/or adding exceptions or specific rules for employee data, given that “the current purposes are not really designed for” employee data, as one CPPA member noted. In addition, many employers who have fulfilled CCPA employee data access requests have been frustrated that neither the CCPA statute nor the regulations contain meaningful exemptions for data to be provided in the HR context of the kind found in the General Data Protection Regulation, the comprehensive privacy law in the EU and UK, which does include HR data within its scope.
Several other states exempted employee and other HR data from their own comprehensive consumer data privacy laws: the laws of Virginia, Colorado, and Connecticut are currently in effect, and Utah, Texas, Montana, Iowa, Tennessee, and Indiana have enacted new laws to take effect in the next few years. California remains the only state to extend its data privacy law to HR data. Hopefully, the CPPA’s November 2023 meeting will bring clarity for California employers’ compliance efforts.
In the meantime, the Attorney General’s announcement of an investigative sweep is a reminder that the CCPA’s statutory requirements, including those that apply to HR data, are enforceable, even though the Superior Court of California issued a ruling delaying enforcement of the new CCPA regulations until March 29, 2024.