What Does the California Attorney General’s New Investigative CCPA Sweep Mean for California Employers?
On July 14, 2023, the California Attorney General announced an investigative sweep targeting CCPA compliance efforts by “large California employers.” The Attorney General’s Office sent inquiry letters to the large California employers “requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”
The CCPA did not always cover employee data. The CCPA largely exempted employee data from its framework. Before January 1, 2023, the CCPA only required covered employers to (a) safeguard employee data, and (b) provide a notice to employees, job applicants, owners, directors, officers, medical staff members, and contractors describing the categories of employee data collected and how the employee data is used. However, California voters approved the California Privacy Rights Act (the “CPRA”) on November 3, 2020, which amended the CCPA and eliminated the employee exemption.
Effective January 1, 2023, covered employers’ obligations to comply with the CCPA as it relates to employee data expanded significantly. CCPA-covered employers’ employee data privacy obligations now include, among other things, drafting or amending compliant service provider agreements and establishing processes for handling employees’ requests to exercise their rights to access, delete, and opt out of the sale and sharing of employee data.
There is some degree of uncertainty as to how California employers can shape their CCPA compliance efforts. The CCPA regulations do not clearly address employee data, and the California Privacy Protection Agency (CPPA) recently acknowledged the lack of clarity in the CCPA regulations at a May 2023 meeting. The CPPA considered revising the CCPA regulations and/or adding exceptions for employee data, given that “the current purposes are not really designed for employee[] [data],” as one CPPA member noted.
Several other states exempted employee data from their own comprehensive consumer data privacy laws: Virginia, Colorado, Connecticut are currently in effect, and Utah, Texas, Montana, Iowa, Tennessee, and Indiana have enacted new laws to take effect in the next few years. California remains the only state to extend its data privacy law to employee data. Hopefully, the CPPA’s November 2023 meeting will bring clarity for California employers’ compliance efforts.
What does the California Attorney General’s CCPA investigative sweep mean for California employers? The investigative sweep is a reminder that the CCPA’s statutory requirements, including those that apply to employee data, are enforceable, even though the Superior Court of California issued a ruling delaying enforcement of the new CCPA regulations until March 29, 2024.
Note: The post California Attorney General Announces New Investigative Sweep Targeting CCPA Compliance for “Large California Employers” first appeared on TheTMCA.com