Today, California Attorney General Bonta announced an “investigative sweep” through inquiry letters sent to California employers. In the letters, information on California Consumer Privacy Act (CCPA) compliance is requested specifically with respect to the personal information of employees and job applicants.
The Attorney General noted “we are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”
Recall that as of July 1, 2023, the California Privacy Protection Agency has the power to bring immediate administrative enforcement actions to enforce the CCPA as revised by the California Privacy Rights Act and the August 2020 operative CCPA regulations (see our posts California Employers Should Carry On with CCPA Compliance and California Privacy Law Action Items for Employers). While some may have hoped that the employment context would not be a focus of enforcement activity, the sweep announced today makes it clear that full CCPA compliance by employers is expected.
Our Top 5 Recommendations Are:
- Implement / update contracts with service providers, affiliates and other parties to whom the company discloses personal information about applicants and personnel, to avoid triggering or violating opt-out rights of employees (and implement an opt-out program if required);
- Issue / update privacy notices to job applicants and employees and addressing applicant and HR data in the company’s online CCPA Privacy Policy;
- Update the company’s data subject request program and train HR professionals;
- Revisit data deletion and retention policies given broad access rights for employees and associated compliance costs and risks; and
- Prepare assessments concerning the use of “sensitive personal information” to support reliance on exceptions or offer opt-out rights to employees.
For more, please see our California Privacy Law blog and resource page here or contact a member of our team.