Photo of Helena Engfeldt

On January 1, 2024, businesses must post updated Privacy Policies under the California Consumer Privacy Act (CCPA), which requires annual updates of disclosures and fully applies in the job applicant and employment context since January 1, 2023.

With respect to job applicants and employees, businesses subject to the CCPA are required to:

  1. Issue detailed privacy notices with prescribed disclosures, terminology, and organization;
  2. Respond to data subject requests from employees and job candidates for copies of information about them, correction, and deletion;
  3. Offer opt-out rights regarding disclosures of information to service providers, vendors, or others, except to the extent they implement qualified agreements that contain particularly prescribed clauses; and
  4. Offer opt-out rights regarding the use of sensitive information except to the extent they have determined they use sensitive personal information only within the scope of statutory exceptions.

If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. For more: see also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Key recommendations to heed now

Continue Reading Looking ahead to 2024: California privacy law action items for employers

It is an unprecedented time for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) took effect on January 1, 2023 with a twelve-month look-back that also applies to the personal data of employees and business contacts. The California Privacy Protection Agency recently finalized regulations and has kicked off a new phase of rulemaking including on

In first-of-its-kind legislation, under SB 54, California will require venture capital companies to collect and report diversity data from portfolio company founders as soon as March 1, 2025. The new Fair Investment Practices by Investment Advisers law intends to increase transparency regarding the diversity of founding teams receiving venture funds from covered entities

New York may soon restrict employers and employment agencies from using fully-automated decision making tools to screen job candidates or make other employment decisions that impact the compensation, benefits, work schedule, performance evaluations, or other terms of employment of employees or independent contractors. Draft Senate Bill 7623, introduced August 4, aims to limit the use of such tools and requires human oversight of certain final decisions regarding hiring, promotion, termination, disciplinary, or compensation decisions. Senate Bill 7623 also significantly regulates the use of certain workplace monitoring technologies, going beyond the notice requirements for workplace monitoring operative in New York since May 2022 and introducing data minimization and proportionality requirements that are becoming increasingly common in US state privacy laws.

While there is not yet a federal law focused on AI (the Biden administration and federal agencies have issued guidance documents on AI use and are actively studying the issue), a number of cities and states have introduced bills or resolutions relating to AI in the workplace. These state and local efforts are all at different stages of the legislative process, with some paving the path for others. For example, New York City’s Local Law 144 took effect on July 5, prohibiting employers and employment agencies from using certain automated employment decision tools unless the tools have undergone a bias audit within one year of the use of the tools, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates (read more here).

If enacted, Senate Bill 7623 would take things much further. Here are some of the most significant implications of the draft legislation:Continue Reading Check Yourself Before You Wreck Yourself: New York and Other States Have Big Plans For Employer Use of AI and Other Workplace Monitoring Tools

Today, California Attorney General Bonta announced an “investigative sweep” through inquiry letters sent to California employers. In the letters, information on California Consumer Privacy Act (CCPA) compliance is requested specifically with respect to the personal information of employees and job applicants.

The Attorney General noted “we are sending inquiry letters to learn how employers are

Since July 1, 2023, the California Privacy Protection Agency has the power to bring administrative enforcement actions under the California Consumer Privacy Act (CCPA) (see our post on California Privacy Law Action Items for Employers).

While a June 30, 2023 ruling by the Sacramento County Superior Court stays enforcement of the March 29, 2023

In less than two months, on January 1, 2023, the California Consumer Privacy Act (CCPA) as revised by the California Privacy Rights Act (CPRA) will take effect fully in the job applicant and employment context.

And with respect to job applicants and personnel, businesses subject to the CCPA will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. See also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Here are some key recommendations on what employers should do now:

1. Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non -discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest draft as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with parties it discloses personal information to.

2. Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. At collection notices in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply from January 1, 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (from January 1, 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all notices at collection). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.Continue Reading California Privacy Law Action Items for Employers