In less than two months, on January 1, 2023, the California Consumer Privacy Act (CCPA) as revised by the California Privacy Rights Act (CPRA) will take effect fully in the job applicant and employment context.

And with respect to job applicants and personnel, businesses subject to the CCPA will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. See also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Here are some key recommendations on what employers should do now:

1. Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non -discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest draft as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with parties it discloses personal information to.

2. Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. At collection notices in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply from January 1, 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (from January 1, 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all notices at collection). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.

Continue Reading California Privacy Law Action Items for Employers

Effective January 1, 2023, California employers must continue to provide notification to employees of COVID-19 exposure in the workplace through 2023, but will be able to satisfy the notification obligation by displaying a notice in the workplace. On September 29, Governor Gavin Newsom signed AB 2693 into law, revising and extending the existing obligation for

It is official.  California has joined Colorado, Washington and New York City in requiring job posting to include pay ranges. Today (September 27, 2022), Governor Newsom signed SB 1162 into law, requiring California employers with 15 or more employees to include the salary or hourly wage range of positions in job listings. SB 1162 also

California employers will need to review and confirm their employees’ exempt status and non-exempt hourly wage rates before the start of the new year because of an unusual change in the statewide minimum wage applicable to all California employees.

On July 27, 2022, the California Director of the Finance Department sent a letter to Governor

The U.S. Supreme Court just handed employers a huge win in the continuing war over California’s Private Attorneys General Act (PAGA), a bounty-hunter statute that deputizes employees to sue on behalf of the state. In yesterday’s Viking River Cruises, Inc. v. Moriana, decision, the Supreme Court held that employers may compel employees to arbitrate

The Supreme Court of California has just resolved a long-standing debate over whether employees may recover additional statutory penalties if employers do not include unpaid premium payments for meal period and rest break violations (commonly referred to as “break penalties”) on employee paystubs, or include such premium payments with an employee’s final wages due immediately

Pay transparency laws (laws requiring employers to disclose compensation ranges to applicants) are spreading like wildfire across the US. Regulators are hoping such laws eliminate pay differentials based on gender or race. Putting good intentions aside, the laws are a source of huge consternation for businesses as the state and local requirements vary greatly in

On April 1, a state court judge in Los Angeles ruled that the California law (AB 979) mandating publicly traded companies include people from underrepresented communities on their boards violates the California Constitution. We initially reported on AB 979 here, noting that it was the first law of its kind in the US and was the second time California sought to mandate diversification of public company boards through legislation. In 2018, the first piece of California legislation (SB 826) aimed at increasing gender diversity; in 2020, AB 979 sought to increase diversity from underrepresented communities.

AB 979

The 2020 law requires publicly held corporations headquartered in California to include at least one person on their boards from an underrepresented community by the end of last year, with additional appointments required in future years. People from underrepresented communities are defined as anyone who self-identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian or Alaska Native, or who self-identifies as gay, lesbian, bisexual or transgender.

Under AB 979, the California Secretary of State must report annually on companies’ compliance with the law and may impose fines of $100,000 for an initial violation and $300,000 for each subsequent violation.

Continue Reading California’s Board Diversity Law Struck Down in State Court, But Movement for Inclusion and Diversity on Boards Persists

Many thanks to our data privacy colleagues for co-authoring this post: Lothar Determann, Helena Engfeldt and Jonathan Tam.

2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, with a twelve-month look-back that also applies to the personal data of employees and business contacts. The new California Privacy Protection Agency is preparing regulations that will sit on top of existing rules from the California Attorney General. Meanwhile, the California Legislature is enacting privacy laws even though it has not repealed or streamlined any of the myriad California privacy laws that continue to apply in addition to the California Consumer Privacy Act (CCPA).

On March 1, we held a webinar focused on the employment law implications stemming from these significant changes and covering a handful of critical hot topics (e.g., how to process vaccination information, the treatment of employees of PEOs, and EORs). If you missed it, here are the major highlights you should know!

Employment Takeaways

Preparing for CCPA / CPRA Compliance
  • CPRA amendments to CCPA take effect January 1, 2023; this ends the transitional exemptions for “HR” and “B2B contact information” and includes a 12-month look-back to January 1, 2022.
  • “At collection notices” have been required since January 1, 2020, with increased disclosure requirements since December 16, 2020. For more detail, click here.
  • Businesses must declare on January 1, 2023, in privacy policies whether they have been selling or sharing personal information of employees and B2B contacts in the preceding 12 months and, if yes, offer opt-out mechanisms and alternatives without discrimination.
  • Businesses must update service provider agreements, including with recruiters and IT, cloud, payroll, benefits, and other providers.
  • Businesses must offer broad access, deletion, rectification, portability and other rights to California employees and B2B contacts, and prepare for what may be the end of confidentiality in the employment area; employers should conduct training, and implement robust data governance policies (incl. deletion and discovery).
Data Access / Deletion Requests from Employees
  • Under existing employment law, California employees (not contractors) have the right to inspect and receive a copy of the personnel files and records that relate to their performance or any grievance concerning them within 30 days of their written request. The existing right to inspect does not extend to records relating to the investigation of a possible crime, letters of reference, or various ratings or reports.
  • By contrast, the new “right to know” under the CPRA/CCPA goes further. It encompasses two distinct rights: (i) the right to a disclosure explaining how the employer collects and handles the individual’s personal information; and (ii) the right to copies of “specific pieces of personal information.” The “right to know” applies to California consumers, which goes beyond employees (i.e., including contractors). In theory, it could extend the scope of the “right to know” from simply the personnel file to include, for example, informal communications about the employee, investigations, etc. Employers must generally comply with such requests within 45 days.
  • The “right to know,” however, is not absolute, and employers can refuse if the request is manifestly unfounded or excessive (e.g., if the purpose is to harass) and does not cover privileged information (e.g., communications with in-house and external counsel).
  • The CPRA/CCPA also introduce a new right to “data deletion.” This right is not absolute either. An exception should apply for most categories of personal information reasonably necessary to managing or administering current or past employment or contract work relationship.
  • Finally, the CPRA/CCPA gives California residents other rights including the right to limit the processing of sensitive information. There are exceptions to the right to limit the processing of sensitive information, but none of the statutory exceptions apply squarely to HR data.


Continue Reading A Quick Primer On New Privacy Law Obligations For California Employers

With special thanks to our data privacy colleague Helena Engfeldt for her contributions.


 On February 17, 2022, California Senator Bob Wieckowski introduced a bill (SB 1189) that would add protections for biometric information and establish a private right of action permitting individuals to allege a violation of the law and bring a civil action. The legislation is similar to the Biometric Information Privacy Act in Illinois (BIPA) which is creating expensive headaches for Illinois employers. (Read about the latest BIPA developments here.) If enacted, the law will cover all employers that use biometric time-keeping systems in California. Many employers would have to navigate the law alongside other California privacy laws such as the California Consumer Privacy Act (CCPA).

Here’s what employers need to know about SB 1189:

Covered employers?

The bill would apply to any private entity regardless of size. “Private entity” is defined as an individual, partnership, corporation, limited liability company, association, or similar group, however organized.

How does the bill define biometric information?
  • A person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity;
  • It includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.


Continue Reading Biometric Protections May Be Coming to California Soon | Employers Should Get Ahead Now