On July 14, 2023, the office of the California attorney general announced an investigative sweep of “large California employers” to request “information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.” The attorney general has previously conducted other CCPA investigative sweeps, including into global privacy control signals, financial incentive programs, and mobile application compliance with consumer opt-out requests and authorized agents.
The announcement reminds covered businesses that the personal information of California employees and job applicants (“HR data”) is presently subject to the CCPA, following the January 1, 2023, expiration of a temporary exemption.
Accordingly, businesses subject to the CCPA must currently:
- Provide California employees and job applicants with a notice of the business’s privacy practices, with the same level of detail currently required for consumer-facing privacy notices.
- Honor certain requests from these individuals to exercise rights with respect to their HR data, including rights to access, delete and correct their personal information.
- Ensure that vendors with access to HR data are subject to specific contractual prohibitions – and that granting such access does not constitute restricted “selling” or “sharing” of personal information.
- Ensure that third parties to whom HR data is “sold” or “shared” are subject to specific contractual obligations.
Other comprehensive US state privacy laws, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and the Connecticut Data Privacy Act (all currently in effect), permanently exempt HR data. The California Privacy Protection Agency’s board – the entity responsible for promulgating regulations under the CCPA – recently indicated that it is considering whether any exceptions or specific rules should apply to HR data in potential future rulemakings.
But the July 14 announcement makes clear that, at least for now, the California attorney general expects full compliance with the CCPA with respect to HR data. Additionally, the attorney general’s sweep highlights that the CCPA’s statutory requirements are presently enforceable, even if enforcement of the CCPA’s regulatory requirements was recently delayed by the Superior Court of California until March 29, 2024.