California Employers Beware: Attorney General Initials CCPA Investigation
Last month (July 2023), the California Attorney General announced a new California Consumer Protection Act (“CCPA”) investigatory sweep focused on employee data. The Attorney General’s Office reported that it sent inquiry letters to large California employers seeking information on how those employers are complying “with the CCPA with respect to the personal information of employees and job applicants.” The Attorney General’s Office has not disclosed the recipients or the contents of the inquiry letters, so the potential areas of non-compliance are unknown.
When enacted, the CCPA included an exemption for personal information collected by a business about employees and job applicants, requiring only that businesses provide these individuals with a privacy notice and to implement reasonable security protocols to protect the information. In 2020, the Consumer Privacy Rights Act (“CPRA”) amended the CCPA, and included a sunsetting provision that allowed the employee data exemption to expire on January 1, 2023. With the employee data exemption expired, California employees and job applicants may exercise rights in relation to their personal information, and employers have strict deadlines to respond to such requests.
For example, a California job applicant now has a right to know what personal information is collected about them, the right to access such information, the right to correct such information, and the right to delete such information. An employer has 10 business days to confirm receipt of such a request and 45 calendar days to respond, which may be extended to 90 calendar days.
Employees and job applicants can request to opt out of the selling or sharing of their data with third parties for purposes of targeted ads. They also have a right to request that the employer limit the use or disclosure of certain data that the law defines as “sensitive,” but only where the employer is using or disclosing the sensitive data in certain ways. Businesses must respond to these requests within 15 business days.
Businesses subject to the CCPA must implement a compliant request process for employees and job applicants. The process should address all of these types of requests and enable a business to respond by the statutory deadlines, as well as maintain a record of all requests and how they have been handled for at least a two year period.
The Attorney General’s Office investigatory sweep is a reminder that the CCPA’s requirements on employee data are now enforceable. And while this investigation targets large employers, all businesses that are subject to the CCPA should take note for purposes of fine tuning their own CCPA compliance programs.