California Attorney General conducts investigative sweep of large state employers regarding CCPA compliance in the HR context

The California Attorney General has announced an investigative sweep of large California employers in an effort to enforce compliance requirements under the California Consumer Privacy Act (CCPA), related to personal information collected, used, and otherwise processed in the HR context.

While the CCPA previously included a partial moratorium on a covered business’s (ie, an employer’s) compliance requirements with respect to personal information collected and processed in the employment context, this exemption sunsetted at the end of last year. Prior to January 1, 2023, employers were only required to comply with notice obligations under the CCPA (ie, provide employees, applicants, and contractors with a privacy notice). Since January, employers have been required to comply with all requirements under the CCPA, not just the notice obligation, including when collecting, using, and processing personal information about employees, contractors, job applicants, and, where relevant, their dependents and beneficiaries.

In its press release issued on July 14, 2023, the AG’s Office stated that it has sent inquiry letters to large California employers requesting information on the companies’ compliance with the CCPA with respect to the personal information of employees and job applicants and further that it is committed to the robust enforcement of the CCPA.

Specifically, businesses must provide employees, contractors and applicants with:

• a privacy notice that complies with the requirements set forth under the CCPA, prior to collecting an employee, contractor, or applicant’s personal information. This includes, for example, disclosures regarding:
• the types of personal information collected
• the purposes for which personal information is collected, used and disclosed
• the categories of third-party recipients of such personal information (eg, recruiting agencies, benefits providers)
• whether personal information is being sold or shared, and if so, for what purpose
• the period of time for which the types of personal information are being retained
• the consumer privacy rights that employees, contractors and applicants have with respect to their personal information and how individuals can exercise their rights (including through an agent).
• a way to access these notices, eg, on the company’s intranet, or online
• a way to submit consumer privacy requests, such as requests for access to, correction, or deletion of personal information, including via a webform and toll-free number
• a way for employees, contractors, and applicants to limit the use of their sensitive personal information and to opt out from the sale and sharing of their personal information (to the extent relevant).

While enforcement of the recently updated CCPA Regulations has been pushed to March 2024, the majority of CCPA requirements in the HR-data related context (including the version of the CCPA Regulations adopted by the Attorney General in 2020) have been in place since January 1, 2023 and are currently enforceable by both the Attorney General and the newly established California Privacy Protection Agency (Agency).

The delay in enforcement will only impact a subset of requirements in this context – those changes brought about by the Agency’s updates to the CCPA Regulations, which passed on March 29, 2023 and will be effective March 29, 2024. The Agency is expected to issue further regulations this year related to automated decision-making or data protection impact assessments for the processing of sensitive personal information, which can be relevant in the HR context but which will also have a one-year enforcement delay.

In practice, this means that employers should review:

• their current privacy notices for compliance with the CCPA, ensuring that the notices are tailored to the respective group of individuals. For example, the types of personal information and the purposes for which the information is being processed usually vary between employees and applicants, so combining the two groups of individuals into a single privacy notice is ill advised.
• their current onboarding process to ensure that prior notice is being distributed to employees and contractors, and that employees and contractors are notified accordingly whenever material updates are made to the notice. Similarly, employers must check whether notices are being provided to applicants prior to submission of their application (eg, within the online application platform, on the career page, or within the email signature line of recruiters)
• whether the privacy and HR team are prepared to intake HR-related consumer requests and adequately respond within the timeline required by the CCPA (generally 45 days, unless extended to 90 days). This includes, without limitation, (i) compiling all relevant information about the individual, applying any required or permitted exemptions under the CCPA, and providing the information back to the individual in a secure way; (ii) correcting or deleting any personal information unless an exception applies; and (iii) opting individuals out of the sale or sharing of their personal information, or use/disclosure of their sensitive personal information.
• How privacy, employment, and human resources will pair up on building internal policies and addressing HR privacy requests to ensure compliance with any relevant employment-related access or deletion requests.

Learn more about the implications of the California AG’s actions and these coming deadlines by contacting any of the authors or your usual DLA Piper relationship attorney.