The California Attorney General Investigates CA Employers’ CCPA Compliance

By: Tyler G. Newby , Daniel J. McCoy , Sheeva Ghassemi , David Feder

On July 14, 2023, California Attorney General Rob Bonta announced an “investigative sweep” through inquiry letters sent to large California employers. The sweep seeks information on companies’ compliance with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Right Act (CPRA), regarding the personal information of employees and job applicants.

AG Bonda said he seeks “to learn how employers are complying with their legal obligations” and “look[s] forward to their timely response.”

Here’s what California employers need to know:

  • The CCPA applies to “covered businesses”—i.e., those with a total annual gross revenue exceeding $25 million, that buy, sell or share the personal information of 100,000 or more California residents or households, or that derive 50% or more of their annual revenue from selling or sharing the personal information of California residents.
  • Effective January 1, 2023, the personal information protections in the CCPA extend to California-based employees, job applicants, independent contractors, owners, directors, officers and medical staff members (“workforce”).
  • Covered employers have privacy obligations for their workforce, including transparency regarding the collection, use and handling of their data; the ability to request, delete and move their data, subject to defined objections; and safeguarding their data through reasonable security measures.
  • California has recently boosted its ability to enforce the CCPA. The CPRA amendments to the CCPA eliminated the 30-day grace period employers and other covered businesses originally had to make corrections after receiving a notice of noncompliance. The California Privacy Protection Agency may now bring administrative enforcement actions without prior notice.

With both heightened regulatory enforcement and a looming investigative sweep, employers subject to the CCPA should review their privacy programs to ensure compliance when handling workforce personal information. If you have any questions on the application of the CCPA to your workforce personal data, reach out to your Fenwick team.


Don’t have an account yet?