A recent announcement by California Attorney General Rob Bonta may curtail the relief experienced by California’s largest employers who are benefitting from the delayed enforcement of the newest California Consumer Privacy Act (“CCPA”) regulations.
On June 30, 2023, Judge James Arguelles of the Superior Court of California in Sacramento County enjoined the enforcement of the newest CCPA regulations until March 29, 2024. Less than two weeks later, on July 14, 2023, Attorney General Bonta announced a new “investigative sweep” of the state’s large employers aimed at ensuring companies’ compliance with the CCPA with respect to their handling of employees’ and job applicants’ personal information.
When it was passed in 2018, the CCPA imposed specific obligations on businesses, including requirements that they provide notice of privacy practices and fulfill consumer requests to exercise their right to access, delete, and opt out of the sale and sharing of their personal information. While HR-related data was originally exempt from the law, the exemption expired on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act of 2020 went into effect. Accordingly, these statutory privacy protections now cover companies’ employee and job-applicant data. “The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it,” said Bonta.
Bonta said that large California employers will receive inquiry letters seeking detail on their CCPA compliance efforts with respect to the personal data of employees and job applicants. Neither details of the letters nor their recipients have been disclosed at this time.
This is not Bonta’s first investigative sweep under the CCPA. In January of this year, Bonta’s office conducted a similar investigation of popular mobile applications’ alleged failure to comply with consumer opt-out requests, or failure to provide a mechanism for consumers who want to stop the sale of their personal data. In 2022, a global cosmetics corporation agreed to pay a $1.2 million fine to settle claims it violated the CCPA after Bonta’s first year-long enforcement sweep—the first monetary penalty under the law, and a clear signal that Bonta’s office is ready and willing to aggressively prosecute companies that don’t comply with the law.
This development, although it does not impact the injunction on enforcement of the newly issued regulations, underscores the importance of companies remaining vigilant to ensure their compliance with the CCPA’s statutory requirements.