Employers, Beware: California Regulators Are Actively Enforcing the California Consumer Privacy Act


California Attorney General Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) since July 2023, when he announced an “investigative sweep” through inquiry letters sent to large California employers only about six months after the amended law took effect and became applicable to employers.

Quick Hits

The CCPA, which was signed into law in June 2018, provides a host of disclosure obligations and consumer rights for California residents to control their personal information. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which, among other things, amended the CCPA to apply to the employer/employee relationship and to business-to-business transactions. The provisions making the CCPA applicable to all individuals (including employees) became effective on January 1, 2023. The CPRA also stepped up enforcement of the CCPA through the creation of the California Privacy Protection Agency, the state agency tasked with most CCPA rulemaking and separate enforcement mechanisms through administrative actions and fines. Although the examples of letters below have been issued by the attorney general, the agency has also signaled that it will be heavily involved in CCPA enforcement.

The Inquiry Letter

If the attorney general receives a complaint that a company may have violated the CCPA, the attorney general may send a letter to the company announcing that it is investigating compliance with the CCPA. These letters often make clear in the opening paragraph that, “As of January 1, 2023, businesses must comply with the CCPA with respect to employee and job applicant personal information.” These letters then usually request a “detailed written response” concerning how the company complies with the CCPA with respect to “personal information collected from current and former employees.” The response must provide an explanation of the company’s policies, procedures, and practices for personal information with respect to the following:

The attorney general’s letter will also request a detailed explanation concerning whether the company sells or shares personal information with third parties for purposes unrelated to employment, including a list of the third parties with whom information was shared, a description of the type of employee personal information the company sells or shares with third parties, and how the personal information is subsequently used.

California Privacy Protection Agency

The California Privacy Protection Agency has separate investigatory and enforcement powers for alleged violations of the CCPA. In addition to creating a new online consumer complaint form for alleged CCPA violations, the agency announced during a public meeting on July 14, 2023—the same day Attorney General Bonta announced his enforcement sweep—that it would prioritize the items raised above in the attorney general’s inquiry letters. The agency may enforce alleged violations of the CCPA through administrative actions and recover any unpaid administrative fines through a civil action. Notably, businesses may challenge the decision of the agency with respect to a complaint or administrative fine through a civil action under an abuse of discretion standard. The attorney general ultimately has the final say with regard to enforcement, as the agency must stay any ongoing administrative action or investigation at the request of the attorney general, but a business cannot be held liable for both an administrative fine by the agency and a civil penalty by the attorney general for the same violation.

The Enforcement Action

The attorney general or the California Privacy Protection Agency will generally only pursue an enforcement action (or impose an administrative fine, in the case of the agency) if the investigation following the inquiry letter reveals violations of the CCPA. An enforcement action or administrative fine is not limited to instances in which there is a data breach; the subject of the action or fine can be the failure to comply with any of the provisions of the CCPA, including the failure to provide the required notices and/or opt-out rights. While the CCPA only provides California residents (including employees) with a limited private right of action to file suit for a data breach, there is no such limitation on an enforcement action or administrative fine. The attorney general, through an enforcement action, and the agency may pursue civil penalties or administrative fines of $2,500 for each violation of the CCPA and $7,500 for each intentional violation. If two or more persons are responsible for any violations, they can be held jointly and severally liable.


© 2025, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
National Law Review, Volume XIV, Number 65