California Employers Put On Notice: AG Initiates CCPA Investigative Sweep

California Attorney General Rob Bonta announced that his office sent inquiry letters to large California employers seeking information on how those employers are complying with the California Consumer Privacy Act (CCPA). Announcing this investigative sweep, Attorney General Bonta has put California companies on notice that his office is scrutinizing how they are protecting the privacy rights of their employees, contractors, and job applicants (California Workforce Members). Additionally, this announcement augers potential enforcement activity in the near future.

When enacted in 2018, the CCPA contained a partial exemption for personal information collected by a business about California Workforce Members (the Workforce Exemption), requiring only that California businesses provide California Workforce Members a privacy notice and implement reasonable security to protect their personal information. In 2020, however, the Consumer Privacy Rights Act (CPRA) amended the CCPA, including a sunsetting provision that allowed the Workforce Exemption to expire on January 1, 2023. On that date, California employees, job applicants, and contractors began enjoying all rights under the CCPA, including the rights to:

• Request access to personal information
• Request deletion and correction of personal information
• Opt out of the sale of personal information and targeted online advertising
• Limit the use and disclosure of “sensitive” (e.g., health, financial, racial/ethnic, biometric) information
• Not be subject to retaliation for exercising their privacy rights

The CPRA additionally established the California Privacy Protection Agency (Agency), which has co-extensive authority with the Attorney General to enforce the CCPA, as well as the right (and obligation, in some instances) to promulgate supporting regulations. The most recent regulations — mainly detailing requirements for privacy notices and fulfilling rights requests — went into effect in March 2023, and the Agency has initiated preliminary rulemaking regarding cybersecurity audits, risk assessments, and automated decision-making. With the Workforce Exemption expired, California employers will be subject to all such regulations, which are highly detailed and mandate specific compliance activities.

The Attorney General’s office has not disclosed the recipients or contents of the inquiry letters, so it is unclear at this time which areas of non-compliance have been prioritized. Nevertheless, businesses with California employees should be prepared for additional inquiry letters and potential enforcement action. Although a California state judge recently ruled that the Agency must wait to start enforcing the most recent certain regulations, the Attorney General has authority to enforce previously adopted regulations as well as the CCPA’s statutory provisions. To mitigate risks, employers should take a number of steps, including drafting and updating employee privacy notices, training staff on CCPA compliance, mapping employee data, and building processes for managing rights requests.

The attorneys in Arnold & Porter’s Labor & Employment and Privacy, Cybersecurity, & Data Strategy groups have extensive experience in counseling clients on CCPA compliance, assessing employee privacy programs, and responding to regulatory inquiries and investigations. Please do not hesitate to reach out to us to help assess and improve your CCPA compliance program.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.