The California Attorney General recently announced an initiative to investigate employers’ non-compliance with the California Consumer Privacy Act/California Privacy Rights Act (collectively the CCPA).
At the beginning of this year, the CCPA’s disclosure requirements and consumer rights provisions became applicable to job applicants, employees (and their beneficiaries), and independent contractors. Now, the California AG’s office has started to send out inquiry letters to California employers requesting information about their CCPA compliance. This is a big step forward for enforcement under the CCPA and this initiative focuses on employee data. The initial set of inquiry letters has gone out to large California employers, but this should be a reminder for ALL businesses to confirm they are in compliance with the CCPA if it applies to their business.
Businesses that have implemented CCPA compliance programs should evaluate whether they have met certain requirements, such as:
- Issuing or updating privacy notices to job applicants and employees, and addressing applicant and HR data;
- Updating any procedures or policies related to consumer requests to be sure that employees are included, and training HR professionals regarding the handling of those requests;
- Review and potentially revise data deletion and retention policies given broad access rights for employees and associated compliance costs and risks; and
- Conducting assessments pertaining to the business’ use of “sensitive personal information” (as defined by the CCPA) to support reliance on exceptions and offering opt-out rights to employees where required.
Note that the CCPA applies to for-profit entities that do business in California and have annual gross revenues over $25 million. If you have not yet assessed the applicability of the CCPA and issued an employee notice of collection, now is the time.