On July 14, 2023, California Attorney General Rob Bonta announced an enforcement sweep targeting employer compliance with the California Consumer Privacy Act (CCPA) with respect to employee and job applicant information practices.
This marks the first California AG enforcement action focused specifically on employment-related CCPA obligations since the employment and business-to-business data exemptions expired on December 31, 2022. Starting January 1, 2023, covered employers became fully subject to the CCPA’s requirements with respect to employee and job applicant personal information.
Three Areas of Focus
The AG’s enforcement sweep focuses on three key areas:
1. Notice to Workers and Job Applicants
Employers must provide at-collection privacy notices to employees and job applicants informing them of the categories of personal information collected and the purposes for which it will be used. This notice must be provided at or before the point of collection, meaning privacy notices should be incorporated into employment applications, onboarding materials, and HR workflows.
2. Honoring Data Access Requests
Employees and job applicants have the right to request access to the personal information a covered employer has collected about them. Employers must respond to verified requests within 45 days (with a possible 45-day extension) and provide the information in a portable format.
3. Respecting Deletion and Opt-Out Preferences
Employees and job applicants have the right to request deletion of their personal information and to opt out of the sale or sharing of their personal information. Employers must honor these requests and maintain procedures for doing so.
Practical Implications for Employers
Employers covered by the CCPA should immediately assess their compliance with these obligations:
- Review employment applications: Ensure at-collection privacy notices are included
- Audit onboarding materials: Verify that employees receive required notices at the start of employment
- Establish DSR procedures: Implement processes for handling employee and applicant data subject requests within required timeframes
- Update HR vendor contracts: Review contracts with HR technology vendors, payroll processors, and staffing agencies to ensure required service provider agreements are in place
- Train HR teams: Ensure HR personnel understand employee privacy rights under the CCPA and how to handle requests
For a comprehensive CCPA/CPRA compliance framework, see our earlier post, Winter Is Coming: 10 Steps Organizations Should Be Taking Now.