On July 14, 2023, the California attorney general (AG) announced a surprising “investigative sweep” into employer compliance with the California Consumer Privacy Act of 2018 (CCPA) and its implementing regulations, sending a stark message that the focus of CCPA compliance is not limited to tech companies.

Quick Hits

• Beginning on January 1, 2023, the CCPA’s disclosure and consumer rights provisions became applicable to various work-related individuals, including job applicants, employees, independent contractors, owners, emergency contacts, and beneficiaries.
• As a result, any personal information collected or shared from these categories of individuals is subject to the CCPA’s broad reach, including requirements for providing notices of privacy practices and honoring consumer requests to access, delete, or opt out of the sale and sharing of personal information.
• Despite the onerous nature of these requirements with regard to employee data, the California AG announced an increased focus on CCPA compliance in the employer-employee context and issued various inquiry letters to large California employers requesting information on CCPA compliance.

Companies are often surprised to learn that the CCPA applies to their businesses as a result of online tracking and marketing technologies on their website even though they are not routinely collecting or sharing large amounts of personal information in other contexts. As a result, companies may want to review their current collection practices—including a review of tracking technologies on their websites—to determine whether the CCPA applies, and if it does, whether they are complying with the disclosure and consumer rights obligations now in place for all California residents, including employees and other work-related individuals.

Who Is Subject to the CCPA?

The CCPA applies to for-profit entities that do business in California and meet any one or more of the following criteria:

• the business has annual gross revenues exceeding $25 million in the preceding calendar year;
• the business annually buys, sells, or shares the personal information of 100,000 or more California residents (including employees and other work-related individuals discussed above); or
• the business derives 50 percent or more of its annual revenue from selling or sharing California residents’ personal information.

Even companies that do not exceed the dollar threshold may unknowingly become subject to the CCPA through the use of website tracking technologies that share personal information, such as IP addresses and device identifiers (IDs), with cross-context behavioral advertising partners—and sometimes even unbeknownst to the business. Thus, companies using such technologies can satisfy the second prong solely by collecting the personal information of 100,000 or more unique California website visitors annually—or roughly 274 unique visitors per day—without even taking into account California employees or consumers whose information they may be collecting directly. In addition, even if these requirements are not met, the CCPA may still apply in certain circumstances where there is common ownership, branding with another entity subject to the CCPA, joint ventures, or partnerships between businesses.

There are various exceptions to the law, such as for nonprofits (in most circumstances), covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information subject to the Gramm-Leach-Bliley Act, and certain information regulated by the Fair Credit Reporting Act, among others. Notably, the federal law exemptions are primarily information-specific rather than entity-level exemptions such that the CCPA can apply to companies’ collection and use of personal information in some situations but not others.

Investigative Sweep: Looking Forward

The California AG’s office began sending inquiry letters to California employers seeking information on their CCPA compliance measures. This move is significant as it marks the first publicly announced CCPA enforcement activity targeted specifically at employee data. The initial sweep appears focused on large California employers, but it serves as a reminder for all businesses to consider steps to ensure they are in line with CCPA requirements.

The investigative sweep serves as a wake-up call for businesses striving to ensure their CCPA compliance measures are robust and up-to-date. To navigate this investigative sweep, businesses may want to consider:

1. performing a review of online tracking technologies on their websites to determine whether those tools might subject the business to the requirements of the CCPA if the business would not otherwise meet the consumer applicability threshold;
2. implementing or updating contracts with service providers, affiliates, and other parties to whom the company discloses personal information about applicants and personnel;
3. issuing or updating privacy notices to job applicants and employees, and addressing applicant and HR data in the company’s privacy policy;
4. updating the company’s data subject request procedures and training HR professionals regarding the handling of such requests;
5. revisiting data deletion and retention policies given broad access rights for employees and associated compliance costs and risks; and
6. conducting assessments concerning the use of “sensitive personal information” to support reliance on exceptions and offering opt-out rights to employees where required.

At the same time, businesses may also consider reviewing their policies and disclosures relating to recently enacted and soon-to-be-effective comprehensive state privacy laws in other states, such as Virginia (January 1, 2023), Colorado (July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). By being proactive rather than reactive, businesses may be able to minimize the risk of potential penalties and costly regulatory investigations while also demonstrating their commitment to protecting the personal information of their employees and job applicants.