Attorney General’s Sweep
On July 14, 2023, California Attorney General Rob Bonta announced an “investigative sweep” focused on the employee data of certain, unnamed large employers in the state. As a part of the sweep, the Attorney Generals’ office sent letters to large California employers “requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”
This sweep both serves as a reminder to businesses of the privacy obligations the CCPA creates for consumer and employee data (covered below) and highlights the enforcement role of the Attorney General’s office in implementing the statutory requirements of the CCPA (even amidst potential delayed implementation of specific CCPA regulations).
Though this is the third investigative sweep conducted by the Attorney General’s office (with other sweeps targeting mobile applications and loyalty programs) it is the first such sweep focused on compliance with the CCPA as it relates to the data of employees and job applicants.
CCPA Background
The California Consumer Privacy Act (CCPA) is a robust privacy statute that creates certain privacy rights for Californians. The statute applies to any for profit business, doing business in California, that either: has a gross annual revenue of over $25 million; buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices; or derives 50% or more of their annual revenue from selling California residents’ personal information. The CCPA requires these “covered businesses” to comply with certain privacy requirements, like, for example: providing the ability to opt-out of the sale or sharing of personal information, requiring a disclosure of the personal information collected by the covered business, and a right to non-discrimination for the exercise of any privacy right.
Prior to January 1, 2023, the CCPA’s privacy requirements only applied to consumer information. Now, however, the CCPA treats employee information and consumer information similarly, meaning businesses must respect the privacy rights of employees just as they would consumers. This also means that individuals can exercise privacy rights (and create privacy obligations) related to any data collected and retained by their employer. This type of data could include anything from demographic data, information about a person’s union membership, geolocation information, the contents of any work email or messages, and more.
Takeaways
With this latest investigative sweep showing that the Attorney General is serious about enforcement, employers should remember that the CCPA applies to consumer data and employee data (this includes job applicants). With that in mind, employers can take some steps to better protect themselves.
First, employers should ensure they have a privacy policy, which is accessible to consumers and employees alike. Next, businesses should provide employees and consumers with a notice, provided at the time any personal information is collected, specifically identifying the information collected about them. Lastly, businesses need to remember that individuals have the right to know what information is collected, the right to delete that collected information (with limited exceptions), the right to opt-out of the sale or sharing of that information, the right to correct inaccurate information, the right to limit the use and disclosure of personal information, and the right to non-discrimination for the exercising of any of these other privacy rights. Ensuring the business has in place mechanisms that allow for the exercise of these rights could help limit the risk of an enforcement action.
Though the Attorney General has yet to bring an enforcement action against an employer as it relates to employee data, this investigative sweep should serve as a warning that this will likely be the next step as the state begins implementation of the employee data components of the CCPA.
