California announces investigative sweep for CCPA compliance

Lawyer offers tips for employers to be 'proactive rather than reactive'

California announces investigative sweep for CCPA compliance

California is applying more pressure on employers to ensure that they comply with the California Consumer Privacy Act (CCPA).

Recently, California Attorney General Rob Bonta announced an investigative sweep of employers. Through inquiry letters sent to large California employers, the attorney general’s office is requesting information on the companies’ compliance with the CCPA with respect to the personal information of employees and job applicants.

“The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it,” said Bonta. “We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”

Eight of the top 10 metropolitan areas with the highest increase in pay transparency from February 2022 to February 2023 are in California, according to Indeed’s U.S. pay transparency research released in March.

Who is subject to the CCPA?

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

However, even companies that do not exceed the dollar threshold may unknowingly become subject to the CCPA “through the use of website tracking technologies that share personal information, such as IP addresses and device identifiers (IDs), with cross-context behavioral advertising partners – and sometimes even unbeknownst to the business,” said Benjamin Perry, privacy lawyer in an Ogletree Deakins post.

“Thus, companies using such technologies can satisfy the second prong solely by collecting the personal information of 100,000 or more unique California website visitors annually – or roughly 274 unique visitors per day – without even taking into account California employees or consumers whose information they may be collecting directly. 

“In addition, even if these requirements are not met, the CCPA may still apply in certain circumstances where there is common ownership, branding with another entity subject to the CCPA, joint ventures, or partnerships between businesses.”

HR exemptions and B2B exemptions under the CCPA expired at the start of 2023.

How to navigate CCPA investigations?

The investigative sweep announced by Bonta serves as a reminder for all businesses to consider steps to ensure they are in line with CCPA requirements, said Perry.

To navigate this investigation, he suggested that employers consider the following steps:

  1. Perform a review of online tracking technologies on their websites to determine whether those tools might subject the business to the requirements of the CCPA if the business would not otherwise meet the consumer applicability threshold;
  2. Implement or update contracts with service providers, affiliates and other parties to whom the company discloses personal information about applicants and personnel;
  3. Issue or update privacy notices to job applicants and employees, and address applicant and HR data in the company's privacy policy;
  4. Update the company's data subject request procedures and train HR professionals regarding the handling of such requests;
  5. Revisit data deletion and retention policies given broad access rights for employees and associated compliance costs and risks; and
  6. Conduct assessments concerning the use of "sensitive personal information" to support reliance on exceptions and offering opt-out rights to employees where required.

“By being proactive rather than reactive, businesses may be able to minimize the risk of potential penalties and costly regulatory investigations while also demonstrating their commitment to protecting the personal information of their employees and job applicants,” said Perry.

Here are the new employment laws in California that have gone into effect as of Jan. 1, 2023.