Employers Beware–Attorney General Announces Sweep Targeting Employee Data
Attorney General’s Sweep
On July 14, 2023, California Attorney General Rob Bonta announced an “investigative sweep” focused on the employee data of certain, unnamed large employers in the state. As a part of the sweep, the Attorney Generals’ office sent letters to large California employers “requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”
This sweep both serves as a reminder to businesses of the privacy obligations the CCPA creates for consumer and employee data (covered below) and highlights the enforcement role of the Attorney General’s office in implementing the statutory requirements of the CCPA (even amidst potential delayed implementation of specific CCPA regulations).
Though this is the third investigative sweep conducted by the Attorney General’s office (with other sweeps targeting mobile applications and loyalty programs) it is the first such sweep focused on compliance with the CCPA as it relates to the data of employees and job applicants.
The California Consumer Privacy Act (CCPA) is a robust privacy statute that creates certain privacy rights for Californians. The statute applies to any for profit business, doing business in California, that either: has a gross annual revenue of over $25 million; buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices; or derives 50% or more of their annual revenue from selling California residents’ personal information. The CCPA requires these “covered businesses” to comply with certain privacy requirements, like, for example: providing the ability to opt-out of the sale or sharing of personal information, requiring a disclosure of the personal information collected by the covered business, and a right to non-discrimination for the exercise of any privacy right.
Prior to January 1, 2023, the CCPA’s privacy requirements only applied to consumer information. Now, however, the CCPA treats employee information and consumer information similarly, meaning businesses must respect the privacy rights of employees just as they would consumers. This also means that individuals can exercise privacy rights (and create privacy obligations) related to any data collected and retained by their employer. This type of data could include anything from demographic data, information about a person’s union membership, geolocation information, the contents of any work email or messages, and more.
With this latest investigative sweep showing that the Attorney General is serious about enforcement, employers should remember that the CCPA applies to consumer data and employee data (this includes job applicants). With that in mind, employers can take some steps to better protect themselves.
Though the Attorney General has yet to bring an enforcement action against an employer as it relates to employee data, this investigative sweep should serve as a warning that this will likely be the next step as the state begins implementation of the employee data components of the CCPA.
Disclaimer: Please contact your Payne & Fears attorney for current guidance on the subject matter of this article.