CA AG Investigative Sweep for Employer Compliance with CCPA

By Jennifer Ruehr

The California Attorney General announced on Friday, July 14 that it has initiated an investigative sweep of California employers’ compliance with the California Consumer Privacy Act (CCPA) as it applies to employees and applicants. 

A recent ruling by the Sacramento Superior Court delayed the California Privacy Protection Agency’s (CPPA) enforcement of the CCPA Regulations until March 2024.  This ruling, however, does not impact enforcement of CCPA’s statutory requirements. 

Next Steps 

New requirements for employers under CCPA became effective on January 1, 2023 and now apply to employee and applicant personal information, as well as information relating to an employee or applicant’s family members, beneficiaries, etc.  Organizations will need to ensure that they have taken steps to comply with CCPA’s numerous requirements, including:

  • Providing adequate notice to employees and applicants prior to collecting personal information 

  • Publishing employee and applicant privacy policies 

  • Reviewing and updating internal policies and processes for collecting, using, and disclosing employee and applicant personal information

  • Determining retention periods for employee and applicant personal information (as this is a required disclosure in the privacy notice) 

  • Reviewing whether the organization is selling or sharing employee or applicant personal information (such as through online trackers on applicant web portals or out-of-date vendor agreements)

  • Reviewing and updating agreements with vendors and other providers that the organization uses to process employee and applicant personal information 

  • Developing and implementing policies and procedures for handling individual rights requests, such as requests to know, correct, or delete personal information (and how these rights may complement or conflict with requirements under applicable employment law) 

  • Reviewing and updating policies and procedures for how sensitive personal information is collected, used, and disclosed, and whether the organization is required to offer employees and applicants a right to limit such use and disclosure 

  • Understanding whether any automated decision making or profiling is used in the employment or applicant context 

  • Developing and implementing appropriate training and record keeping policies and procedures 

In addition to these requirements, the CPPA is working on regulations related to when security and privacy risk assessments must be conducted as well as regulations relating to automated decision-making and profiling.  Based on the recent ruling delaying the CCPA enforcement of the current Regulations, any new Regulations will become effective one year from the date they are finalized.

For more information on CCPA’s compliance requirements or for assistance with these requirements, please contact your Hintze Law attorney or Jennifer Ruehr at jennifer@hintzelaw.com. 

Jennifer Ruehr, Partner with Hintze Law and Chair of the Employment Privacy Group and Co-Chair of the Cybersecurity & Breach Response Group, counsels retail, technology and e-commerce clients on global privacy, cyber-security, and related data technology and transactional matters.


Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, AI, and mobile industries in all aspects of privacy and data security.