The California Attorney General’s Office recently announced an investigatory sweep under the California Consumer Privacy Act (CCPA) by sending inquiry letters to “large” California employers.
These letters request information regarding companies’ compliance with the CCPA concerning personal information of employees and job applicants.
The exemption for employee and job applicant data under the CCPA ended in January 2023. Therefore, businesses subject to the CCPA must adhere to specific legal obligations, such as providing notice of privacy practices and fulfilling consumer requests to exercise their rights to access, delete, and opt-out of the sale and sharing of personal information.
The applicability of the CCPA to employee data has been a topic of debate. While the CCPA primarily focuses on consumer data and existing California law already grants certain rights to employee data, the finalized CCPA/California Privacy Rights Act (CPRA) regulations issued on March 29, 2023 do not specifically address employee data. During a recent California Privacy Protection Agency (CPPA) board meeting, the agency’s counsel acknowledged this area is one of the most challenging to address in future rulemaking.
Regarding the recently finalized CCPA regulations, credit unions should be aware that due to a recent court ruling, the CPPA is unable to enforce the March 29, 2023 CCPA/CPRA regulations until March 29, 2024. However, statutory changes under the CCPA/CPRA took effect on January 1, 2023 and remain in force despite the court’s ruling.
Credit unions subject to CCPA/CPRA should not only fine-tune their efforts to comply with the CCPA provisions but also review the CPRA regulations issued on March 29, 2023. Working with legal counsel is crucial to determine whether changes must be made in order to comply with the March 29, 2024 enforcement deadline.
The California Credit Union League will continue to monitor updates to California privacy law and regulatory enforcement going forward.