California Investigating Data Privacy Compliance Despite Enforcement Delay

Author: Robert S. Teachout, XpertHR Legal Editor

July 27, 2023

California's Attorney General is conducting an "investigative sweep" to gather information on large companies' compliance with the California Consumer Privacy Act (CCPA) regarding employees' and job applicants' personal information.

Attorney General Rob Bonta announced the investigation just two weeks after a court put new enforcement regulations on hold for one year.

The CCPA, as amended by the California Privacy Rights Act (CPRA), provides consumers with certain privacy rights regarding their personal information. The CPRA expanded the information protected by the law to include employment-related personal information. It also established the California Privacy Protection Agency to implement and enforce the CCPA, and the agency issued its final regulations effective March 29, 2023.

However, immediately after the regulations were finalized, the California Chamber of Commerce petitioned the court to enjoin enforcement of the CPRA for 12 months. The court agreed and issued a decision on June 30, 2023, delaying the Agency's enforcement of the regulations until one year from the date they were finalized (i.e., March 29, 2024).

Despite the enforcement delay, Bonta is moving forward with information-gathering, noting that the personal information of employees, job applicants and independent contractors now has greater data privacy protections under the CPRA, which became effective at the start of the year. "We are sending inquiry letters to learn how employers are complying with their legal obligations," Bonta said. "We look forward to their timely response."

The delay in enforcement gives employers in California, or who have employees in California, time to take steps to become compliant. Among other actions, employers should:

  • Determine whether their organization is subject to the requirements;
  • Create a compliant policy and procedures;
  • Develop employee communications providing the requisite information; and
  • Post notices and/or otherwise provide the policy to employees, job applicants and independent contractors.

Employers who violate the CCPA and its regulations are liable for administrative fines of up to $2,500 per violation ($7,500 for violations affecting minors under 16 years of age), once enforcement begins.