The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.
On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham blog post).
Since the expiration of the exemption at the start of 2023, the CCPA has applied to personal information about California residents collected, processed, and disclosed in the employment or B2B context. This application is a unique aspect of the CCPA, as other US state general data privacy laws do not regulate information collected in B2B or employment contexts (see, for example, Latham’s blog posts on laws in Florida, Texas, and Iowa). The California Attorney General’s announcement is therefore a significant warning to businesses: they should ensure they are accounting for this California-specific requirement.
Several current US data privacy laws regulate the handling of employee data in specific contexts. For example, in New York State, the monitoring of employees’ internet usage and communications requires employers to comply with certain notice obligations. A New York law also recently went into effect regulating the use of artificial intelligence and other automated tools to make employment decisions — an issue that is also under consideration in California and other jurisdictions.
In addition, several preexisting US privacy laws apply in circumstances that can reach to the employment context, including:
- the Fair Credit Reporting Act relating to the use of credit reports, including by employers doing background checks;
- the Health Insurance Portability and Accountability Act relating to the handling of protected health information, including by employers that self-fund their employee health plan; and
- state biometric privacy laws (in particular the Illinois Biometric Information Privacy Act), which relates to the handling of biometric information, including by employers (e.g., using biometric timekeeping / identification technology).
Outside of the US, laws such as the EU General Data Protection Regulation (GDPR) generally regulate personal information about any individual — whether they are a consumer, employee, business contact, or otherwise.
However, the CCPA is currently the only US state general data privacy law to encompass personal information in the employee and B2B contexts. The California Privacy Protection Agency is considering whether to issue further regulations related to employee and B2B data, but to date the agency has identified this as a “hard” area that “[r]equires substantial research and pre-rulemaking activities” and has not yet previewed any draft regulations. The California Attorney General’s announcement prior to any further rulemaking on these topics signals a specific interest in assessing the extent to which covered businesses are complying with this change in the law. The investigative sweep may herald CCPA enforcement against companies that have not yet updated their policies and practices, and even against B2B companies that do not handle any consumer data. The announcement is particularly significant given the complexities in this area, alongside the recent change in the CCPA to remove a mandatory notice-and-cure period. It may also incentivize other states to extend their privacy laws to cover employee data.
Businesses subject to the CCPA should therefore continue to ensure they are taking appropriate steps to manage personal information of California residents processed in the employee and B2B contexts.