On July 14, California Attorney General Rob Bonta announced the latest CPRA enforcement sweep. This new effort aims to investigate potential violations relating to employment-related personal information, an area where California's general privacy law, the CPRA, applies uniquely. As of January 1, 2023, the temporary exception for such personal information expired, and the CPRA applies in full force and effect to the personal information of employees, owners, directors, officers, staff members, and independent contractors of businesses subject to the CPRA, along with applicants to such businesses. This applicability is unique to California: despite the enactment of sweeping privacy laws in 11 other states, only California applies the law to this type of information.
Notably, the enforcement sweep comes absent any regulations specifically targeted towards such information. As I previously discussed, enforcement based on regulations has been delayed until at least one year after the regulations were published by the OAL. However, employment-related information was not the subject of regulation and instead was the subject of a temporary exception in the CPRA statutory text that expired on January 1, 2023. The California AG seems to view this as fair game for enforcement, despite any regulations expected later.
Businesses subject to the CPRA should immediately draft and/or review their privacy notice for employees for compliance with the CPRA and be prepared to comply with requests (at least as much as makes sense given the context) from employees, applicants, and other similar people described above.