This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

California AG Rob Bonta Announces CPRA Enforcement Sweep for Employee and Applicant Information

On July 14 California Attorney General Rob Bonta announced the latest CPRA enforcement sweep. This new effort is to investigate potential violations under the unique applicability of California's general privacy law, the CPRA, relating to employment-related personal information. As of January 1, 2023, the temporary exception for such personal information expired, and the CPRA applies in full force and effect to the personal information of employees, owners, directors, officers, staff members, and independent contractors of businesses subject to CPRA, along with applicants to such businesses. This applicability is unique to California - despite the enactment of sweeping privacy laws in 11 other states, only California applies the law to this type of information. 

Notably, the enforcement sweep comes absent any regulations specifically targeted towards such information. As I previously discussed, enforcement based on regulations has been delayed until at least one year after the regulations were published by the OAL. However, employment-related information was not the subject of regulation and instead was the subject of a temporary exception in the CPRA statutory text that expired on January 1, 2023. The California AG seems to view this as fair game for enforcement, despite any expected regulations later. 

Businesses subject to the CPRA should immediately draft and/or review their privacy notice for employees for compliance with the CPRA and be prepared to comply with requests (at least as much as makes sense given the context) from employees, applicants, and other similar people described above. 

California Attorney General Rob Bonta today announced an investigative sweep, through inquiry letters sent to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants. Effective January 1, 2023, covered businesses must also comply with the CCPA’s robust privacy protections as it relates to employee data. Businesses subject to the CCPA have specific legal obligations, such as providing notice of privacy practices and fulfilling consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of personal information.


ccpa, cpra, employment information, enforcement, privacylaw, innovative technology