Large California employers are on Attorney General Rob Bonta’s radar and the latest to see a wave of communications from the AG. When CPRA was introduced as an update to the CCPA it was apparent that employment data was going to be an important part of compliance. However, with rulemaking hitting speed bumps and enforcement being kicked down the road, it may have come as a surprise to some companies on the receiving end of AG Bonta’s request.

What Did AG Bonta Send to California Employers?

Rather than the traditional enforcement letters that are warnings for companies to meet compliance requirements, AG Bonta is requesting via inquiry letters that these companies complete what is, essentially, a self-evaluation of compliance with the employment elements of CCPA/CPRA. This sweep puts companies on notice to review how they are upholding the CCPA update’s provisions for protecting the privacy rights of their applicants and workers. Companies should be prepared to defend what they return in their self-evaluation to the AG’s office.

When the newest version of CCPA went into effect in January, with it came new requirements around employment data for both employees and job applicants, a sector of people who up until that point had not yet been protected by privacy laws. While enforcement may be on the distant horizon, it’s clear that AG Bonta wants companies to know compliance should start now.

“The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it,” said Attorney General Bonta. “We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”

History of CCPA/CPRA Enforcement Thus Far

• A high-profile settlement with Sephora over disclosure issues and failure to recognize consumer opt-outs in August 2022
• AG Bonta announced an investigative sweep on businesses with mobile apps, particularly in the retail, food, and travel industries to emphasize opt-out compliance in January 2023
• Announced a focus on companies that didn’t process consumer requests submitted via an authorized agent in January 2023

These actions by Attorney General Bonta make it known that despite enforcement being delayed, companies aren’t in the clear until then. Companies can’t rely on a cure period any longer and should heed Bonta’s advice to respond in a timely matter, should they receive one of his letters. This foreshadowing of future enforcement should light a fire under organizations in scope.

Truyo makes CCPA/CPRA compliance simple through DSAR response automation, GPC compliance, a form to accept requests from employees, and more. If you have questions about compliance or the Truyo platform, reach out to hello@truyo.com.