Despite a recent court ruling delaying the enforcement of the California Consumer Privacy Act (CCPA) amendments by the California Privacy Rights Act (CPRA), the California Attorney General’s office and the California Privacy Protection Agency (CPPA) are pressing ahead with their enforcement efforts. These actions highlight the state’s commitment to delivering California’s Vigorous Enforcement of CCPA Amendments as a signal to businesses of the importance of compliance, regardless of legal delays.
The Sweep of CCPA Compliance in the Employment Context
On July 14, 2023, the California Attorney General’s office announced an investigative sweep targeting large employers’ compliance with the CCPA’s privacy protections of employee and job applicant personal data (“HR Data”). This move underscores the state’s determination to enforce the CCPA’s extension to HR Data, a unique feature not replicated in other state data privacy laws.
Critical Aspects of the HR Data Compliance Sweep
- Scope: The sweep focuses on how large employers handle HR Data, including personal information collected in the ordinary course of employment, emergency contact details, and benefits administration data.
- Requirements: Businesses must provide privacy policies to California employees and respond to their rights and requests, such as access, correction, deletion, and data portability, without retaliation.
- Enforcement Mechanism: Inquiry letters have been sent to selected companies, probing their compliance with legal obligations to protect HR Data.
CPPA Enforcement for Connected Car Space
In a parallel move, the CPPA has initiated its first enforcement action as the US’s primary independent data privacy regulator, targeting the personal information collected by connected vehicles. This action reflects the growing concern over the vast amounts of data, including but not limited to:
- Camera image data,
- Smart Phone data
- Insurance black box recorders
Focus Areas in Connected Car Space
- Compliance Assessment: The CPPA is evaluating how companies involved in data collection from connected vehicles comply with the CCPA’s notice, disclosure, sale, and consumer rights requirements.
Outlook and Implications
The California AG’s office has a history of actively enforcing the CCPA, as seen in previous sweeps targeting mobile app compliance and online retailers, resulting in a settlement with Sephora. The recent focus on HR Data and connected cars reminds all California employers and businesses in the connected car space of the importance of CCPA compliance.
Despite Judge James P. Arguelles’ ruling to delay CPRA enforcement until March 2024, the CPPA and Cal AG have petitioned to overturn this decision. This legal challenge indicates a strong intent to continue enforcement activities without delay.
Message to Businesses
Businesses should rely on something other than the enforcement delay in their CCPA compliance strategies. The ongoing legal battle and the AG’s proactive enforcement actions signal compliance with CCPA, particularly in HR Data and connected car data, should be a priority.
In conclusion, the California Attorney General’s office and the CPPA are making it clear that consumer and employee data protection is a top priority, and businesses should act accordingly. The focus on HR Data and connected car space is a significant step in expanding the scope of data privacy laws and ensuring that individuals’ rights are protected in all aspects of their digital footprint.
The above are just two examples of sweeps the Attorney’s Office are pressing ahead with other industries that will surely follow.
Formiti delivers large and small data privacy projects for clients and stand-alone organisations. See here for more details. An excellent first step is to have an external 360 assessment and remediation report to highlight gaps and provide remediation actions to complete.