Following on the heels of a California Superior Court’s last-minute ruling that stayed enforcement of the revised California Consumer Privacy Act (CCPA) regulations, as previously discussed on this blog, California’s data privacy regulators have responded in ways that confirm they are more committed than ever to holding businesses accountable for alleged violations of the CCPA, as amended by the California Privacy Rights Act (CCPA, as amended).

On July 14, 2023, the California privacy regulators—the California Privacy Protection Agency (CPPA) and the Office of the Attorney General (OAG)—each announced updates providing insight on their interpretations of the CCPA and what can be expected in the near term.

In brief, the CPPA’s Board of Directors met to discuss its work and current initiatives, and the OAG announced an enforcement sweep of large California employers’ compliance with the CCPA, as amended.

CPPA Board Meeting Takeaways

In a lengthy, regularly scheduled meeting, the CPPA Board met to discuss the status of outstanding rulemakings, its enforcement priorities, and its interpretation of the Superior Court’s ruling. 

  • CCPA, As Amended, Will Be Fully Enforced Now. The CPPA confirmed its view that enforcement of the CCPA, as amended, and the existing CCPA regulations will proceed. Accordingly, businesses must be prepared now to comply with the nation’s strictest state consumer privacy law. The CPPA’s Deputy Director of Enforcement further noted that the CPPA will expect robust compliance with the updated CCPA regulations as of March 29, 2024, the end of the one-year period between when the rules were finalized and when they may be enforced.
  • Enforcement Priorities. As part of its update on enforcement and related priorities, the CPPA enumerated the following areas as Enforcement Division priorities: (a) consumer notices; (b) deletion rights; (c) responding to consumer privacy requests; and (d) dark patterns. It also noted that heightened consideration will be given to matters involving children, the elderly, and marginalized and at-risk groups.
  • Draft Cybersecurity Audit and Automated Decisionmaking Regulations Expected by September. The CPPA noted that it expects to release its draft cybersecurity audit regulations by the time of its September 2023 meeting. This is not a concrete deadline, but rather the intent of the Board. The CPPA also hopes to release its draft automated decisionmaking regulations at that time as well.
  • Risk Assessment Regulations. The CPPA Board discussed that its outstanding privacy risk assessment regulations may include thresholds covering data processing activities related to employee/student monitoring via technology, real-time location tracking, and AI training. 
  • New Consumer Complaint Form. The CPPA announced a new form for consumers to submit complaints about CCPA privacy violations to the agency. The form was launched around July 1, and the CPPA has already received 13 complaints via the form, most of which pertained to the right to limit the use of sensitive personal information.

Click here to view the slide deck used by the CPPA when overviewing its ongoing work with the outstanding regulations noted above. 

California Attorney General Announces Investigative Sweep of Large California Employers’ CCPA Compliance in Relation to HR Data

Also on July 14, 2023, California Attorney General Rob Bonta announced an investigative sweep, through inquiry letters sent to “large California employers, requesting information on the companies’ compliance with the CCPA with respect to the personal information of employees and job applicants.”

Close followers of the OAG will recall that it has announced sweeps in the past as well, including in relation to mobile applications’ compliance with the CCPA and the use of financial incentives and loyalty programs in the retail, home improvement, travel, and food services industries. 

The most recent announcement is brief and does not provide much detail. That said, notable features of the announcement include the following:

  • Job Applicants Are Called Out. In light of OAG’s specific reference to job applicants, which are included as “consumers” under the California privacy law, California businesses should be mindful of their notices at the point of collection in relation to applicants, including thinking through whether separate privacy policies or procedures may be appropriate for job applicants versus existing employees versus consumer-customers. 
  • What Constitutes a “Large California Employer” Is Not Defined. No formal indication is provided in the OAG’s announcement as to criteria used in determining which “large California employers” were selected to receive an inquiry letter regarding their CCPA compliance efforts, particularly in relation to their “notice[s] of privacy practices and fulfilling consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of personal information.” In light of the OAG’s past enforcement action, it would stand to reason that “large California employers” need not specifically be California corporations or headquartered in the Golden State, and may simply pertain to in-scope employers with numerous employees in-state. Even so, we look forward to learning more about the calculus of which entities the regulator has chosen and why.
  • Multistate Cohesion. In a hat tip to other states and, arguably, an acknowledgment of the reach of its own work and development in this space, the OAG’s announcement noted that, “following California’s lead,” other states have passed their own comprehensive privacy frameworks. Specifically referencing the now-enforceable Connecticut and Colorado privacy laws, the OAG noted that it has led a coalition of attorneys general in urging Congress not to preempt stronger state privacy laws. Although enforcement in California and the other states of course remains separate, this may nonetheless be a subtle acknowledgment that regulators are in touch and are swapping enforcement notes, a reminder that regulation does not exist in a vacuum.