April 6, 2023

California Privacy Protection Agency Announces Completion of Formal Rulemaking

Certain employer exemptions within the California Consumer Privacy Act of 2018 (CCPA) were eliminated in accordance with the California Consumer Privacy Rights Act (CPRA)i when it became effective January 1, 2023. The January deadline also triggered several privacy related obligations for employers, such as:

  • Providing notification to applicants, employees, and contractors as to the categories of personal information that is (or may be) collected by the employer.
  • Informing employees of their rights when it comes to access or restrictions on the use or disclosure of certain categories of personal information.
  • Informing employees of their rights when it comes to correcting or deleting personal information (subject to specific exemptions as applicable).
  • Informing employees about their right to request the personal information collected by the employer during preceding 12 months.

Enforcing the CPRA is the responsibility of the newly created California Privacy Protection Agency (CPPA) which has the authority to implement the CPRA and issue significant fines for noncompliance. In its compliance capacity, the CPPA has recently released its first substantive rulemaking package. The rulemaking package is available on the agencies website and is effective immediately.

CPRA violations are not subject to enforcement under California’s Private Attorney General Act (PAGA) and is retroactively applicable to all employer collected information beginning January 1, 2022.

First Steps

The first step for employers to take regarding compliance obligations is to determine whether their business falls subject to CCPA. In general, the CCPA applies to a “business” that:

  1. Does business in the State of California,
  2. Collects personal information (or on behalf of which such information is collected),
  3. Alone or jointly with others determines the purposes or means of processing of that data, and
  4. Satisfies one or more of the following:
  5. Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
  6. Annually buys, sells, or shares the personal information of 100,000 California consumers or households
  7. Derives 50% or more of its annual revenue from selling or sharing personal information.

Although the CPPA notice states that the regulations are “effective immediately,” enforcement efforts are not scheduled to begin until July 1, 2023.ii

Next Steps

Employers subject to CCPA regulations should, if they have not already, begin taking the following steps toward compliance:

  • Inventory and map consumer data (e.g., employee and job applicant data).
  • Given that further rulemaking is underway at the CPPA concerning cybersecurity, begin an internal assessment of risk factors associated with any sensitive data collected or maintained (e.g., employment-related data such as social security numbers and leave-related information).
  • Review the privacy related obligations listed at the beginning of this article and begin preparing appropriate notices to employees and applicants.
  • Add CCPA compliance training to existing supervisor training modules.

Employers should keep in mind that compliance is ongoing under the CCPA and that to be effective it should be tailored to the specific data collection and usage of the business.



i The CPRA was enacted to amend certain provisions of the CCPA.

ii Pending legal action initiated by the California Chamber of Commerce seeks to delay enforcement to allow businesses additional time to comply.