The California Privacy Protection Agency (CPPA)’s recent action serves as an important reminder for employers to follow the requirements of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The agency issued a $1.35 million fine against a national retailer after finding multiple data privacy violations involving job applicant data, among other things.
CCPA Overview
Effective January 1, 2020, the CCPA was designed to provide data protection rights to California consumers, including the right to know what information is being collected and the right to request deletion or correction of personal data.
The CCPA requires covered businesses to:
- Provide disclosure notices when collecting personal information;
- Comply with consumer requests regarding personal information (subject to some exceptions);
- Implement reasonable security measures with respect to personal information collected; and
- Not discriminate or retaliate against anyone exercising their rights under the law.
The law defines “consumers” broadly; although the definition doesn’t explicitly include employees, the agency has taken the position that personal information collected in the employment context — including that of employees, job applicants and independent contractors — falls within the law’s scope.
The Company’s Infractions
The CPPA determined that the company violated California consumer privacy rights when it:
- Did not keep an up-to-date privacy policy explaining consumers’ rights;
- Did not give California job applicants notice of their privacy rights or instructions on how to use them;
- Did not provide a functional way for individuals to opt out of the sale or sharing of their personal information; and
- Shared personal information with other businesses without contracts that included the required privacy safeguards.
To settle the claims, the company agreed to pay a $1.35 million penalty and committed to a series of corrective steps, including conducting regular scans of its online platforms and requiring a senior corporate officer or director to certify compliance each year for the next four years.
Lessons for Employers
For employers, this hefty penalty underscores that privacy compliance is not just limited to consumer-facing data; employee- and recruitment-related data also fall within its scope. Employers should review and update their applicant and employee privacy notices to ensure they clearly outline rights and categories of information collected. They must confirm that opt-out processes actually work and that browser preference signals are honored.
Employers should also work with legal counsel to ensure that contracts with vendors that process employee personal information meet the legal requirements. And privacy compliance should be treated as an ongoing operational responsibility that includes training and periodic audits.
Vanessa M. Greene, J.D., Employment Law Subject Matter Expert, CalChamber