November 28, 2022

Volume XII, Number 332


California Consumer Privacy Act FAQs: Employment Information

1. What’s changing?

Under the current version of the California Consumer Privacy Act (“CCPA”), an employer’s obligations related to the personal information it collects from employees, applicants, and contractors residing in California (collectively, “Employment Information”) are relatively limited.  Specifically, it needs to (1) provide those individuals a “notice at collection” that discloses the categories of personal information the employer collects about them and the purposes for which that information is used, and (2) safeguard those individuals’ personal information against unauthorized access or acquisition.

Come January 1, 2023, however, those obligations will dramatically expand when California’s new comprehensive privacy law, the California Privacy Rights Act (“CPRA”), which amends the CCPA, takes effect. 

2. How will Employment Information be treated after January 1, 2023?

Subject to any regulatory updates, Employment Information will be treated like commercial consumer information.

3. What are we required to do by January 1, 2023?

With respect to Employment Information, the core requirements of the CCPA will be as follows:

  • At or before the collection of Employment Information, provide employees, applicants, and contractors a notice at collection, disclosing the categories of Employment Information you collect, the purposes for which that information is used, and certain record retention information.

  • Provide employees, applicants, and contractors a privacy policy that discloses, in addition to the notice at collection of information, the sources from which you collect Employment Information; the parties to which, and purposes for which, you disclose that information, and the rights granted to employees, applicants, and contractors by the CCPA (e.g., the right to access, correct, and/or delete personal information).

  • Develop policies, procedures, and forms to process requests to access, correct, and/or delete personal information, and to avoid discriminating against individuals for exercising those rights.  This includes verifying the identities and authority of the persons making the requests, including third parties acting on their behalf.  

    • Train applicable staff on processing the above requests.

  • Determine whether you must extend the right to limit the use and disclosure of sensitive Employment Information. This will depend on your uses and disclosures of “sensitive personal information”, which is a narrow subset of personal information.

  • Identify service providers and contractors with access to Employment Information and ensure your contracts with those parties are CCPA-compliant.

  • While not a per se requirement, conducting a data mapping exercise is often critical to compliance with the obligations listed above.  Specifically, data mapping will help you identify, inter alia: what personal information you collect about employees, applicants, and contractors; the purposes for which you use that information; the sources of that information; the parties to which that information is disclosed, and for what purposes; and how long that information is retained.

4. What about the personal information of spouses and dependents?

Subject to any regulatory updates or clarifications, if the spouse or dependent is a California resident, their personal information would be subject to the same protections as Employment Information.

5. I keep seeing more “Do Not Sell My Personal Information” links on websites.  Does that requirement apply here?

We expect most employers will not be “selling” or “sharing” Employment Information, as those terms are defined under the CCPA.  However, it is prudent to analyze those definitions – in particular, for selling – to be sure.

6. January 1, 2023, is really soon.  We don’t have time for all of that.  Where should we focus our attention?!?

Full compliance with the CCPA will be a heavy lift for employers.  Those looking to triage in advance of the effective date can prioritize these relatively manageable action items:

  • Develop a working draft of your privacy policy (which would include an updated notice at collection)

  • Ensure your service provider and contractor agreements are compliant

  • Implement a preliminary framework for processing requests to access, correct, and/or delete personal information

  • Start the data mapping process

7. Is there a chance the California legislature could change this?

The California legislature reconvenes in January 2023 and, yes, it is possible it could pass a law that would revert to the rules for Employment Information described in Question 1 above or eliminate the CCPA’s application to Employment Information entirely.  By that point, however, the changes described above will already be in effect (although there is an enforcement grace period through July 1, 2023).  Waiting and hoping the California legislature jumps in to save employers is a risky strategy. 

Jackson Lewis P.C. © 2022National Law Review, Volume XII, Number 270

About this Author

Mary Costigan, Jackson Lewis Law Firm, Privacy Attorney, Cybersecurity, Berkeley Heights
Of Counsel

Mary T. Costigan is Of Counsel in the Berkeley Heights office of Jackson Lewis P.C. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp). Ms. Costigan advises multinational, national, and regional companies on emerging privacy and cybersecurity issues, including the broad and growing array of mandates, best practices, and preventive safeguards. In particular, she focuses on advising and assisting clients in matters relating to compliance with the General Data Protection Regulation (GDPR)...

Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Damon Silver, Employment Lawyer, Corporate Matters, Jackson Lewis

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPPA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response. 

In the area of employment litigation, Mr. Silver defends...


Rob Yang is an associate in the San Francisco, California, office of Jackson Lewis P.C. Rob’s practice focuses on representing employers in workplace law matters, including defending a broad array of litigation claims, such as:

  • Discrimination
  • Harassment
  • Wrongful termination
  • Retaliation
  • Failure to provide reasonable accommodations
  • State and federal wage and hour

Rob has handled cases from inception through resolution, including initial case evaluation. Prior to joining Jackson Lewis, Rob...