Client Alert- California Employers, Are You Prepared For Upcoming Data Privacy Changes?

May 19, 2022
  • Employment Law
  • FisherBroyles News
  • Privacy & Data Security

A copy of this Client Alert can be found here.


The California Consumer Privacy Act (CCPA), modeled from the European Union’s General Data Protection Regulation (GDPR), has been referred to as “GDPR Lite.”

One reason for the nickname may be due to the CCPA’s exemption of human resources (HR) and business-to-business (B2B) personal data from the full scope of CCPA’s requirements.  However, the HR and B2B exemption expires on January 1, 2023, when the California Privacy Rights Act takes effect and amends the CCPA (CCPA/CPRA).

While two pending bills propose to extend the HR and B2B exemption, organizations should act now to update CCPA/CPRA compliance programs and protocols.


Without extensions, as of January 1, 2023, employees, applicants, independent contractors, and business contacts will be entitled to exercise all the rights that the CCPA offers “consumers,” including: the right to request any specific personal information collected; the right to request the correction of any inaccurate data; the right to request the deletion of personal information; and the right to limit the use of “sensitive personal information.”


CCPA/CPRA also introduces new concepts that further complicate HR compliance with consumer rights requests:

  • On March 10, 2022, California’s Attorney General published an official opinion concluding that the CCPA’s right to know includes “internally generated inferences about a consumer from either internal or external information sources.”
  • “Sensitive personal information” is a subset of personal information and includes: precise geolocation; racial or ethnic origin; union membership; the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; biometric information; and personal information collected and analyzed concerning a consumer’s sexual orientation.


However, a consumer’s right to limit use and disclosure of sensitive personal information applies only to such data that is collected for the purpose of inferring characteristics about a person and “not necessary to perform the services or provide the goods reasonably expected by the individual,” an undefined phrase in the CCPA.

This begs so many questions for HR personnel: How does an employer communicate to the employee the inferences it has generated about the applicant/employee? Will the risks of complying with consumers’ rights have a chilling effect on the hiring/review process and internal communications with or about a candidate or employee? Won’t information requested be discoverable and evidence for a potential discrimination claim? If a business uses time-keeping mechanisms that utilize precise geolocation or biometric data (for example, using a thumb print to clock in), can employees restrict those uses? Is sensitive personal information “necessary” and “reasonably expected” if it is used by an employer to promote diversity in the workplace?

It should be noted that consumers’ rights are not absolute. For example, even if a consumer requests deletion of their data, businesses may retain the data if necessary to comply with law, bring and defend claims, if it would violate an evidentiary privilege under California law, and for other reasons set forth in the CCPA/CPRA. We recommend consulting with counsel to develop protocols before deleting any information pursuant to a consumer’s deletion request.

Many of the amendment’s provisions allude to regulations that have not yet been issued. Employers shouldn’t hold their collective breath for regulations to provide guidance—the CCPA regulations arrived well after its effective date and then were amended several times. In the interim, employers must use good faith efforts to comply with CPRA/CCPA. To add to the pressure, CPRA removes the 30-day cure period before the business is subject to an enforcement action.


The CCPA Annual Lookback for Disclosures

The CCPA-required disclosures should reflect the data-handling practices in the 12-month period prior to a privacy policy’s effective date. While all organizations should regularly review their privacy policies, those subject to the CCPA should set calendar reminders to conduct an annual policy review for completion, accuracy, and up-to-date information.


Our Employment and Privacy partners stand by to help you stay ahead of the curve. For additional information, please contact Kimberly Dempsey Booher at [email protected] or Amy Epstein Gluck at [email protected] with any questions or more specific situations.

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2022 FisherBroyles LLP