On July 14, 2023, California Attorney General Rob Bonta announced a California Consumer Privacy Act (“CCPA”) enforcement sweep focused on large California employers’ compliance with the CCPA’s requirements applicable to the personal information of employees and job applicants. This is a clear signal that the Attorney General will not wait to pursue enforcement of these provisions, even though the California Privacy Protection Agency (the “Agency”) has yet to address them in its rulemaking.

In this blog post, we offer a roadmap for compliance for companies with California employees, independent contractors, and applicants to consider as they continue to enhance their existing programs or fully operationalize these changes.

The CCPA previously exempted personal information collected in the recruitment and employment (“HR”) context, but the exemption expired on January 1, 2023 after the California legislature failed to extend the exemptions.

As a result, entities subject to the CCPA must provide employees, applicants, and independent contractors the same rights and protections they afford other CCPA “consumers,” including rights regarding the collection, use, and disclosure of personal information. The HR requirements imposed by the CCPA are in addition to employees’ existing rights under California law to inspect and receive a copy of their personnel files.

Many anticipated that enforcement of the CCPA’s protections for HR data might be limited given that the Agency’s recently finalized regulations do not address employee data and because the Agency’s board members indicated that any such regulations would require substantial research and pre-rulemaking activity. This investigative sweep may inform future rulemaking and is a clear signal that employers of all sizes should not wait for the Agency to issue regulations before implementing CCPA HR requirements.

There are several steps that companies with California employees, independent contractors, and applicants could consider as they continue to enhance their compliance with the CCPA’s HR requirements and their general CCPA programs:

  1. Data Mapping. Employers should consider a data mapping exercise covering all data processed in the HR context. They should also consider updating any current data mapping to account for such HR data. This exercise includes the personal information of employees, applicants, independent contractors, consultants, directors, board members, and beneficiaries of employees. Such mapping should consider the collection, business purposes, storage, retention, and disclosures of such personal information. It should also account for any data flows involving service providers, contractors, or third parties. Employers should also consider the impact of remote work on data collection. This information should be kept up to date on a regular basis.
  2. Updating Notices and Policies. Employers should revise any existing HR privacy notices and create privacy policies covering HR data, to the extent that these do not already exist. These notices and policies may need to be tailored depending on the type of consumer involved.  Employers should also consider how these notices and policies are made available to various covered individuals—such as through an employee portal or at recruiting events.
  3. Processing Data Subject Access Requests. Employers should consider establishing or updating any existing process for receiving and processing data subject access requests (“DSARs”) for HR data that is distinct from its processes for other consumer requests. Given the sensitivity of HR data, other legal requirements to retain such data, and the possibility that such requests may be used by employees and others in litigation, it may be prudent to treat such requests with special care.  The DSAR procedures should include mechanisms to flow-down consumer rights requests to service providers, contractors, and third parties.
  4. Vendor Agreements. Once employers have identified and updated their tracking of data flows, they should revisit their contracts with any parties that handle HR data and update the contracts to include CCPA-mandated obligations, such as prohibitions on the commercialization of personal information, including HR data.

The authors would like to thank Debevoise Summer Law Clerk Shannon Pennoyer for her contribution to this blog post.

To subscribe to the Data Blog, please click here.


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.


Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.


Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at tbsherno@debevoise.com.


Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.