California AG investigating business compliance with data privacy law

California Attorney General Rob Bonta has launched an investigative sweep to examine how businesses are complying with newer elements of California’s landmark data privacy law.

Bonta announced his office has sent inquiry letters to large California employers seeking information about whether they are handling the personal information of employees and job applicants in compliance with the California Consumer Privacy Act.

The AG noted in a press release that starting this past Jan. 1, businesses must now comply with CCPA’s privacy protections in their handling of employee data. This is in addition to their duties under the law regarding consumer information.

“The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it,” Bonta said in a statement. “We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”

This is not the first investigative sweep Bonta has launched regarding CCPA.

Earlier this year, his office announced an investigative initiative focused on businesses with mobile apps.

The early 2023 inquiry was particularly concerned with “popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data,” according to a press release.

The sweep also focused on businesses that failed to process consumer requests submitted via an authorized agent, as required by the CCPA.

“I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data,” Bonta said at the time.

Bonta’s most high-profile enforcement action regarding CCPA compliance was a settlement with Sephora announced in August 2022.

The settlement stemmed from an enforcement sweep of online retailers, and it resulted in Sephora agreeing to pay $1.2 million in penalties.

The AG alleged that Sephora “failed to disclose to consumers that it was selling their personal information and “failed to process user requests to opt out of sale via user-enabled global privacy controls.”

Bonta’s office has also created a website where it posts examples of how businesses have responded to notices of alleged noncompliance with CCPA.

Beginning July 1 of this year, the California Privacy Protection Agency could also enforce the CCPA through administrative enforcement actions.

However, a state court judge issued an opinion in late June preventing the California privacy agency from enforcing some new regulations that recently went into effect.