California Targets Employer Data Rules in Major CCPA Overhaul
California’s privacy agency began rulemaking to clarify CCPA requirements for employee data.
Why it matters: Employers must brace for possible tougher standards on collecting, using, and disclosing employee data. The changes could require overhauls to existing privacy notices, risk assessments, and compliance workflows.
- The CPPA launched preliminary rulemaking on April 20, 2026, focused on employee data privacy under CCPA.
- Employers have had to comply with all CCPA requirements around employee, applicant, and contractor data since January 2023.
- Preliminary comments to the CPPA on rulemaking are due by May 20, 2026.
- The CCPA is the only comprehensive state law covering employee and job applicant data.
The California Privacy Protection Agency (CPPA) announced fresh rulemaking on April 20, 2026, to address personal information practices related to employees, job applicants, and independent contractors under the CCPA.
- The CPPA is actively seeking input from stakeholders on whether dedicated or more tailored regulations are needed for the workplace data context.
- Businesses and privacy professionals have until May 20, 2026, to submit preliminary comments.
- This development targets open questions lingering since the CCPA fully extended to HR data on January 1, 2023, after employment-related exemptions expired.
Enforcement has ramped up. In July 2023, the California Attorney General conducted an investigative sweep of large employers’ CCPA compliance as it applies to employee and applicant data.
Employers must already meet comprehensive CCPA obligations, including:
- Detailed privacy notices for workforce data
- Support for rights like access and deletion
- Risk assessments before sensitive data processing
The CPPA also finalized new rules on cybersecurity audits, risk assessments, and automated decision-making technology, effective January 1, 2026. These include:
- Mandatory risk assessments prior to high-risk data use
- Required cybersecurity audits and agency reporting by specified revenue thresholds
- New compliance measures for businesses using automated decision-making for significant decisions by January 1, 2027
Attorney General Rob Bonta summed up the stakes: "Consumers have the right to understand how their personal information is being used, including whether companies are using their data to set the prices that Californians pay, whether that be for groceries, travel, or household goods."
By the numbers:
- May 20, 2026 — Deadline for preliminary comments on CPPA's inquiry.
- January 1, 2026 — Effective date for new cybersecurity, risk, and audit regulations.
- January 1, 2027 — Compliance deadline for automated decision-making technology rules.
Yes, but: Details on specific new employee data rules are not yet available, as rulemaking is in the early stages.
What's next: Employers should monitor for draft rules and prepare to update HR privacy policies and compliance procedures.