Among US states, California is the only one that treats employees as full “consumers,” giving them the right to an employee notice, an applicant notice, and employee rights. While California enforcement has not yet focused squarely on employer practices, a fresh call for public comments from CalPrivacy on how to strengthen employee privacy notices and rights signals this may soon change, and employers should take note.
That Was Then:
The California Consumer Privacy Act (CCPA) imposes meaningful privacy obligations on employers, not just consumer-facing businesses. Since the expiration of the CCPA’s employee data exemption on January 1, 2023, covered businesses have been required to extend the same privacy protections to employees, job applicants, and independent contractors that they provide to other consumers. This includes providing detailed privacy notices at or before the point of collection, disclosing the categories and purposes of personal information collected, and responding to consumer requests including requests to access, correct, delete, and opt out of the sale or sharing of personal information. Employers must also offer mechanisms for submitting these requests, such as web forms and toll-free telephone numbers, and must respond within the timelines prescribed by the statute.
In July 2023, California Attorney General Rob Bonta underscored the seriousness of these requirements by announcing an investigative sweep of large California employers, sending inquiry letters requesting information about their CCPA compliance with respect to employee and job applicant data.
Since that sweep, California privacy regulators have not been shy about enforcing both proper disclosures and consumer rights. On the notice side, CalPrivacy’s $1.35 million fine against Tractor Supply Company, its largest CCPA penalty to date, found that the retailer’s consumer-facing privacy policy failed to disclose key categories of personal information and had not been updated in four years, and that its job applicant notices failed to describe CCPA rights or explain how to exercise them. On the consumer rights side, CalPrivacy fined American Honda Motor Co. $632,500 for requiring excessive personal information to exercise privacy rights, using an asymmetrical opt-out banner, and failing to produce CCPA-compliant vendor contracts. It also fined clothing retailer Todd Snyder $345,178 for similar violations, including a misconfigured privacy management tool that failed to process opt-out requests for approximately 40 days. As CalPrivacy’s head of enforcement Michael Macko put it in the Tractor Supply announcement: “We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike.”
While California has yet to see extensive employer-focused enforcement, such enforcement is already well established in Europe. The EU General Data Protection Regulation recognizes employees as data subjects and affords them robust privacy rights, including the right of access. EU and UK regulators have not hesitated to enforce these obligations against employers. Notable enforcement actions demonstrate the significant financial exposure employers face for noncompliance, with fines in the tens of millions of euros for excessively intrusive employee monitoring, for failure to honor individual rights, and for excessive data retention or collection practices.
Employees in Europe have also been increasingly active in exercising their privacy rights, frequently submitting access requests in the context of workplace disputes, grievances, and anticipated litigation. EU regulators have affirmed that employers cannot sidestep these obligations simply because legal proceedings are underway.
This Is Now:
A new call for comments from CalPrivacy, however, signals that California may start focusing on employer compliance again. Yesterday, CalPrivacy announced a call for public comments, due on May 20, 2026, on how to make employee privacy notices and rights more effective.
CalPrivacy is asking employers to weigh in on:
- What challenges do they experience when providing a privacy policy, Notice at Collection, or CCPA rights notices to job applicants and employees?
- What challenges do they experience when describing information practices in a privacy policy or other disclosures to consumers? How can the regulations address this issue?
- What challenges do they experience when providing job applicants and employees with the ability to exercise their privacy rights? How can the regulations address this issue?
- What steps do they take to oversee their service providers’ and contractors’ CCPA compliance, and what challenges do businesses face when doing so (e.g., do they conduct audits, are they effective)?
- What else should CalPrivacy consider regarding CCPA requirements for job applicants and workers in the employment lifecycle (hiring, working, and offboarding)?
Employees are asked to weigh in on:
- When reviewing a privacy policy or similar disclosure, what is the most important information to consumers?
- What language in privacy policies do they find confusing, unclear, or difficult to understand? How can CalPrivacy address this issue?
- What are effective ways for consumers to receive notice of their CCPA rights and how to exercise those rights?
- What are their expectations or concerns regarding why businesses collect, use, disclose, or retain their personal information as a job applicant or employee, and how can the notice be improved?
- What else should CalPrivacy consider regarding CCPA requirements for job applicants and workers in the employment lifecycle (hiring, working, and offboarding)?
Take Action
This comment period is a rare opportunity for both employers and employees to shape the next generation of CCPA employee privacy rules before they are written. Employers dealing with the practical challenges of drafting compliant notices, managing employee DSARs, or overseeing service provider compliance should make their voices heard. Comments are due by May 20, 2026. It is also time to revisit any gaps you may have in your employee and applicant notices and employee rights processes, as enforcement in this area may soon be accelerating.