On November 22, 2024, California’s privacy landscape shifted significantly as the California Privacy Protection Agency (CPPA) proposed tough new regulations. These rules, an extension of the California Consumer Privacy Act (CCPA), place a heavy focus on how employers manage employee data. The changes center on risk assessments, automated decision-making technology, and cybersecurity audits, creating urgent compliance challenges for businesses across the state.
Employers Face Stricter Scrutiny with New Risk Assessment Mandates
The proposed regulations introduce a new layer of responsibility for employers through mandatory risk assessments. These are not simple checklists; they are detailed evaluations required when using employee data for specific purposes, especially when automation is involved.
Employers must now weigh the benefits of their data processing activities against the potential privacy risks to their employees. This involves analyzing up to 30 different elements to identify threats like unauthorized data access or potential discrimination.
These assessments must be thoroughly documented, updated at least every three years, and submitted to the CPPA. Failing to conduct or submit these reports can lead to significant penalties, as the agency aims to enforce greater accountability.
Navigating the New Rules for Automated Hiring and Management Tools
Another major focus is on automated decision-making technology (ADMT), which the CPPA defines very broadly. It includes any system that uses personal information to help make decisions about hiring, promotions, performance reviews, or employee monitoring.
Employers planning to use ADMT will have several new obligations.
- Pre-Use Notice: You must inform employees and applicants before using ADMT, explaining its purpose and how it works.
- Right to Opt-Out: Employees have the right to opt out of certain uses of ADMT, which could disrupt automated HR workflows.
- Privacy Policy Disclosures: Your company’s online privacy policy must be updated to include specific information about your ADMT practices.
While some exceptions to the opt-out rule exist for security or hiring, they are narrow. For example, to qualify for an exemption, an employer must offer a human review of the automated decision, a requirement that could reduce the efficiency gains of using ADMT.
Cybersecurity Audits and Other Key Compliance Changes
The new rules also mandate annual cybersecurity audits, although this requirement primarily targets large businesses that process significant amounts of personal data. These audits must be conducted by an independent expert and certified by a high-ranking executive or board member before being submitted to the CPPA.
Even if your business is not required to conduct these formal audits, the standards provide a clear roadmap for what the CPPA considers reasonable security. Adopting similar practices, such as data encryption and regular cybersecurity training, can help protect your business from liability in the event of a data breach. Furthermore, the proposals include smaller but important updates, such as a new requirement to inform individuals of their right to file a complaint with state authorities if their data request is denied.
What’s Next? Key Deadlines and How to Prepare
The CPPA has a deadline of November 22, 2025, to finalize these regulations, but employers should not wait to start preparing. The agency is accepting public comments on the proposed rules until January 14, 2025, giving businesses a brief window to provide feedback.
The proposed changes signal a major shift, and proactive preparation is key to avoiding future compliance issues. Below is a summary of the upcoming requirements.
| Requirement | Action Needed | Deadline |
| --- | --- | --- |
| Risk Assessment | Conduct and document detailed risk assessments for specific data uses. | Ongoing; updates required every 3 years. |
| ADMT Compliance | Provide pre-use notices to employees and update online privacy policies. | Before implementing any ADMT. |
| Cybersecurity Audit | Engage an independent auditor for an annual review (if applicable). | Annual submission to the CPPA. |
| Public Comments | Submit feedback to the CPPA on the proposed regulations. | January 14, 2025. |
These new rules will undoubtedly increase the cost and complexity of HR compliance in California. Employers are advised to begin reviewing their data handling practices, particularly those involving automated systems, to get ahead of these sweeping changes.
