
CCPA

The California Consumer Privacy Act of 2018 (as amended by the CPRA of 2020) — the most comprehensive US state privacy law, granting California residents (including employees and applicants since 2023) substantive rights over their personal information with employer compliance obligations.

Detailed Definition

CCPA (California Consumer Privacy Act of 2018), as amended by the CPRA (California Privacy Rights Act of 2020), is the most comprehensive US state privacy law and the closest American analogue to EU GDPR. Effective January 1, 2020, with employment-data provisions taking effect January 1, 2023, CCPA grants California residents substantive rights over their personal information and imposes corresponding compliance obligations on covered businesses. For US employers — particularly those with significant California workforce or operations — CCPA compliance affects everything from privacy notices to data-subject-request handling, vendor management, and employee-data architecture.

**Coverage.** CCPA applies to for-profit businesses that (1) collect personal information of California residents, (2) determine the purposes and means of processing that information, and (3) meet at least one of three thresholds: annual gross revenue above $25M (the figure is inflation-adjusted; it has been $25,625,000 since 2023), OR buying, selling or sharing the personal information of 100,000+ California consumers or households per year, OR deriving 50%+ of annual revenue from selling or sharing California residents' personal information. The thresholds capture most mid-market and larger businesses with California operations. Non-profit organisations are generally not covered (with exceptions). Public-sector entities have separate rules.

**Personal information scope.** CCPA's 'personal information' definition is exceptionally broad — any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes (1) Identifiers (name, address, phone, email, SSN, account numbers). (2) Commercial information (purchase history, browsing behaviour). (3) Internet-activity information (IP address, cookies, search history). (4) Geolocation data. (5) Biometric information. (6) Inference data (preferences inferred from other information). The breadth means most employer-held employee data falls within CCPA scope.

**Sensitive personal information.** CPRA introduced a 'sensitive personal information' (SPI) category with heightened protections, including (1) Government-issued identifiers (driver's licence, passport, SSN). (2) Financial-account information. (3) Precise geolocation (within 1,850 feet). (4) Racial or ethnic origin, religious beliefs, union membership. (5) Health information. (6) Genetic information. (7) Sexual orientation, sex life. (8) Biometric information for identification purposes. (9) Mail, email, text-message contents. SPI requires additional disclosures and gives consumers the right to limit use and disclosure to specifically authorised purposes.

**Rights of California residents.** CCPA grants California residents (1) **Right to know** — request what categories and specific pieces of personal information a business has collected, used, disclosed, and sold. (2) **Right to delete** — request deletion of personal information, subject to exceptions (legal compliance, fraud prevention, internal uses, etc.). (3) **Right to correct** — request correction of inaccurate personal information. (4) **Right to opt out of sale or sharing** — consumers can opt out of the sale or sharing of their personal information. (5) **Right to limit use of sensitive personal information** — consumers can restrict SPI to specifically authorised uses. (6) **Right to non-discrimination** — businesses cannot retaliate against consumers for exercising CCPA rights. (7) **Right to data portability** — receive personal information in a structured, machine-readable format.

**The 2023 employment-data shift.** Until January 1, 2023, an 'employment exemption' largely kept employee and applicant personal information outside CCPA's substantive rights provisions (though notice-at-collection obligations and the data-breach private right of action still applied). The exemption had been extended twice by the legislature and once more by the CPRA, and it expired on January 1, 2023 without further extension, fully extending CCPA rights to employees, former employees, applicants, contractors, directors, officers, medical staff members, and emergency contacts and beneficiaries of these individuals — essentially anyone whose personal information is collected in an employment context. This was a major shift requiring substantial employer programme work to extend CCPA-compliance practices into HR systems.

**Employer compliance obligations.** Covered employers must (1) **Privacy notice at collection** — provide notice describing categories of personal information collected, purposes, retention periods, and rights at or before collection. Typically at hire, in the application process, and at significant policy updates. (2) **Privacy policy** — comprehensive privacy policy on the website (career page) covering CCPA disclosures. (3) **Mechanisms for rights requests** — toll-free number, email address, or web form for consumers to submit requests. (4) **Verification process** — verifying the requester's identity before acting on requests to know, delete, or correct; opt-out and limit requests do not require verification. (5) **Response within timelines** — confirm receipt within 10 business days; respond within 45 calendar days for requests to know, delete, or correct, extendable once by a further 45 days with notice to the requester; honour opt-out and limit requests within 15 business days. (6) **Privacy training** — staff training on handling CCPA rights requests. (7) **Vendor management** — Service Provider or Contractor data-processing agreements with HRIS, payroll, benefits, and other vendors handling employee data. (8) **Records of requests** — maintain records for at least 24 months of rights requests received and responses provided. (9) **'Do not sell or share' link** — for businesses that sell or share personal information; less commonly relevant for employment contexts.
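The request-handling steps above (verification before fulfilment, the 45-day window with one 45-day extension, deletion that honours legal holds and statutory exceptions, a machine-readable export for portability, and a 24-month request log) fit together as one small workflow. The following is an added worked example, not code from this page or from Peoplifi; the in-memory HRIS, the field names, the two sample employee records and the choice of which fields survive a deletion are all constructed for the illustration, while the day counts come from the text above.

```python
"""Added example: a minimal CCPA rights-request (DSAR) handler for HR data.
Not Peoplifi's code. The store, field names and sample records are
constructed for illustration; the 45-day window, single 45-day extension
and 24-month request log are the figures from the glossary text."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DAYS = 45           # statutory response window for know/delete/correct
EXTENSION_DAYS = 45          # one extension, with notice to the requester
RECORD_RETENTION_DAYS = 730  # keep records of requests for at least 24 months

# Fields kept after a deletion request under the statutory exceptions
# (e.g. records needed for legal/tax compliance). Constructed for the example.
DELETE_EXEMPT_FIELDS = {"employee_id", "payroll_tax_records"}


@dataclass
class RightsRequest:
    request_id: str
    employee_id: str
    kind: str                  # "know" | "delete" | "portability"
    received: date
    verified: bool = False
    extended: bool = False
    completed: date | None = None
    log: list[str] = field(default_factory=list)

    def deadline(self) -> date:
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def extend(self, today: date, reason: str) -> None:
        """Take the single permitted extension and record the notice sent."""
        if self.extended:
            raise ValueError("only one 45-day extension is permitted")
        if today > self.deadline():
            raise ValueError("deadline already passed; extension not available")
        self.extended = True
        self.log.append(f"{today}: extended to {self.deadline()}; notice: {reason}")


class HrDataStore:
    """Hypothetical in-memory HRIS: employee records, legal holds, request log."""

    def __init__(self, records: dict[str, dict]) -> None:
        self.records = records
        self.legal_holds: set[str] = set()
        self.request_log: list[RightsRequest] = []

    def verify(self, req: RightsRequest, email: str, dob: str) -> bool:
        # Identity check before fulfilment: match two data points on file.
        # Real programmes scale verification rigour to the sensitivity requested.
        rec = self.records.get(req.employee_id)
        req.verified = bool(rec) and rec.get("email") == email and rec.get("dob") == dob
        req.log.append(f"verification {'passed' if req.verified else 'failed'}")
        return req.verified

    def fulfil(self, req: RightsRequest, today: date) -> dict:
        if not req.verified:
            raise PermissionError("refusing to act on an unverified request")
        rec = self.records[req.employee_id]
        if req.kind == "know":
            result = {"categories": sorted(rec)}
        elif req.kind == "portability":
            # Structured, machine-readable copy of the employee's record.
            result = {"format": "json", "data": json.dumps(rec, sort_keys=True)}
        elif req.kind == "delete":
            if req.employee_id in self.legal_holds:
                result = {"deleted": [], "retained": sorted(rec), "reason": "legal hold"}
            else:
                keep = {k: v for k, v in rec.items() if k in DELETE_EXEMPT_FIELDS}
                self.records[req.employee_id] = keep
                result = {"deleted": sorted(set(rec) - set(keep)),
                          "retained": sorted(keep), "reason": "statutory exceptions"}
        else:
            raise ValueError(f"unknown request kind {req.kind!r}")
        req.completed = today
        req.log.append(f"{today}: fulfilled {'late' if today > req.deadline() else 'on time'}")
        self.request_log.append(req)   # record kept for the 24-month period
        return result

    def purge_request_log(self, today: date) -> int:
        """Drop request records older than 24 months; return how many remain."""
        cutoff = today - timedelta(days=RECORD_RETENTION_DAYS)
        self.request_log = [r for r in self.request_log if r.received >= cutoff]
        return len(self.request_log)


def demo() -> dict:
    """Two deletion requests: one with exceptions applied, one under legal hold."""
    store = HrDataStore({
        "E100": {"employee_id": "E100", "email": "a@example.com", "dob": "1990-01-01",
                 "home_address": "1 Main St", "payroll_tax_records": "W-2 2024"},
        "E200": {"employee_id": "E200", "email": "b@example.com", "dob": "1985-06-30"},
    })
    store.legal_holds.add("E200")
    r1 = RightsRequest("R1", "E100", "delete", date(2025, 1, 2))
    store.verify(r1, "a@example.com", "1990-01-01")
    r1.extend(date(2025, 2, 1), "records held in several systems")
    r2 = RightsRequest("R2", "E200", "delete", date(2025, 1, 2))
    store.verify(r2, "b@example.com", "1985-06-30")
    return {"r1": store.fulfil(r1, date(2025, 3, 15)), "r1_deadline": r1.deadline().isoformat(),
            "r2": store.fulfil(r2, date(2025, 2, 10)), "remaining": store.records["E100"],
            "log_after_purge": store.purge_request_log(date(2027, 2, 1))}
```

Two design points worth noting: `fulfil` refuses to act on an unverified request rather than silently returning nothing, and the deletion path always returns both what was deleted and what was retained with the reason, which is exactly the content the 24-month request record needs.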

**The California Privacy Protection Agency (CPPA).** CPRA established the California Privacy Protection Agency, which now shares enforcement authority with the California Attorney General. CPPA can investigate complaints, conduct audits, issue regulations, and impose administrative fines. Penalties can reach $2,500 per violation or $7,500 per intentional violation; violations involving the personal information of consumers the business knows are under 16 are treated at the $7,500 tier. The CPRA also removed the automatic 30-day cure period that applied to regulatory enforcement under the original CCPA.

**Private right of action.** Unlike many privacy laws, CCPA includes a private right of action specifically for data breaches: a consumer may sue when their nonencrypted and nonredacted personal information in certain categories (name combined with SSN, driver's licence number, financial-account number with access credentials, medical or health-insurance information, or biometric data, or an email address with a password or security-question answer) is exposed because the business failed to implement reasonable security. Consumers can sue for statutory damages of $100-750 per consumer per incident or actual damages, whichever is greater, after giving 30 days' written notice in which the business may cure the violation. The practical security point is that the statutory-damages claim turns on the data being nonencrypted or nonredacted, so encrypting these fields at rest and redacting them in systems that do not need them materially reduces exposure. This provision has produced significant data-breach class actions against employers and other businesses.

**Multi-state harmonisation.** California pioneered comprehensive US state privacy law, and many states have followed with similar (though not identical) laws — Colorado, Connecticut, Iowa, Indiana, Tennessee, Texas, Virginia, and others. Most of those laws exempt employee and applicant data outright, so California remains the state where HR data is most fully in scope. Multi-state employers nonetheless face overlapping compliance obligations with state-by-state variations in scope, rights, and enforcement, and most large employers extend CCPA-style protections to all US employees as a matter of practical compliance simplicity.

**Common compliance pitfalls.** First, missing the 2023 employment-data shift and treating employee data outside CCPA scope. Second, missing the 45-day response window for rights requests. Third, inadequate vendor data-processing agreements. Fourth, retaining employee data beyond what's necessary or supportable. Fifth, treating CCPA as a one-time compliance exercise rather than ongoing programme. Sixth, neglecting state-by-state variations in multi-state operations.

**Automation through Peoplifi.** Peoplifi supports CCPA compliance with role-based access controls and audit logging for all personal-data access, automated data-subject request workflows for the 45-day window, configurable retention policies aligned with legal requirements, structured data-export for portability requests, deletion workflows respecting legal-hold and other exceptions, and vendor-management documentation supporting Service Provider agreements with downstream processors.

Example

Our HRIS issues a CCPA-compliant privacy notice at hire and lets California employees export, correct, or delete their HR data on request.

Automate CCPA with Peoplifi

Peoplifi unifies HR, payroll, time tracking, and performance into one modern platform — so concepts like CCPA stay handled, not stuck in spreadsheets.

Start free 14-day trial