As California continues to refine and expand its privacy rules, including rules governing the use of automated decision making for employment decisions, employers are navigating increasingly complex responsibilities around HR data and workplace technologies. Littler is here to help you make sense of these changes, evaluate your obligations, and plan your compliance strategy well in advance of legal changes.

2025 CCPA Regulations: New Employer Requirements

In August 2025, the California Privacy Protection Agency (known as CalPrivacy) finalized the first set of regulations under the California Consumer Privacy Act (CCPA) that directly address the employment context. The new rules on risk assessments and automated decision-making technologies (ADMT) impose new compliance obligations on employers engaging in practices that are common in the employment context. In addition, changes in data security and other requirements of the CCPA may necessitate changes to employers’ compliance programs. Covered employers include mid-size or larger, for-profit businesses operating in California.

Risk Assessment Regulations in 2026

Effective January 1, 2026

Covered employers must conduct a privacy risk assessment before engaging in many activities involving HR Data (personal information of job applicants, employees, or independent contractors residing in California). Activities requiring an assessment include:

  • Processing sensitive personal information, such as race, health, and biometric information
  • Using ADMT for a significant employment decision, even including assignment of work
  • Systematic monitoring to infer characteristics, for example, work performance

HR professionals and in-house employment counsel must be involved – even at organizations with privacy teams – because the regulations require participation of employees who are directly involved in, and have first-hand knowledge of, these activities.

Risk assessment steps include:

  • Documented assessment of nine enumerated areas
  • Attestation of accuracy by a company executive
  • Summary reporting to CalPrivacy and, upon request, provision of the full risk assessment

How Littler can help:

  • Risk assessment templates
  • Assessing whether the requirements apply
  • Advising on modifying technologies or practices to avoid triggering assessments
  • Preparing policies and procedures and assembling a team
  • Counseling on governance and compliance procedures
  • Preparing and reviewing risk assessments

For more information, see Time for HR Professionals and In-House Employment Counsel to Add HR Data Privacy Risk Assessments to Their Repertoire.

 

Automated Decisionmaking Technology Regulations for 2027

Effective January 1, 2027

ADMT is defined broadly as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking,” meaning it encompasses far more than traditional AI tools.

Covered employers who use ADMT without meaningful human involvement for employment-related decisions must:

  • Conduct risk assessments
  • Provide pre-use notices
  • Update privacy policies
  • Honor opt-out and access rights

Technologies covered include those used to make the following key decisions:

  • Hiring
  • Allocation or assignment of work
  • Salary, hourly or per-assignment compensation, as well as other bonuses or benefits
  • Promotion
  • Demotion, suspension, or termination

How Littler can help:

  • Assessing whether ADMT regulations apply
  • Advising on modifications to include adequate human involvement or adjusting practices to avoid applicability of the regulations
  • Conducting required risk assessments
  • Updating privacy policies and preparing procedures
  • Counseling on governance procedures
  • Drafting or reviewing pre-use notices and privacy policies

For more information, see California’s Long-Awaited Final Regulations on Automated Decisionmaking Create New Compliance Challenges for Employers.

Cybersecurity and Miscellaneous Requirements

The 2025 regulations also impose detailed cybersecurity audit requirements on covered employers that process large volumes of California residents’ personal information. As custodians of HR data, HR departments may play a key role in these audits. The regulations also change some of the rules governing the CCPA rights to know, correct, delete, and opt out.

For more information, see California’s Long-Awaited Final Regulations on Automated Decisionmaking Create New Compliance Challenges for Employers.

The California Privacy Rights Act of 2020

The California Privacy Rights Act of 2020 (CPRA) substantially expanded the privacy and information security obligations of most California employers beginning January 1, 2023. The CPRA applies to the personal information of California residents who are employees, job applicants, independent contractors, and board members, as well as employees’ dependents who receive benefits through the employer (collectively, “HR Individuals”). Enforcement began on July 1, 2023.

The CPRA amended the CCPA by extending all of the statute’s requirements to businesses processing the personal information of HR Individuals, who had previously been subject only to limited protections, and by adding new CCPA requirements. The revised CCPA represents a significant departure from previous U.S. laws related to the data of HR Individuals by establishing a comprehensive data protection regime similar to global frameworks, such as the European Union’s General Data Protection Regulation. It required significant changes to existing policies, procedures, and practices for handling HR Individuals’ personal information.

For more information, see Substantial New Privacy Obligations for California Employers: The California Privacy Rights and Enforcement Act of 2020 Passes at the Polls.

CCPA Compliance Checklist and Customizable Vendor Addendum for California Employers

To assist employers with CCPA compliance, we have created a checklist which provides covered employers with a high-level overview of the action items they need to complete for CCPA compliance. In addition, we have created an editable Vendor Addendum that can be attached to employers' existing service agreements, to ensure that service providers process personal information consistent with employers' CCPA obligations. This Addendum can be customized to each employer's particular circumstances.

CCPA Project Checklist + Vendor Addendum

Littler’s Experienced Privacy Team

Littler’s CCPA team can efficiently guide your organization while promptly addressing the human resources side of these important laws. Our team can assist with developing and implementing an entire CCPA compliance program, including:

  • Data mapping to identify all repositories of HR Individuals’ personal information and the flow of that personal information into, and out of, the company

  • Drafting required notices at collection and online privacy policies

  • Preparing policies and procedures to address CCPA rights requests from HR Individuals

  • Enhancing existing information security policies and procedures to meet the CCPA’s compliance standard

  • Developing and implementing mandatory retention schedules

  • Drafting and negotiating required agreements with service providers, contractors, and other third parties

  • Providing employee training

Additional Resources

To assist your organization with CCPA compliance, Littler’s CCPA Team has developed the CCPA Compliance Suite. This comprehensive suite of templates and guidance can be purchased as an entire package or on an a la carte basis. Littler’s CCPA Compliance Suite consists of more than one dozen documents, including:

  • Template fact-finding memos and compliance documents to address CCPA requirements applicable to HR data
  • Information Security Supplement
  • Non-HR Data Supplement

Please contact your Littler attorney or CCPA@littler.com for more information about pricing.
 

The Littler CPRA/CCPA Podcast

The Littler California Privacy Rights Act Podcast features conversations related to a law that is a “game changer” for almost every employer that does business in California.

Listen on iTunes

 

Littler’s CCPA Team