Industry groups are warning California’s top privacy regulator against imposing new rules governing data policy notices and employee data collection, arguing that businesses are already struggling to comply with the state’s rapidly changing requirements.
In letters to the California Privacy Protection Agency, groups representing tech giants and California businesses asked the regulator to hold off entirely on rulemaking covering the collection and use of employee and applicant personal data. The groups also warned the agency, known as CalPrivacy, not to change requirements for businesses to inform customers about their data privacy practices.
The agency had asked companies and consumers in April for input on the proposed data policy notice and collection rules. The public comment period closed May 20.
Technology trade groups, which have long opposed the agency’s rulemaking efforts, argued that the new regulations would add to a growing and complex web of privacy regulations in the only state with its own privacy regulator.
Trade group TechNet, whose members include
In a separate letter to the agency, the California Chamber of Commerce wrote that the state’s businesses are “already devoting considerable financial and operational resources” to complying with new privacy rules on tight notice.
The groups also raised concerns about new employee data regulations that expand on the California Consumer Privacy Act, which treats employees as consumers by extending “Notice at Collection” disclosure requirements to businesses and their employees.
“The employment context involves legitimate business needs for data processing that differ significantly from consumer-facing contexts,” wrote the Business Software Alliance, which represents tech companies including
The BSA pointed to the “enormous” scope of employee data already covered by the CCPA’s access and deletion protections—ranging from badge access logs to internal investigation records—and joined industry peers in asking the agency to refrain from further data regulation. Rulemaking that requires businesses to allow employee opt-outs from this data collection could prove difficult to carry out, wrote another trade group representing the state’s banking industry.
Others, like the founder of employment verification service MyEmployment, told CalPrivacy in public comments that existing employee data protections do not go far enough. In a separate letter to the agency, the founder suggested that the rulemaking process presents an opportunity to correct a “major blind spot” by bringing third-party service providers who sell employee data under the scope of the CCPA’s “Notice at Collection” regulations.
The trade groups also asked for greater flexibility in complying with notice requirements across different devices. The Network Advertising Initiative, which represents online advertisers, wrote that businesses in the state are facing compliance fatigue because “providing consistent, compliant notices and opt-out mechanisms across these environments presents costly and complex technical and design challenges,” the group wrote. Consumers, they added, are also facing “risk notice fatigue.”
CalPrivacy’s next step is to decide whether to move ahead with the rulemaking process.
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.