The California Consumer Privacy Act (CCPA) continues to stand apart as the only comprehensive state privacy law in the U.S. that applies to personal information relating to employees, job applicants, and independent contractors. Since that coverage expanded in January 2023, many employers have had to navigate the difficult task of applying a consumer privacy framework to workforce data. That has created practical challenges, particularly in areas such as privacy notices, internal data practices, and responses to requests from workers seeking to exercise their privacy rights.
On April 20, 2026, the California Privacy Protection Agency (CPPA) began preliminary rulemaking focused on employee data and related privacy notice and disclosure requirements under the CCPA. The CPPA is exploring whether separate or more tailored regulations are needed to clarify how the law should apply to personal information collected in the employment context. Its request for input suggests that regulators recognize the uncertainty businesses and workers have faced. Among other issues, the CPPA is asking what difficulties employers encounter when giving job applicants and employees the ability to exercise privacy rights, and how regulations could better address those concerns.
Although it is still too early to predict the substance of any final rules, this process could have significant consequences for employers subject to the CCPA. New regulations could better align compliance obligations with the realities of human resources and workforce data management. At the same time, such regulations may introduce additional notice, disclosure, or operational requirements that increase regulatory burden. For now, the rulemaking remains in a pre-proposal stage, with preliminary comments due by May 20, 2026. If the CPPA moves forward with formal rulemaking, proposed regulations and another round of public comment would follow, with any final requirements unlikely to take effect before 2027.