Privacy Agency Invites Comments from Businesses on the CCPA’s Usage of Personal Data

Recently, the California Privacy Protection Agency (CPPA) issued a call for comments on the current state of personal data collection under the California Consumer Privacy Act (CCPA). Specifically, the invitation to deliver remarks was issued on April 20th, 2026. Generally, the information provided by the agency discusses potential updates to CCPA regulations addressing notices and disclosures, as well as the handling of employee data.  Previously, in October 2025, the CPPA updated the CCPA to include new information on automated decision-making technology, cybersecurity audits, and risk assessments.

What Is the California Consumer Privacy Act (CCPA)?

On January 1st, 2020, the CCPA went into effect, protecting consumers’ privacy rights by placing obligations on how businesses collect, use, and share the personal information of California residents. Included within the protections, the CCPA provides affected consumers with the right to:

• know what personal data is being collected about them;
• know whether their personal data is sold or disclosed and to whom;
• say “No” to the sale of personal data;
• access their personal data;
• request a business to delete any personal information about a consumer collected from that consumer; and
• exercise their privacy rights without fear of discrimination.

Updates to the California Consumer Privacy Act (CCPA)

Markedly, the CCPA was soon amended by the California Privacy Rights Act (CPRA). Passed in November 2020, the CPRA provided additional privacy protections for individuals. Specifically, these protections applied to the personal information of employees, employees’ dependents who receive benefits, applicants, independent contractors, and board members.

Additionally, the CPRA established the afore-mentioned California Privacy Protection Agency (CPPA), which implements and enforces the law. Going beyond existing federal law, which primarily protects data in employees’ personnel files and even bars employers from asking certain illegal interview questions, the CPRA provides more comprehensive data protection, allowing individuals to opt out of, delete, or correct certain records. In this way, the CPRA closely mirrors data protection laws overseas, like the European Union’s General Data Protection Regulation (GDPR). The California Privacy Rights Act went into effect on January 1st, 2023.

Finally, it is important to note that even though the CPRA amended the CCPA, it did not create a new law. Being that, the general law being discussed in this post is the “CCPA” or “California Consumer Privacy Act.”

Who Does the California Consumer Privacy Act (CCPA) Apply To?

Presently, businesses that fall within the following perimeters must comply with CCPA standards:

• The company does business in California (even if they are based elsewhere).
• The business collects personal information (or does it on behalf of another entity).
• The company alone or jointly with others determines the purposes or means of processing of that data.

Also, if the business meets one of the following criteria, they are required to comply with the CCPA:

• The annual revenue requirement is satisfied if, as of January 1 of a calendar year, the business had annual gross revenues in the preceding calendar year in excess of $25 million.
• The business “alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
• The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

The CPPA’s Invitation for Preliminary Comments on Notices and Disclosures

As mentioned earlier, the CPPA is questioning whether CCPA regulatory changes are needed regarding notices, disclosures, and personal data, i.e., employee data. The agency wants input from all individuals affected by the current law.

Now, the CPPA requires businesses to provide consumers with notices explaining their privacy practices. These notices could include:

• a privacy policy,
• Notice at Collection, and
• notices about consumers’ privacy rights.

The agency wants feedback addressing the following questions when it comes to those notices and disclosures:

• When reviewing a privacy policy or similar disclosure, what is the most important information to consumers? What information about a business’s collection, use, disclosure, and retention of personal information do consumers want but currently cannot find in existing privacy policies or similar disclosures?
• What language in privacy policies do consumers find confusing, unclear, or difficult to understand? How can the CPPA address this issue?
• What challenges do businesses experience when describing information practices in a privacy policy or other disclosures to consumers? How can the regulations address this issue?
• What are effective ways for consumers to receive notice of their CCPA rights and how to exercise those rights? For example, how do effective notice mechanisms differ across mobile apps, internet-connected devices, smartwatches, smart TVs, home appliances, gaming systems, or other interfaces that do not support traditional webpage-based notices?
• What challenges do businesses face when providing notices, including opt-out links, across different devices or platforms? How can the regulations address this issue?
• Please provide examples of effective consumer notices and disclosures. If possible, please provide information about specific testing, studies, or data demonstrating their effectiveness.
• What else should the CPPA consider regarding CCPA notice and disclosure requirements?

The Request for Comments on Personal Data and Employee Data

Additionally, the CPRA would like comments on the CCPA’s current collection and usage of personal data. For its questions, “employee” means current and former employees, as well as current and former independent contractors.

• What are your expectations or concerns regarding why businesses collect, use, disclose, or retain your personal information as a job applicant or employee?
• Have you received a copy of a business’s privacy policy, Notice at Collection, or CCPA rights notices as a job applicant or employee? Identify each notice you have received and describe your experience receiving the notice. For example, how did you receive the notice(s), at what point in the employment life cycle (hiring, working, offboarding) did you receive the notice(s), and what was the most helpful information in the notices? Do you have any suggestions on how to improve the effectiveness of the notice?
• What challenges do businesses experience when providing a privacy policy, Notice at Collection, or CCPA rights notices to job applicants and employees?
• Have you exercised your CCPA rights as a job applicant or employee? Describe your experience exercising your rights. Describe any challenges you experienced when exercising your rights. Do you have any suggestions on how to improve the experience?
• What challenges do businesses experience when providing job applicants and employees with the ability to exercise their privacy rights? How can the regulations address this issue?
• What steps do businesses take to oversee their service providers’ and contractors’ CCPA compliance, and what challenges do businesses face when doing so? For example, do businesses conduct audits of these entities or test the service provider’s or contractor’s systems? How effective are these audits and tests to assess a service provider’s or contractor’s CCPA compliance?
• What else should the CPPA consider regarding CCPA requirements for job applicants and workers in the employment lifecycle (hiring, working, and offboarding)?

Employer Takeaways

In conclusion, the April 2026 request for preliminary comments signals a possible new era in CCPA compliance. However, the agency wants participants to know that the preliminary comments are to assist with its preliminary rulemaking. The comments will not reflect any decisions made by the CPPA regarding future rulemaking. If regulations are proposed, a formal public comment period will be held then.

In short, the CPPA will be accepting preliminary submissions and answers to the above questions until May 20th, 2026. Comments may be submitted electronically to [email protected] with “Preliminary Comment - Notices & Disclosures and Employee Data April 2026” in the subject line. Additionally, answered questions may be sent by mail to the address displayed here.

When it comes to notices, disclosures, and employee and customer personal data privacy, WorkWise Compliance can help businesses comply with applicable laws and regulations. Our annual compliance plans include posters, digital resources, forms, checklists, and training to maintain a compliant workplace.