Your HR Software Is Collecting Employee Data. California Just Made That a Legal Obligation.
Most California employers think of the California Consumer Privacy Act as a consumer-data law – something that applies to website visitors and customer information. The new CCPA risk assessment regulations, enacted in fall 2025, reach directly into the employment relationship in ways that will catch many businesses off guard.
The CCPA applies to any for-profit business that does business in California, had global gross annual revenue above $26 million in the preceding year, and collects and processes the personal information of California consumers. Under the CCPA, “consumer” explicitly includes California residents who are job applicants and employees – not just retail customers. If your business is above the revenue threshold and you use any technology that collects, stores, or processes employee or applicant data, the risk assessment framework reaches you.
The regulation identifies specific processing activities in the employment context that present significant risk and trigger the risk assessment obligation. Using an automated decision-making tool that results in a decision affecting employment opportunities or compensation is one trigger. Using personal information to train an automated decision-making tool that makes employment decisions is another. Automated processing that infers employee characteristics – intelligence, aptitude, performance, health, reliability, or location – based on systematic observation is a third. And processing sensitive personal information outside of core human resources functions (such as routine payroll administration or legally required accommodation processing) is also flagged.
The risk assessment is not a simple form. It must document the categories of personal information processed, the sources of that information, the purpose and retention period for each category, how information is collected and what notice is given to employees and applicants, which third parties receive or have access to the data, and whether automated decision-making tools are used – and if so, the logic behind them, the outputs generated, and how those outputs inform significant employment decisions. The assessment must be reviewed and approved by executive management, excluding legal counsel from the approval chain.
The recordkeeping obligation runs for five years after the later of completion of the assessment or the end of the processing activity. The business is not required to submit the assessment itself to the California Privacy Protection Agency, but it must submit an attestation through the CPPA portal. That attestation requires a member of executive management with direct responsibility for the assessment to declare under penalty that the information submitted is true and accurate. Potential fines for violations range from approximately $2,600 to $7,900 per incident.
The compliance posture for most California employers starts with a technology audit: what tools are currently in use, what employee and applicant data they process, whether any of those tools include scoring, profiling, or automated decision outputs, and whether a risk assessment has been completed. Employers that use AI-assisted hiring platforms, productivity monitoring software, performance management tools with algorithmic outputs, or scheduling and attendance systems with predictive components should treat this as an active compliance item, not a future problem.
If you want to know where your business stands, contact Michael Trust Law, APC for a no-charge initial consultation. The facts determine what needs to be addressed – and how much of a conversation that takes.
This post shares general information based on common patterns I see in California workplaces. It is not legal advice, does not create an attorney-client relationship, and outcomes depend on specific facts – no lawyer can guarantee a result. Past results do not guarantee or predict future outcomes. AI may have been used to create this post. All content reviewed by a CA attorney before publication.
