Employers need to prepare for significant amendments in 2025 to the California Consumer Privacy Act of 2018, as amended by the CPRA (CCPA).
The CCPA grants California residents, including employees, specific rights relating to the collection and use of their personal information. These changes include amendments to key definitions, application of data privacy rules to artificial intelligence (AI), and heightened regulatory oversight and enforcement.
Below is a synopsis of the top five developments that California employers should anticipate for 2025:
- AB 1008: CCPA now expressly covers generative AI systems. The definition of “personal information” (PI) expands to PI located in various formats, including AI systems. If an AI system is capable of exposing PI—such as names, addresses, or biometric data—businesses will be subject to restrictions on how they may use or profit from that data. The Legislature’s goal is to ensure that AI systems adhere to the same privacy protections that govern other forms of data storage, processing, and use.
- SB 1223: The CCPA’s definition of “sensitive personal information” is expanded to include a consumer’s neural data—information generated by measuring the activity of a consumer’s central or peripheral nervous system.
- AB 1824: In 2025, a business that receives the consumer’s PI as part of a merger, acquisition, bankruptcy or other transaction must expressly comply with a consumer’s opt-out preferences.
- Increased Enforcement Activity: The Privacy Police have stepped up the enforcement of the CCPA in recent years. Since the first enforcement action under the CCPA was issued in 2022, several new enforcement actions against a variety of businesses for their use and disclosure of PI have been publicized. In 2024, the Privacy Police issued a $6.75 million fine against a cloud software company relating to a 2020 ransomware attack that resulted in the theft of California consumers’ PI. They also announced a stipulated judgment with a mobile app developer relating to collecting and sharing children’s data without parental consent. These actions show an increased focus on privacy and a willingness to go after companies that fail to implement proper safeguards to protect PI.
- New CPPA Regulations: The California Privacy Protection Agency (CPPA) published a set of draft regulations for public comment. The regulations primarily seek to update existing regulations, implement requirements for businesses to conduct cybersecurity audits and risk assessments, and implement consumers’ rights to opt out of automated decision-making technology (ADMT). These regulations could go into effect on April 1, 2025, following the public comment period.
Contact your business attorney to discuss compliance with privacy laws, any investigation by the California Privacy Protection Agency, or any questions about these laws.
Happy Holidays
The information presented is not intended to be, and does not constitute, “legal advice.” Because each situation varies, and only brief summary information is provided here, you should not use this information as a basis for action unless you have independently verified with your own counsel that it applies to your particular situation.