California Privacy Enforcement Expands to Job Applicants: Why Every Employer Should Act Now
California’s privacy regulators have drawn a new line — one that reaches straight into the workplace.
In In the Matter of Tractor Supply Company (Sept. 2025), the CPPA issued its first full enforcement order under the CCPA, imposing $1.35 million in penalties and extending privacy oversight to job applicants for the first time. This marks the convergence of privacy law and employment law, as new CPPA and CRC regulations require employers to document risk assessments, conduct antibias testing for AI hiring tools, and maintain compliant vendor contracts. Together, these developments signal a lasting shift: in California, privacy compliance is now an employment obligation, not just a consumer one.
California’s privacy regulators just crossed a historic line — and employers should take note.
In In the Matter of Tractor Supply Company (Sept. 2025), the California Privacy Protection Agency (CPPA) issued its first full enforcement order under the CCPA, imposing $1.35 million in penalties and broad compliance obligations. Beyond fines, the agency ordered quarterly technology scans, contract audits, written certification of compliance, and email notification to all employees and job applicants that the company has updated its Privacy Policy.
What makes this case different? It’s the first CCPA action to cover job applicants, signaling that privacy enforcement now extends well beyond consumers into the employment relationship.
The New Enforcement Message: Privacy Law Meets Employment Law
For California employers, the message from the CPPA’s enforcement could not be clearer: applicant and employee privacy notices must meet the same disclosure standards as consumer notices. Vendor contracts must include enforceable safeguards, and any use of AI or algorithmic systems in HR must be supported by documented bias testing and privacy-risk assessments.
We are at the dawn of a new era of enforcement — one that merges privacy law and employment law. This convergence is taking shape as California’s two key regulatory bodies — the California Privacy Protection Agency (CPPA) and the California Civil Rights Council (CRC) — finalize overlapping rulemakings that together reshape how employers must manage HR data and prepare for heightened scrutiny.
The CRC’s Automated-Decision Systems (ADS) regulations, effective October 2025, require employers using AI or algorithmic tools for hiring, promotion, or pay decisions to conduct anti-bias testing and maintain records for several years. As noted by Squire Patton Boggs in California Employers Face New Challenges for HR Data Processing (Aug. 2025), these rules “subject employers utilizing ADS to far stricter scrutiny” and establish that “the absence of such testing will be considered to support a claim of discrimination.”
At the same time, the CPPA’s new privacy-risk assessment and cybersecurity audit requirements under the CCPA extend directly to HR data. Employers must identify and evaluate any automated decision-making technologies (ADMT) used in employment, conduct and document risk assessments, and file annual compliance attestations with the agency. These assessments must clearly define the purpose of processing, document the logic of ADMT tools, evaluate potential harms (including discrimination), and outline safeguards to mitigate those risks.
In short, the CPPA and CRC have converged on a shared governance model that is centered on fairness, transparency, and accountability in the workplace. Coordinating compliance efforts under both frameworks is essential to meeting California’s evolving standards for workforce data protection.
The Broader Compliance Landscape: Contracts and Tracking in the Spotlight
While the expansion to HR data is new, the Tractor Supply decision builds on two long-standing enforcement priorities in California and other jurisdictions: contractual compliance and opt-out of online tracking. For years, regulators have scrutinized companies that share data with adtech or analytics providers without service-provider contracts containing all required privacy safeguards. They have also consistently enforced the obligation to honor “Do Not Sell or Share” links and Global Privacy Control (GPC) signals, ensuring consumers — and now job applicants — can meaningfully opt out of cross-context behavioral advertising.
These obligations are not new, and remain an active area of regulatory attention. The CPPA and other authorities continue to prioritize enforcement around vendor contracts, online tracking, and opt-out mechanisms. Regulated entities should be aware that these issues will remain a central focus of privacy oversight and enforcement well into 2026.
Takeaways
The Tractor Supply order makes it clear that, in California, privacy compliance is no longer just a consumer issue — it is also an employment law obligation.
Contractual compliance and online tracking remain top enforcement priorities. Regulators continue to monitor how companies manage vendor relationships, adtech integrations, and opt-out mechanisms across both consumer and employment data.
If your recruiting portal lacks California-specific notices — or if your vendor contracts and cookie practices still predate the CPRA — now is the time to act.
More information
For a detailed analysis of this case, see In the Matter of Tractor Supply Company.
For more information on the topic of HR and Privacy see: Squire Patton Boggs (Aug 2025) — California Employers Face New Challenges for HR Data Processing.
California’s Latest AI & Privacy Rule Updates: What Organizations Need to Know
by Candace E. Moore
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board approved major updates to the California Consumer Privacy Act (CCPA). These changes mainly focus on Automated Decision-Making Technology (ADMT), Cybersecurity Audits, and Privacy Risk Assessments. They aim to strengthen transparency, safeguard personal data, and expand protections for minors and location data.
These updates apply to both nonprofit and for-profit organizations and will be rolled out over the next several years, with deadlines based on the organization’s size and revenue.
Key Updates that Could Affect Your Organization
Automated Decision-Making Technology (ADMT)
ADMT refers to automated systems that make decisions based on personal data. Under the new rules, systems that replace human judgment face stricter limits. Systems that simply assist human decision-making are less restricted, but some uses — particularly in housing, credit, and employment — require “transparency disclosures.”
If you believe your activities are covered by these updates, you should…
· Review all AI and algorithmic tools to ensure they do not engage in prohibited decision-making.
· Add human oversight for decisions with legal or significant impact to any person.
Cybersecurity Audits
Organizations will be required to complete formal cybersecurity audits that assess threats, outline mitigation measures, and document active data protection practices.
These audits must be completed according to the deadlines below:
· If your business earns over $100M in revenue, by April 1, 2028
· If your business earns between $50M and $100M in revenue, by April 1, 2029
· If your business earns less than $50M in revenue, by April 1, 2030
If you believe your activities are covered by these updates, you should…
· Start drafting the audit frameworks to avoid any future compliance issues.
Privacy Risk Assessments
Beginning on April 21, 2028, certain “high-risk” activities (e.g., processing the data of minors, profiling, or processing sensitive health or location data) will require formal risk assessments and attestation filings.
If you believe your activities are covered by these updates, you should…
· Identify which of your activities might meet the applicability threshold.
· Create an internal process for regular data privacy and security reviews.
Expanded Protections for Minors & Location Data
The CCPA board reinforced restrictions on targeted advertising, profiling, and the sale of data involving minors. Location data now faces increased restrictions, including stricter collection limits, disclosure requirements, and prohibitions on certain types of sharing.
If you believe your activities are covered by these updates, you should…
· Audit your data collection practices to ensure they remain compliant.
· Update your privacy policies to explain how minor and location data is being used and/or shared.
Tips & Tricks
· Map Your Data to understand what personal, sensitive, and location data you collect.
· Audit your organization’s use of automated decision-making tools.
· Ensure that your policies accurately reflect your data practices.
· Keep an eye out for future deadlines.
· Engage in continued education on privacy, security and compliance best practices.
California’s updated rules are part of a broader shift toward stricter oversight. Organizations that build transparency, security, and fairness into their operations will be better positioned to meet legal requirements and maintain public trust in the years ahead.
GDL’s Founding Partner Co-Authors Advice for California Businesses
California has approved groundbreaking regulations targeting the use of artificial intelligence and automated decision-making in employment, ushering in new compliance challenges for HR teams. From mandatory bias testing to detailed risk assessments and cybersecurity audits, these rules signal a major shift in how employers must manage workforce data. Discover what’s changing, the deadlines to watch, and how to prepare for the complex road ahead.
Why Choosing a "Teaching Law Firm" is a Smart Move for Meeting Your Compliance Needs
(SAN JOSE, Calif. – September 21, 2024) - When selecting a legal team to handle your privacy and compliance needs, it's crucial to choose a firm that can meet both your immediate and long-term requirements with exceptional quality and efficiency. At Golden Data Law (GDL), we offer more than just traditional legal services—we provide a unique blend of comprehensive compliance solutions and a commitment to legal education that sets us apart.
Here’s what GDL has to offer:
Unmatched Compliance Services Tailored to Your Needs
Your organization deserves a legal team that can address every facet of data privacy and compliance with expertise and precision. At GDL, we excel in providing a broad range of services designed to cover all your compliance needs:
● Data Governance: We help you establish and maintain robust data governance frameworks, ensuring that your data handling practices are both compliant and efficient.
● Mapping and Assessment: Our meticulous mapping and assessment services identify potential compliance gaps, helping you address them proactively.
● EU and US Privacy Law Compliance: We offer expert guidance on navigating complex EU and US privacy regulations, ensuring your organization remains compliant across borders.
● Transactional Work: We go beyond typical advisory roles by providing essential transactional services, supporting your contractual needs and legal agreements.
● Expert Witness Services: When necessary, we offer expert witness services to strengthen your position in legal proceedings.
Unlike many privacy firms that focus solely on compliance advice, GDL offers a comprehensive suite of services that addresses every aspect of privacy law, making us a one-stop solution for all your legal needs.
Exceptional Team Committed to Quality
At GDL, the quality of our representation is paramount. Our team is composed of highly skilled professionals dedicated to providing top-tier legal support:
● Lydia de la Torre: Our practicing partner, Lydia, brings extensive experience and strategic insight into privacy and compliance matters.
● Candace Moore: Our Privacy Compliance Specialist, Candace, is an expert in navigating intricate privacy laws and ensuring your organization stays compliant.
● Judith Saucedo: Our Academic Development Partner, Judith, adds a strategic and educational dimension to our practice, enhancing our overall service quality.
Our team’s commitment to excellence means you receive personalized, high-quality legal support tailored to your specific needs.
Commitment to Values and Social Responsibility
Choosing GDL means aligning with a firm that prioritizes more than just profit. As a Professional Benefit Corporation (B Corp), we leverage the power of the market to drive positive social impact. Our approach is rooted in conscious capitalism, emphasizing:
● Social Responsibility: We integrate social responsibility into every aspect of our practice, ensuring our services align with your ethical values.
● Transparency: Our operations are conducted with the highest level of transparency, providing you with clear insights into our practices and decisions.
● Purposeful Decision-Making: We make decisions that reflect our commitment to both our clients and the broader community, enhancing the impact and effectiveness of our services.
The Fellowship Program: A Strategic Edge
Our Legal Fellowship Program is a cornerstone of our mission and provides a distinct advantage for our clients. Inspired by the model of teaching hospitals, this program offers law students hands-on experience and professional growth under the mentorship of our experienced team. Here are two examples of how our program can benefit you by providing excellent services at an affordable rate:
● Our Academic Development Partner works with our fellows to create materials that empower them to act independently while under active supervision. For example, the training materials we create in the context of our transactional services are a detailed step-by-step manual that streamlines and standardizes contract negotiations and execution.
● Our fellows draft meeting agendas and summaries and provide clients with regular updates. We supervise these activities, which allows us to ensure that our fellows are developing foundational legal skills and are learning and understanding the law as it applies to our clients. Clients have expressed to us how much they appreciate the summaries and updates because they help them to manage internal communications and maintain a comprehensive record of legal advice they receive.
By choosing GDL, you’re not only securing top-quality legal services but also supporting a program that develops future legal talent, ultimately benefiting your organization with enhanced legal support and innovation.
Potential Access to Premier Global Expertise through Squire Patton Boggs
Our founder, Lydia de la Torre, has a relationship as Of Counsel with Squire Patton Boggs (SPB). Subject to SPB’s client intake policies and procedures, GDL clients may be able to access SPB’s top-tier international legal expertise. Squire Patton Boggs is a leading global law firm renowned for its cutting-edge capabilities across transactional, regulatory, policy, cybersecurity, and contentious matters. With a distinguished reputation for handling complex, high-value domestic and international transactions involving digital technologies and data assets, they are ranked “Elite” among the world’s leading data firms.
Squire Patton Boggs’ international team keeps clients ahead of the curve with comprehensive counsel on all aspects of data privacy, including the collection, commercialization, storage, and international transfer of data. Their renowned cybersecurity and incident response team offers critical support on matters such as breach avoidance, response, regulatory intervention, and litigation. This relationship can enable you to benefit from the highest level of legal support in navigating the rapidly evolving landscape of data privacy and cybersecurity.
In conclusion, selecting GDL means partnering with a firm that offers exceptional legal services, upholds strong ethical values, and invests in the future of legal practice through our innovative fellowship program. Our unique approach, combined with potential access to premier global expertise, where appropriate, through our close working relationship with Squire Patton Boggs, ensures that you receive unparalleled support while contributing to the advancement of the legal profession. Make the smart choice for your compliance needs and experience the GDL difference.
GDL’s Founding Partner accepts Of Counsel role at Squire Patton Boggs
(SAN JOSE, Calif. – September 3, 2024) - Golden Data Law (GDL) is pleased to announce that its Founding Partner, Lydia de la Torre, is rejoining her former firm, Squire Patton Boggs (SPB) as Of Counsel in the Data Privacy, Cybersecurity, and Digital Assets Practice. The time commitment required by this new role will allow Lydia to continue dedicating the majority of her time to providing excellent representation to her current and future clients. Additionally, this role will facilitate a bilateral exchange of resources, enabling both SPB and GDL to offer enhanced support and opportunities to their respective clients.
SPB’s Data Privacy, Cybersecurity and Digital Assets Practice is ranked by Lexology’s Global Data Review, the data law and regulation magazine which identifies and profiles the world’s leading 100 law and consulting firms, as “Elite,” the highest level awarded by the publication which is reserved for the top 25 firms.
“We are thrilled to have Lydia rejoin Squire Patton Boggs,” said SPB’s Global Managing Partner Michele Connell in their press release. “She is a nationally leading privacy and data law thought leader who has been instrumental in shaping the current US consumer privacy law landscape and is known and respected by regulators worldwide.”
Alan L. Friel, chair of SPB’s Global Data Practice added, “I have followed GDL with interest since Lydia founded it after stepping down from SPB to take a role as an inaugural board member of the California Privacy Protection Agency. When she announced that she was going to step down from the Board, I immediately invited her to return to our senior ranks because of all the knowledge and experience I knew she would bring to bear at SPB. After several conversations, we were able to craft a role for Lydia that meets SPB’s needs while being supportive of her dedication to GDL’s mission and vision.”
“As different as SPB’s business model might seem from GDL’s “teaching law firm” model, both firms are strongly committed to diversity, equity, and inclusion and will dovetail perfectly,” said Ms. de la Torre. “GDL and SPB both foster an environment that champions open dialogue, collaboration, and a focus on ensuring equal opportunities to all.”
Ms. de la Torre's new role at SPB will enhance her ability to continue serving the needs of GDL’s clients now and in the future. GDL also looks forward to the new possibilities afforded by this role, including potential opportunities for its future fellows.
GDL’s Founding Partner is proud of her contribution to the 2025 Cambridge Handbook of Emerging Issues at the Intersection of Commercial Law and Technology.
Lydia co-wrote Chapter 3 with her colleague, Ann LaFrance, in which they analyzed the regulation of AI under the EU Artificial Intelligence Act.
GDL’s Founding Partner is Honored for her Contributions to the California Privacy Protection Agency
Golden Data Law (GDL) is pleased to announce that its Founding Partner, Lydia F de la Torre, was honored at the California Privacy Protection Agency (CPPA) Board Meeting on Friday, March 7, 2025, by the unanimous passage of a resolution to officially recognize her services and contributions to CPPA in her 3-year tenure on the board.
The portion of the linked video that highlights Lydia begins at 35:32 and ends at 54:29.
GDL’s Founding Partner Moderates Panel at the California Lawyers Association’s Privacy Conference
Golden Data Law (GDL) is pleased to announce that its Founding Partner, Lydia F de la Torre, participated in a panel at the California Lawyers Association's Annual Privacy Summit at UCLA on Friday, February 28, 2025.
In a session entitled “Taming AI: 2024’s new AI laws and litigation to reign in the multi-headed AI beast”, the panelists discussed some of the key state laws addressing the use of AI, where they overlap and where they diverge.