In honor of this year’s Asian American, Native Hawaiian and Pacific Islander Heritage Month theme “Advancing Leaders Through Innovation,” Littler associate Ed Tsui spoke with Littler shareholder, Lavanga Wijekoon, who shared how he has been able to advance his practice at the firm through innovation.

As the first compliance deadline rapidly approaches, employers should closely track a new lawsuit filed earlier this week that challenges the federal overtime rule. A coalition of business groups claims the Labor Department exceeded its authority by setting the salary threshold too high and requiring automatic increases every three years. Under the new rule, which is expected to impact 4 million workers, the salary threshold for the so-called “white-collar” exemptions is set to rise from $35K to about $44K on July 1 and jump to nearly $59K at the start of 2025. Employees will need to earn at least this new threshold to even be considered exempt from OT pay under the white-collar exemptions. Although the rule is now in legal limbo thanks to the May 22 lawsuit, you can’t count on a court blocking it – so you should keep preparing for it to take effect as planned. Here’s what you need to know as the legal challenge unfolds.

1. How Did We Get Here?

Under the federal Fair Labor Standards Act (FLSA), employees generally must be paid an overtime premium of 1.5 times their regular rate of pay for all hours worked beyond 40 in a workweek — unless they fall under an exemption. To qualify for the white-collar exemptions – the executive, administrative, and professional exemptions – employees must meet three criteria:

  • Be paid on a salary basis;
  • Be paid at least the designated minimum weekly salary; and
  • Perform certain duties.

Currently, the salary threshold for these exemptions is $684 a week ($35,568 annualized). The DOL’s new rule raises the rate first on July 1 to $844 a week ($43,888 annualized), then on January 1, 2025, to $1,128 (or $58,656 a year).

In addition to raising the salary threshold, the rule makes the following key changes:

  • The salary threshold will be automatically updated every three years starting on July 1, 2027.
  • The threshold for the “highly compensated employee” (HCE) exemption will rise, first to $132,964 on July 1, then to $151,164 on January 1, 2025 – which is also a bigger increase than initially proposed and is a significant increase from the current $107,432. The HCE threshold will also be updated every three years.

The business groups that are challenging the rule say the Labor Department doesn’t have the authority to make these changes.

2. Didn’t This Happen Before?

Yes. This lawsuit did not come as a surprise, and it tracks a challenge to the Obama administration’s 2016 rule, which also attempted to dramatically increase the salary threshold. In fact, the new lawsuit has been filed in the same federal district court in Texas.

In 2016, the court stopped the rule from taking effect just days before the hike was set to take effect – and it permanently blocked the rule in a 2017 order. In that case, the court said the new salary threshold was too high because it “essentially make[s] an employee’s duties, functions, or tasks irrelevant if the employee’s salary falls below the new minimum salary level.” The court also prohibited the DOL from automatically increasing the salary threshold without following certain requirements under the Administrative Procedure Act, such as providing notice and allowing the public an opportunity to comment.

In the new lawsuit, the business groups claim the DOL has defied the court’s prior order. They allege the agency issued another minimum salary level that goes “far beyond” what the Department is authorized to adopt – and by incorporating automatic increases into the new rule.

“The Department’s 2024 Overtime Rule largely repeats the errors of the 2016 Rule and fails to address the flaws previously identified by this Court,” according to the May 22 complaint.

Notably, there is also some debate over whether the DOL has the authority to set a salary threshold at all.

Moreover, when looking at the bigger picture, you should note that two cases pending before the Supreme Court are broadly challenging the boundaries of federal agency power. Our FP attorneys are predicting that SCOTUS will replace the Chevron standard – which gives agencies an immense amount of deference – with a narrower test that will give courts wide latitude to put regulations under a microscope and second guess an agency’s wisdom. If these predictions come true, the business groups challenging the OT rule could have a much better chance of succeeding on their claims. We expect SCOTUS to issue decisions in these cases by the end of June, just before the July 1 effective date for the DOL’s first salary threshold increase. Stay tuned for updates, as these cases could change everything.

3. What Should We Do Now?

It’s important to remember the effective dates for compliance have not been changed or blocked … at least not yet. Complying with the new salary level may require careful planning, budgeting, and communications with employees. So, you don’t want to wait and see what happens before you build a strategy to comply by July 1.

You can click here for our comprehensive guide to the new overtime rule – and 10 steps you can take now to prepare.


We will continue to monitor developments from the courts and the DOL’s Wage and Hour Division, so make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our Wage and Hour Practice Group.

New York City employers should review their handbooks and employment agreements to ensure they comply with a new law that took effect May 11. Lawmakers recently amended the New York City Human Rights Law (NYCHRL) to prohibit any term of an employment agreement aiming to shorten the time for employees to file a claim of unlawful discriminatory practices, harassment, or violence under the NYCHRL. Here’s what you need to know to comply.

Key Compliance Points

  • The NYCHRL protects employees from illegal discrimination and harassment, among other things.
  • Aggrieved employees have one year to file a complaint with the NYC Commission on Human Rights alleging unlawful discrimination, harassment or violence and three years to file a gender-based harassment claim.
  • In addition, employees may file a lawsuit within three years of the alleged NYCHRL violation.
  • While court cases previously upheld contractually shortened statute of limitations periods under the NYCHRL, this amendment now prohibits any provision within an employment agreement that attempts to contractually shorten these time periods.
  • Now, if an employment agreement includes such a term, it will be void and unenforceable, but it will not affect the enforceability of other terms in the agreement.

What Should Employers Do Now?

  • You should take a fresh look at all employment agreements, handbooks, arbitration agreements, and other documents governing terms and conditions of employment.
  • Check for any language aiming to limit the time employees have to bring claims under the NYCHRL.
  • Any provision with such a term is now unenforceable, and the agreements should be revised accordingly.


We will continue to monitor workplace developments, so make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information directly to your inbox. If you have questions about these updates, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our New York City office.

As protests erupt across college campuses, educational institutions are grappling with how to handle escalating situations and balance important interests like free speech and student safety. Colleges and universities are under enormous pressure to resolve the unrest – but even as spring semesters wind down, there appears to be no clear path forward.  While campus protests present difficult line-drawing questions, the basic legal framework and other considerations can help guide your institution if tensions arise on your campus. We’ll give you the key points to consider and seven tips for crafting a protest policy.

Free Speech Rights: Public vs. Private Universities

The First Amendment to the U.S. Constitution limits the federal government’s ability to restrict speech – including protests – under certain circumstances. Those same limits are imposed on state and local governments. Here’s how the First Amendment applies to colleges and universities:

  • Public schools are considered arms of government and therefore must respect protestors’ free speech rights. But those rights are not absolute. For example, public schools – to protect campus safety and order – may sometimes impose rules on the time, place, and manner of protests if those rules are reasonable, content-neutral, and leave other channels open to communicate the message.
  • Private schools are not bound by the First Amendment. They can restrict speech and protests in ways that their public counterparts cannot. But many private schools choose to abide by free speech principles to promote civil discourse and academic freedom. In addition, state or local rules might grant protestors broader protections. For example, California’s “Leonard Law” prohibits non-religious private universities from making or enforcing rules that discipline students based solely on speech or conduct that is protected from governmental restrictions under by the First Amendment.

Antidiscrimination Laws

Even when schools are compelled or otherwise choose to respect free speech rights, they must balance that with their obligation to protect students from discrimination and harassment. Civil rights laws can apply to both private and public schools. For example, Title VI of the Civil Rights Act protects individuals from discrimination or harassment based on race, color, or national origin in programs or activities that receive federal financial assistance. And states and localities in your jurisdiction may have their own applicable anti-discrimination laws.

Finally, colleges and universities have to be careful with their own policies. If you have promised freedom of expression in your promotional materials, then you will be obligated to provide what you promised. 

But where do you draw the line between protected speech and harassment? This tends to be a legal gray area and depends on the specific facts at hand. The U.S. Department of Education issued a “Dear Colleague” letter last year after campus tensions and hate crimes began to rise. It clarified that harassing conduct under Title VI “can be verbal or physical and need not be directed at a particular individual” and creates a hostile environment if it is objective offensive and “so severe or pervasive that it limits or denies a person’s ability to participate in or benefit from the recipient’s education program or activity.” You should work with your legal counsel if you believe conduct on your campus has crossed or is approaching this line. 

Other Considerations

Beyond the legal implications, colleges and universities should consider other factors when handling campus protests.

Campus Identity

What is the identity or character of your institution? How your school prepares and ultimately responds to a protest should be reflective of the values it claims and the type of student it intends to cultivate. Does your school stress compassion? Does it value intellect above all? Do you place focus on personal integrity and community service? By using your school’s identity to frame your plan for a protest, your actions and reactions will be authentic to your institution.

Public Attention

Regardless of whether your school is public or private, any restriction on protests or disciplinary action on protesters can very quickly attract substantial negative attention from both mainstream media and social media. To lower the risk of outside scrutiny and unwanted attention for your school and faculty, you should think carefully before putting out overly broad statements. This can include, for example, a statement that any involvement in a school protest will automatically lead to suspension. You’ll also want to take disciplinary action only when the behavior is truly disruptive.

How a Protest Policy Can Help

No school is immune from a campus protest. Today’s students can mobilize quickly and, especially in the current climate, many are prepared for intense clashes and unafraid of confrontation. Your school can benefit from proactively thinking about these issues and establishing clear policies.

A protest policy can help your institution:

  • create a roadmap for handling issues related to campus protests, enabling you to respond quickly and fairly;
  • distance itself from the views of students or outsiders who are using school facilities to express ideas that do not reflect the school’s identity;
  • end activities that interfere with your operations or create safety risks for your campus;
  • protect the rights of your students and faculty; and
  • promote civil discourse and academic freedom.

The key is crafting a policy that can balance of all these important – and often competing – interests.

7 Tips for Higher Ed Policies on Campus Protests

If a protest policy is right for your college or university, here are seven tips to keep in mind:

1. Set the Tone

A protest policy is a great opportunity to establish your campus identity and encourage free expression while making it clear that some conduct – such as actual or threatened violence – will never be tolerated.

2. Plan for the Worst

Brainstorm some worst-case scenarios and play them out under your school’s policy to determine whether it would be effective, and how you might control your campus identity if the situation cannot be prevented.

3. Keep it Neutral

Public colleges and universities must ensure that their protest policies are content-neutral so that they do not infringe upon free speech rights. This means that your policies cannot single out only certain viewpoints for censorship or discipline. Private colleges and universities have more leeway here but may want to consider viewpoint neutrality in their policies to promote academic freedom and civil discourse. 

4. Enforce it Consistently

On a similar note, you will want to ensure that your protest policy is enforced consistently so that no particular viewpoint is targeted or disproportionately punished.

5. Define the Scope

What is the extent of the activities you want your policy to cover? Do you want to address lower-risk actions, such as students placing flyers around campus, as well as higher-risk actions, such as student picketing, encampments, and other occupations of school facilities?

6. Detail Your Response Plan

Your policy can provide procedures for how your institution will respond to obstructive or disruptive demonstrations. The procedures might begin a tiered warning system and end with police involvement as a last resort.

7. Prepare Your Communication Strategy

Campus protests and the way you respond to them can result in negative reporting, both internally and externally. If your institution comes under fire, you will need to be ready with a communication plan. Our Crisis Communications and Strategy Practice Group can assist immediately to quickly minimize business risks and mitigate reputational damage.


Fisher Phillips will continue to monitor any further developments in this area as they occur, so make sure you are subscribed to Fisher Phillips’ Insight System to gather the most up-to-date information. If you have questions about how to handle campus protests or about implementing a protest policy, please contact your Fisher Phillips attorney, the authors of this Insight, or any member of our Education team or Higher Education team for more information.

Immigration associates George Thompson and Deepti Orekondy discuss the nuances and intricacies of filing of an H-1B visa application, including H-1B Cap petitions, and how to help employers maintain H-1B compliance. This podcast delves into common pitfalls and strategic considerations for an employer filing an H-1B petition.

Welcome to this edition of the FP Snapshot on Manufacturing Industry, where we take a quick snapshot look at a recent significant workplace law development with an emphasis on how it impacts employers in the manufacturing sector. This edition is devoted to the Federal Trade Commission’s (FTC) recently announced rule that bans non-compete agreements in almost all cases. The new rule will make it much harder for manufacturers to use these agreements to protect their interests. It will have a particular impact on manufacturers’ ability to prevent employees from leaving and working for a competitor, or from starting their own competing business. Read on to find out the five steps you should consider taking as a result.

Snapshot Look at the New Rule

The new rule is the result of years of advocacy by the FTC, which has long argued that non-compete agreements are anti-competitive and harmful to workers. The FTC’s new rule bans non-compete agreements in most cases, with a few exceptions. For example, the rule does not apply to non-compete agreements that are part of a business sale or to agreements that protect trade secrets. The FTC’s new rule bans not only new non-competes, but also existing non-competes in almost all circumstances. In addition, employers must provide explicit notice to both current and former employees that their non-competes are no longer enforceable.

For a deeper dive into the situation, you can read our full Insight here.

What Do Manufacturers Need to Know?

The rule defines “non-competition agreements” as any term or condition of employment that prohibits a worker from, penalizes a worker for, or functions to prevent a worker from seeking or accepting employment with another business or operating a business. This new rule will apply to almost all of your employees, from sales employees with key relationships and detailed know-how on how to move product to production engineers.

At the very least, you have a 120-day window before this rule takes effect. With plenty of lead time, these are the steps you should consider taking to ensure your company is ready if/when the rule takes effect:

1. Look at What You Have and Make a Plan Work with your legal counsel as soon as possible to craft an individualized strategy plan. It should take into consideration the size of your business, the number of non-competes in play, the importance of such agreements to your business, your risk tolerance levels, and the resources you have on hand.

Manufacturers should take immediate action to determine which of your employees present the highest risk of competition through the use of company know-how and information. Most often these employees will either serve in high level roles or have closely held information regarding production methods and designs.

2. Understand What the Rule Does Not Include

Importantly, the rule does not explicitly ban other forms of protection for employers, such as customer non-solicitation agreements or employee non-recruitment, confidentiality, or non-disclosure provisions. The validity determinations will be made on a case-by-case basis, but the provisions are valid so long as they do not prevent the employee from getting a job. Now is a great time to sync with your FP counsel to ensure these agreements are tailored to protect your legitimate interests.

3. Understand Who the Rule Does Not Include

One of the few circumstances where employers can still enforce non-competes under this rule is with Senior Executives. The final rule defines “senior executives” as workers earning more than $151,164 annually and who are in policy-making positions. Keep in mind that the FTC estimates “senior executives” make up fewer than 0.75% of all workers – make sure you determine which of your workers fall into this category.

4. Understand Alternative Options

A less burdensome covenant, such as a properly tailored customer non-solicitation or confidentiality provision, could achieve the same goals as a non-compete with less risk involved. Work with your legal counsel to bolster these covenants, particularly as they relate to production, design, and key sales employees.

5. Understand and Maximize Trade Secret Protection

The FTC cites the availability of trade secret protection as a factor that could mitigate the harm of abrogating non-competes. It will be critical to identify trade secrets and ensure that you have proper policies and procedures in place to protect them, limit trade secret access only to those who need it, train employees how to handle trade secrets and protect against theft and implement suitable technological controls.

Frequently, manufacturers will implement non-compete agreements that incorporate trade secret language in a “one size fits all approach.” If you maintain such an agreement, it is worth considering separating out trade secret from non-competition.

Want More?

We will continue monitoring workplace law developments as they apply to manufacturers, so make sure you are subscribed to Fisher Phillips’ Insight System to have the most up-to-date information sent directly to your inbox. If you have questions, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney on our Manufacturing Industry Team.

In this pro bono podcast, Littler’s Lavanga Wijekoon speaks with Ellen Miller of the National Immigrant Justice Center, Jodi Ziesemer of the New York Legal Assistance Group and Laura Lunn of the Rocky Mountain Immigrant Advocacy Network about the work being done across the country to help immigrants and their families who are in desperate need of immigration protections.

Employers should review their handbooks and workplace conduct policies in light of a new development that could greatly expand the penalties for unfair labor practice charges. The NLRB’s General Counsel just issued a memo on April 8 directing the Board’s Regional Offices to seek full remedies for all employees harmed by an unlawful work rule or contract term – even if those employees are not identified during an unfair labor practice investigation. As we predicted last year in the aftermath of a Labor Board decision that dramatically changed the law on employee handbooks, employers will need to kick their compliance efforts into high gear. We’ll explain the key points and give you four steps you should consider taking next. 

Federal Labor Law and the Stericycle Standard

In its Stericycle, Inc. decision last year, the NLRB adopted a new legal standard for evaluating whether an employer’s work rule violates the National Labor Relations Act even if it does not expressly restrict employees’ right to engage in protected concerted activity under Section 7 of the act. The new standard examines whether a workplace rule or policy “has a reasonable tendency to interfere with, restrain, or coerce employees who contemplate engaging in protected activity.”

In the aftermath of that decision, common employer policies, such as those on confidentiality, moonlighting, at-will employment, dress code, and many others, have been struck down by administrative law judges (ALJ). For example, in United Electrical Contractors, Inc., an ALJ concluded that a prohibition on “disrespect toward supervision” and rules against dishonesty or falsification of company records (such as employment applications and time entries) were presumptively unlawful. And in General Motors Components Holdings, LLC, an ALJ struck down employer prohibitions on:

  • distracting the attention of others;
  • “wasting time” or loitering;
  • unauthorized soliciting or collecting contributions for any purpose whatsoever during working hours;
  • misusing or removing certain items from employer premises (such as employee lists, blueprints, company records, or confidential information) without proper authorization;
  • making or publishing of malicious statements concerning any employee, the company, or its products.

What the Recent Memo Means for Employers

Some recent post-Stericycle ALJ orders have arguably already expanded employee remedies for unlawful work rules. For example, in addition to cease-and-desist orders, remedies included:

  • reversal of the discipline, including reinstatement of the discharged employee (ExxonMobil Global Services Company);
  • removal of all references to the unlawful disciplinary actions from company files;
  • a “make whole” remedy for loss of earnings and other benefits, with interest compounded daily;
  • compensation for any other direct or foreseeable financial harms, including job-search and interim employment expenses, with interest; and
  • compensation for any adverse tax consequences of receiving a lump-sum backpay award.

As is typical, the employers were also ordered to post notices in obvious places for 60 days regarding the violations and ALJ order and distribute the notice electronically if the company regularly communicates to its employees in that manner.

But the General Counsel’s new memorandum appears to target another class of cases – which do not necessarily involve specifically identified affected employees. These types of cases previously have had less comprehensive remedies – but the memorandum suggests that those remedies fail to make impacted employees whole. So, the General Counsel is instructing Regional Directors to:

  • identify employees who were impacted by the unlawful work rules and order the employer to remove discipline from their record and provide backpay as part of the remedy;
  • obtain this information from the employer “during settlement efforts,” which could greatly expand the liability of any given case and make settlement more costly for employers; and
  • request legal fees and costs, if any, as part of the remedy for those eligible employees impacted by an unlawful contract term.

Because any work rule deemed unlawful could impact an employer’s entire workforce, the potential liability employers may face under such expanded remedies could be dramatic and ultimately detrimental to their business.

What Employers Should Do Next

Now, more than ever, you should consider taking the following four steps:

  1. Review your work rules for potential Section 7 violations, especially all too common rules on confidential information and disobedience.
  2. Seek legal counsel for questionable work rules and ensure they’re narrowly tailored or properly phrased in compliance with the law.
  3. Train managers and human resources staff to avoid chilling employees’ Section 7 rights.
  4. Review all other policies to ensure they are compliant with the NLRA and close the gap on potential liabilities.


We will continue to monitor developments as they unfold. Make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information directly to your inbox. Should you have any questions on the implications of the GC Memorandum and how it may impact your current workplace rules and policies, please do not hesitate to contact your Fisher Phillips attorney, the authors of this Insight, or any member of our Labor Relations Group for additional guidance.

Businesses take heed: California state officials just warned that the law prohibits you from collecting unnecessary data and retaining data for longer than necessary. The California Privacy Protection Agency published its first Enforcement Advisory on data minimization under the state’s hallmark data privacy law on April 2, focusing on a very specific context: when businesses respond to consumer requests under the California Consumer Privacy Act (CCPA). Here is what you need to know and the four key steps you can take to avoid over-collecting data when you respond to CCPA consumer requests – including from employees and job applicants.

What is Data Minimization and Why Issue an Enforcement Advisory?

While an Enforcement Advisory is not meant to interpret the CCPA or make new law, it nevertheless provides insight into what a likely priority of the Agency will be going forward. And the April 2 Enforcement Advisory is very clear in providing a warning to businesses.

The Agency appears to have the impression that businesses are requesting too much information from consumers when they submit a CCPA consumer request. As it states: “Data minimization is a foundational principle of the CCPA.” This principle is undermined when you make it too hard for consumers to exercise CCPA rights that effectuate data minimization, or you ask for too much information to verify a consumer’s identity.

Data minimization is premised on the CCPA requirement that a business’s collection, use, retention, and sharing of consumer personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” Whether the collection, use, retention, and/or sharing of personal information is reasonably necessary and proportionate to achieve the purpose identified is based on the following:

  • The minimum personal information necessary to achieve the purpose identified, or any purpose for which the business obtains the consumer’s consent (meaning a use of the data that you’ve disclosed to the consumer at or before you collected the data from the consumer, or that you can prove was consented to by the consumer);
  • The possible negative impacts on consumers; and
  • The existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers.

To illustrate the concept, the Enforcement Advisory highlights this principle as seen in the CCPA rules regarding opt-out preference signals (aka global privacy controls), requests to opt-out of the sale/sharing of personal information, requests to limit the use and disclosure of sensitive personal information, and the general rules regarding verification of a consumer’s identity.

The Enforcement Advisory further provides two factual scenarios where a business should consider and implement data minimization: in a response to a consumer request to opt-out of the sale/sharing of personal information; and when verifying a consumer’s identify in response to a CCPA request to delete personal information.

Data Minimization Through Opting Out of Sharing and Selling of Personal Information

In the first scenario, the Enforcement Advisory reminds businesses that you cannot require a consumer to verify their identity in connection with a request to opt out of the sale or sharing of consumer personal information or a request to limit the use and disclosure of their sensitive personal information. That means your process for receiving, processing, and responding to these two types of requests cannot include an identity verification step. While you may need additional information to effectuate the opt-out, this is not the same as verifying a consumer’s identity. And, when you need additional information, you should ask for the minimum amount necessary to effectuate the request.

The Enforcement Advisory first posits the scenario of a consumer opting out of cross-context behavioral advertising through an opt-out preference signal. Certain web browsers enable users to set up such signals so that the browser sends an automatic signal to the website that the user has opted out of the sharing of data through cookies for targeted ad purposes. In such case, you would not need additional information to read, process, and comply with the out-out signal.

However, if you sold or shared personal information offline and were unable to connect the online user with their offline activities, you would need additional information to effectuate the offline opt-out. That being said, the information requested should only be sufficient to effectuate that offline request. Asking for unrelated personal information – for example, asking for a driver’s license to opt-out of having a business sell a consumer’s purchasing history – would likely be in excess of what you need (according to this Enforcement Advisory).

Data Minimization When Verifying a Consumer’s Identity

In the second scenario, the Enforcement Advisory walks through an example of how you may apply the principle when receiving consumer requests to delete personal information. Here, the Agency did not provide any easy or suggested answers – instead, it put forward a series of questions (without any suggested answers) that you can ask in evaluating what information to request when evaluating whether to delete consumer data.

Despite avoiding answers to its own questions, the questions themselves provide some insight into what you should consider when determining how to verify an identity:

  • Evaluate the harm of an unauthorized deletion to the consumer. While the example focuses on destruction of information of sentimental value, you should also consider whether the destruction of information could have economic or other significant negative impacts. Where the potential harm to a consumer is on the higher end of the spectrum, more stringent verification will be required. Where the information to be deleted is not significant, you need not overcomplicate the verification process. The key takeaway here is that the verification process cannot be a one-size fits all approach.
  • Evaluate the harm of asking for additional, new information from the consumer. If you ask for highly sensitive information such as a driver’s license or social security number, the consumer is at risk of identity theft if a data breach occurs. While not addressed in the Enforcement Advisory, you should also ask yourselves how requesting information from consumers that you do not already have (and thus cannot verify) helps you confirm the identity of the consumer.

It is important to emphasize that what is not at issue is any harm to your business. The Agency’s questions are consumer-centered, considering only the benefits and harms they face. When determining the appropriate verification process, you should view your processes through that lens.

Your 4 Next Steps: A Compliance Guide

In order to best position your organization for compliance, we recommend you consider the following four steps:

1. Review Your Practices

Review your mechanism for processing requests to opt out of selling/sharing of personal information and to limit the use or disclosure of personal information. If you are verifying identities to process these requests, you need to stop immediately. If you need additional information to figure out who a person is so that you can process the request (perhaps they have a common name!), you should only ask for the minimum amount of information needed to process or effectuate the request.

2. Determine if it’s Time for Global Privacy Controls

If your website utilizes third-party cookies, pixels, beacons, tags, or other tracking technology or discloses data to third parties that is then used for targeted advertising, and does not currently process or accept Global Privacy Controls (GPCs) as an opt-out preference signal, you must get this set up now.

3. Ensure Your Verification Processes are on Point

Review how you are verifying consumer identities for Requests to Know/Access, Delete, and Correct. You ideally should be verifying identities based on information already in your possession. That requires you to look at what you have and tailor the verification questions you ask based on that data. While it may be easier to just ask for a copy of a driver’s license or other government ID, you may end up collecting information which you do not already have (and information which is considered sensitive information under the CCPA to-boot), thus subverting the data minimization standards encompassed in the law.

4. Purge Stale Data

While not addressed specifically in the Enforcement Advisory, the CCPA prohibits you from retaining personal information longer than you have a legitimate business purpose to do so. If your business does not have a data retention schedule or does not follow its data retention schedule, you should make it a priority. This includes ensuring that vendors that process and store data on your behalf also follow through with deletion of stale data. “Our vendor won’t or can’t delete the data” is likely not a good excuse anymore. The law requires stale data to be deleted, so there has to be a workable solution whereby data that you are legally responsible for can be deleted – wherever it resides.


Fisher Phillips will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information directly to your inbox. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or an attorney on the firm’s Consumer Privacy Team. You can also visit our firm’s CCPA Resource Center at any time.

The news that California regulators can immediately begin enforcing new data privacy regulations will have an outsized impact on the PEO community. A surprise February 9 decision from a state appeals court pressed fast-forward on California Consumer Privacy Act (CCPA) compliance that most employers thought wouldn’t hit home right away. As you’re reading this, prying eyes and website trolls are scouring the internet looking to take advantage of this new opportunity – and employees may become aware of their new rights and jolt you into this new era of exposure. Read on for a quick summary of what went down, why this news is particularly important to PEOs – and what you can do to protect your organization.

What Went Down

  • New CCPA regulations took effect in March 2023 that provide consumers additional data privacy rights – and in California, this also includes a PEO’s worksite employees. Along with these additional rights come additional obligations on businesses, including PEOs.
  • Just because your business is not located in California doesn’t mean you can ignore the CCPA. You could be a covered business if you have one client in California and collect personal information from even a single California worksite employee.
  • Regulators built in a grace period to start enforcing them until July 1, 2023.
  • On the eve of that date, a California court delayed enforcement and concluded they could not be enforced until March 29, 2024.
  • The California Privacy Protection Agency and the California Attorney General appealed the decision.
  • On February 9, an appellate court determined that the Agency and the AG have authority to immediately enforce the regulations and don’t have to wait until late March month to begin enforcement.

Why PEOs are in the Crosshairs

To be perfectly blunt, your average employer doesn’t have to worry about immediate enforcement of the new regulations. That’s because most employers are (relatively) small enough to fly under the radar of state regulators. They just don’t have the resources to scour the state (and country) looking for violators, so their focus will likely be on larger businesses.

But PEOs? That’s a different story. PEOs are not “most” employers. The nature of your operations means you support many different small businesses and have more worksite employees as your “consumers.” If you support 1,000 businesses, for example, each with somewhere between 30 and 100 employees, you now have tens of thousands of people under your portfolio. And that is bound to catch the attention of data privacy regulators – even if you are a local or regional PEO.

Put simply, the sheer number of worksite employees involved with the average PEO puts you at higher risk than most employers.

What Should You Do?

Fisher Phillips has created a seven-step compliance plan to help covered businesses prepare for this new era of enforcement and exposure. You can access that plan here. The best place to start is a gap assessment of your data privacy practices, which can be completed in one day by our consulting subsidiary fpSOLUTIONS, among other Data Privacy Compliance services.

 But the key step for PEOs? Immediately implement a worksite employee privacy policy.

  • The new regulations require businesses to make available to worksite employees a privacy policy that, among other things, informs them about how they can exercise their new CCPA rights.
  • They also require you to list each category of personal information and sensitive information collected, the purpose for each category, any category that is sold or shared, and the retention period for each category of personal information.
  • The policy must be simple and easy to understand with minimal to no “legalese.” It must be made available in other languages if you already provide worksite employees with legal notices in another language.

Since you are likely to be scrutinized by a regulator or opportunistic plaintiffs’ attorney at some point given your status as a PEO, you need to pay particular attention to the content of your privacy policy. The time is now to update your privacy policy. This means you need to do much work to put yourself in the best position to succeed.

The bottom line – if you have not updated your CCPA notices since 2022 or earlier – or if you have never provided such notices – you should act quickly to implement new notices and stay compliant with the ever-changing law.


Make sure to subscribe to the FP Insight System to make sure you don’t miss out on further developments of interest to the PEO community. For more information, reach out to your Fisher Phillips attorney, the authors of this Insight, or any member of our PEO and Staffing Team.

This article is reprinted with permission from PEO Insider where it appeared in the April 2024 edition, available here.