Since the California Consumer Privacy Act’s (CCPA) 2018 passage, employers have been wondering how the law will apply to data collected and maintained about employees. Until now, employment data had been exempted from most of the CCPA’s requirements.
But the California Privacy Rights Act (CPRA) amendments to the CCPA took effect on Jan. 1, and the legislature failed to extend the employer exemptions, meaning many categories of human resources data will be subject to the requirements of the law.
Employee data now will be treated as any other commercial information, and covered employers will need to add such data to their ongoing compliance efforts. Indeed, under the CCPA, personal information is defined broadly and could include an employee’s contact information, insurance and benefits elections, bank information, emergency contacts, dependents, resume, performance evaluations, wage statements, time records, equity grants, compensation history, and other information routinely collected during the employment relationship.
Moreover, the CPRA introduces a new concept of sensitive personal information, such as financial information, social security numbers, communications content, health information, and biometrics, which must be considered and addressed by the employer.
First, employers must prepare and provide a privacy notice to employees and job applicants when personal information is collected or beforehand, potentially including on online applications. It can be in the employee handbook and/or on internal websites. The employee privacy policy may be similar to the one for consumers, though it may need revision to accurately reflect the categories of personal information collected, the retention period, and the categories of third parties with whom such information will be shared (e.g., payroll service providers).
As to those third parties, the employer must enter a Data Processing Agreement (DPA) with such vendors that governs their treatment of personal information. Specifically, the DPA must:
- Identify the purposes and services for which the vendor will process personal information.
- Prohibit the retention, use, or disclosure of information for non-specified purposes.
- Require CCPA compliance.
- Establish the employer’s right to take steps to ensure the vendor’s CCPA compliance.
- Require notification if the vendor can no longer comply.
- Establish the employer’s right to stop and address unauthorized use of personal information.
- Require the employer to inform the vendor of any employee request for information.
- Prohibit the sale and sharing of personal information.
- Require that any sub-processors be contractually bound to the vendor’s DPA obligations.
The CPRA amendments also give employees, job applicants, and contractors certain request rights, including:
- To access personal information, including any profiles and/or inferences collected or generated by the employer in or after 2022.
- To correct any inaccurate personal information.
- To have the employer delete personal information collected (subject to certain exceptions).
- To restrict the use of their sensitive personal information to specific business purposes or disclosures.
- To opt out of the sale of personal information to third parties.
The CCPA requires businesses to make available two or more designated methods for submitting requests, including a toll-free telephone number, and to disclose and deliver the required information within 45 days of the request, unless an exception exists. For covered employers, this will likely mean developing a system for submitting CCPA requests and a process for producing the required information.
Such disclosure requirements are not entirely new. Under the Labor Code, California employers already must produce personnel records to employees upon request. But the CCPA goes beyond these existing requirements and requires employers to disclose and deliver, free of charge, the personal information the business has collected, the sources from which it is collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom it is shared.
The new right to demand deletion of employee information raises questions about conflicts with certain legal requirements to retain such information. Recognizing this, the CCPA provides several exceptions to the data deletion requirement, such as where retaining the data is necessary to enable “solely internal uses” aligned with the expectations of the parties’ relationship or to comply with legal obligations.
Employers will have plausible arguments that most employee data falls within one of these exceptions, but they should think carefully about this issue. Indeed, following retention of data based on such an exemption, the employer may not use the data for any purpose unrelated to that exemption. For example, if an employer retains an employee’s personal information to comply with tax obligations, it may not use that data to contact the employee for marketing purposes.
Key Takeaways
To ensure compliance with the CCPA with respect to employment data, covered employers should take the following steps:
- Assess the categories of personal information collected, retained, and disclosed about employees, including whether the CCPA requires disclosures about that data, deletion of such data upon request, or other obligations.
- Review the business’s privacy policy to ensure it includes the required CCPA disclosures and notices.
- Implement a DPA to be included in all vendor relationships that involve employee data.
- Develop a mechanism for employees to make requests regarding their personal information.
- Identify the person to receive requests under the CCPA, and train staff on how to respond to such requests.
Nate Garhart are attorneys with Farella Braun + Martel in San Francisco. © 2023. All rights reserved. Reprinted with permission.