California employers, beware: The state’s top prosecutor just announced his office is conducting an investigative sweep of whether and how large California employers have complied with data privacy requirements for employees and job applicants.
The July 14 announcement came just two weeks after a court put a hold on enforcement of the updated California Consumer Privacy Act (CCPA) regulations that became final in March, which may have lulled some businesses into a false sense of security.
While this recent initiative targets large employers, all businesses nationwide that are subject to the CCPA and have one or more employees in California should heed this warning. Here’s a five-step action plan for employers subject to this law.
1. Understand the scope: Employees now have the same CCPA rights as other consumers. While employees were always consumers under the CCPA, their rights at the inception of the law in January 2020 were limited. However, as of Jan. 1, 2023, the CCPA provides California employees with the same rights that other consumers would have under the CCPA. This has nothing to do with your type of business or whether you are in the business of selling data.
If your business triggers any of the criteria for the CCPA to apply, then all of the following individuals are your consumers with full rights under the CCPA so long as they are California residents and you have any data about them:
- Current and former employees.
- Family members, dependents, beneficiaries, and emergency contacts of your current and former employees.
- Job applicants.
- Independent contractors.
Recognizing that your HR and recruiting teams are now at the epicenter of consumer privacy compliance is the first step to withstanding an AG investigation.
2. Provide employees and applicants with notices at collection and a privacy policy. At its core, the CCPA is all about transparency. One of the first things employers will be asked in an enforcement action is whether they provided all their employees and applicants with the right notices and disclosures at the right time.
Employers should review all their privacy notices and policies and ensure they have been distributed properly. The following can provide a starting point for an internal assessment:
- Do you provide a privacy notice to job applicants who are California residents at or before the point at which you collect any personal information?
- Since Jan. 1, 2023, have you provided all your current employees who are California residents with an updated privacy notice that identifies all categories of data you will collect from or about them during their employment and all the purposes for which you will use or disclose the data?
- Do you have your privacy notice included in your onboarding documents for new employees who are California residents?
- Do you have a privacy policy that employees who are California residents can access at any time?
- Does your privacy policy inform employees about what data you have collected from or about them in the last 12 months, where you got the data from, how you use and disclose the data, whether you sell or share their data for targeted ad purposes, whether you have done so in the last 12 months, to whom you sold/shared it for such purposes, and how long you intend to keep the data? Does your privacy policy also inform employees of what rights they have under the CCPA and how they can exercise those rights?
3. Implement an effective workflow to receive, respond to, and comply with CCPA requests from employees and job applicants. California employees and job applicants may exercise rights in relation to their personal information, and employers have strict deadlines to respond to such requests.
For example, a California employee or job applicant has a right to know what personal information is collected about them, the right to access such information, the right to correct such information, and the right to delete such information. An employer has 10 business days to confirm receipt of such a request and 45 calendar days to respond substantively; that 45-day period may be extended once by up to another 45 days (to 90 calendar days in total) when reasonably necessary, provided the requester is told about the extension within the first 45 days.
Employees and job applicants can request to opt out of the selling or sharing of their data with third parties for purposes of targeted ads. They also have a right to request that the employer limit the use or disclosure of certain data that the law defines as “sensitive,” but only where the employer is using or disclosing the sensitive data in certain ways. Businesses must respond to these requests within 15 business days.
It is critical that you implement a CCPA-compliant request process for employees and job applicants. Your process should address all of these types of requests and enable you to respond by the statutory deadlines, as well as maintain a record of all requests and how you handled them for at least two years. When implementing such a process, there are two key points to keep in mind:
- You must offer at least two designated methods for submitting CCPA requests (at a minimum a toll-free number, plus an electronic method such as a web form or email address) and adhere to the strict response deadlines discussed above.
- You must implement a verification process to confirm the identity of the person making a request to access, know, correct, or delete before acting on it. Requests to opt out of selling or sharing and requests to limit the use of sensitive data may not be made subject to identity verification; you may ask only for the information needed to locate the person's data and act on the request.
4. Update your contracts with vendors that collect, process, store, or access employee or applicant data.
Employers often have contractual relationships with vendors that collect and use employee or applicant data, including for payroll operations, benefit administration, employment and salary verification, and other uses. But employers are the stewards of this information, and employers must ensure CCPA compliance for that data. A third-party vendor’s improper use and storage of employee or applicant data can create potential liability for your business.
This requires you to exercise proper due diligence on your vendors to ensure their data usage complies with the CCPA, including the requirement to use “reasonable security measures.” In addition to exercising due diligence and asking the right questions when selecting a reputable vendor, you want to ensure your contract has strong language to address potential issues. The contract should clearly articulate the scope of acceptable data use and deletion requirements.
The state attorney general will likely seek to hold you liable for violations by your vendors, so reviewing your contracts with vendors is a critically important part of avoiding or reducing potential liability. The attorney general also will be looking at whether you have updated contracts with your vendors to include specific terms required by the statutory changes to the CCPA that took effect this year.
5. If you receive a letter from the attorney general, do not panic! The attorney general announced his office will initiate this investigative sweep by sending inquiry letters to large California employers and then scrutinizing their responses. The AG's investigation is meant to serve as a strong reminder to employers that, while there was a reprieve for the first three years of the CCPA's existence as to employee and job applicant data, that grace period has ended. It is important that businesses expand their CCPA compliance efforts to fully include employees and job applicants who are California residents.
Benjamin M. Ebbink, Darcey M. Groden, Usama Kahf, Anne Yarovoy Khan are attorneys with Fisher Phillips. © 2023. All rights reserved. Reprinted with permission.