How Large Employers Can Prepare for CCPA/CPRA Obligations for “HR Data” in 2022
Get ready, large employers. After years of amendments exempting the personal information of employees and other personnel from the California Consumer Privacy Act (“CCPA”), covered employers now have a firm deadline by which to comply with the CCPA’s requirements in protecting employee and personnel personal information (“human resources data”). The deadline – January 1, 2023 – may appear far off, but certain provisions trigger obligations for 2022. Below are the steps large employers should take to comply with the CCPA.
Step 1: Be familiar with the rights afforded to consumers under the CCPA.
The CCPA was enacted on June 28, 2018, creating one of the most comprehensive frameworks for regulating digital privacy in the United Sates. The law currently grants California consumers the right to know what personal information is collected, used and processed by covered businesses; the right to access the personal information; the right to request that covered businesses delete the personal information; the right to know whether and to whom the personal information is sold or disclosed; the right to opt out of the sale of personal information; and, the right to the same quality of service as that provided to consumers who do not opt out. The CCPA’s effective date was January 1, 2020.
Step 2: Determine if the CCPA applies to the employers’ business.
The CCPA applies to for-profit companies that do business in California that either have an annual gross revenue of over $25 million; buy, sell, receive, or share the personal information of at least 50,000 California residents, households, or devices for commercial purposes; or derives at least fifty percent of their annual revenue from selling California residents’ personal information (“large employers”).
Step 3: Understand the extent of the CCPA’s current “employee” exemption.
Human resources data is largely exempt from the CCPA for the time being. Under the CCPA’s current “employee” exemption, the personal information of a job applicant, employee, owner, director, officer, medical staff member, or contractor of a covered business are exempt from the CCPA as long as the covered business collects and uses the personal information (1) in the context of the covered business’s relationship with the employee or personnel, (2) to maintain emergency contact information on file, or (3) to administer benefits.
Step 4: Understand the new obligations for human resource data under the CCPA.
Human resources data was exempt from the CCPA’s requirements until January 1, 2021. With the approval of Assembly Bill 1281 on September 29, 2020, the January 1, 2021 deadline was extended to January 1, 2022. California voters approved the California Privacy Rights Act (the “CPRA”) on November 3, 2020, which amended the CCPA and extended the employee exemption to January 1, 2023, the effective date of the CPRA.
The extra year is helpful for large employers, as the CPRA expands consumers’ rights. In addition to the CCPA rights, the CPRA grants California consumers the right to correct personal information; the right to limit the use and disclosure of sensitive personal information; and, the right to opt out of the sharing of personal information. Additionally, the CPRA has a 12-month “look-back” provision, meaning that employers should be tracking their collection, use, and disclosure of human resources data up to twelve months before the January 1, 2023 effective date. Thus, employers should be prepared to provide information going back to January 1, 2022.
Enforcement of these additional rights lies with the ability of employees and personnel to seek to assert a private right of action for data breaches. The CPRA adds an additional enforcement mechanism by establishing the California Privacy Protection Agency, which administratively enforces the CCPA as amended by the CPRA.
Step 5: Create an action plan to comply with the CCPA as amended by the CPRA.
Although the January 1, 2023 deadline seems far away, large employers should take steps to ensure compliance with the CCPA and CPRA concerning human resources data. These steps include: engaging in data mapping of human resources data; continuing to provide CCPA privacy notices to employees and personnel; ensuring the accuracy of privacy policies; evaluating physical, technical, and administrative safeguards concerning human resources data (which includes evaluating contracts with vendors such as payroll providers and benefit administrators); and implementing a plan to ensure the tracking of human resources data from January 1, 2022 and onwards.
These five steps provide a great starting point in working towards CCPA/CPRA compliance. Large employers should take advantage of the extra year granted under the CPRA to develop and implement California-compliant programs so that by January 1, 2023, employers can provide information about the collection, use, and disclosure of human resources data.
* A version of this blog post was originally published in the Orange County Business Journal on November 15, 2021.