The close of California’s legislative session on August 31 without amending the California Consumer Privacy Act (“CCPA”) means that CCPA will soon apply to personal information that many businesses process concerning their employees, contractors, and applicants. CCPA had been amended in November of 2020 by a ballot initiative known as the California Privacy Rights Act (“CPRA”). The amendments included a grace period until January 1, 2023 before CCPA would apply to employment information. Over the past year, some legislators proposed to extend the grace period further, but the close of the session means those proposals are now moot. As a result, businesses face a compressed timeline to bring their processing of employment information into compliance with CCPA.
What You Need to Know:
- Starting January 1, 2023, businesses that meet CCPA thresholds have to apply extensive CCPA requirements to personal information concerning their employees, contractors, and job applicants.
- There has been a grace period in place on CCPA’s applicability to this information, and the California legislature had been considering extending the grace period, but the end of the legislative session means no extension will be implemented.
- This will require data mapping, an assessment of privacy notices and vendor contracts, and a plan for responding to requests from employees, contractors, and job applicants to exercise their CCPA rights.
As a refresher, CCPA applies to “businesses” that operate for a profit, do business in California, and process the personal information of California residents, and to their service providers. As of January 1, 2023, “business” will be defined as an entity that:
- Had $25 million annual gross revenue in the preceding calendar year; OR
- Annually buys or sells, or shares, the personal information of 100,000 or more California consumers or households; OR
- Derives 50 percent or more of its annual revenues from selling or sharing the personal information of California consumers.
CCPA does not apply to not-for-profit entities, or to data that is governed by certain other privacy laws like HIPAA or GLBA, among other exceptions.
Since it became effective in 2020, businesses subject to CCPA have been focused on CCPA compliance with regard to personal information they collect from their customers or the public, but this shift may significantly broaden the scope of information they must assess. There are numerous obligations CCPA imposes on businesses and numerous rights CCPA grants to individuals, and working toward compliance can be a complex process.
Most businesses subject to CCPA will now need to account for the following additional key compliance areas and tasks when CCPA becomes applicable to personal information concerning employees, contractors, and applicants:
- The business should determine how many of its employees, contractors, or applicants are California residents.
- The business should identify the personal information it collects and processes concerning those individuals, and identify any third parties with whom it shares that personal information (including service providers such as HR data management vendors, cloud storage providers, payroll processors, and benefits providers and administrators).
- This will also include determining whether any of this personal information is “sensitive” under CCPA, which requires some special treatment.
- To the extent that the business doesn’t currently provide a privacy notice to employees, contractors, or applicants, it will be necessary to prepare one that complies with CCPA requirements and ensure it is disseminated to those individuals.
- To the extent that the business does provide those individuals with a notice, it should assess the notice to determine whether it complies with CCPA requirements, which include:
  - Disclosing the categories of employment-related personal information being collected and processed, and the business purposes for the processing
  - Disclosing any sharing or sale of employment-related personal information
  - Providing a means of opting out of certain sharing or sales of employment-related personal information
  - Setting forth individuals’ CCPA rights, such as the right to access personal information, the right to receive a copy of personal information, and a limited right of deletion of personal information, and advising employees, contractors, and applicants how to exercise those rights
- After identifying any vendors who process employment-related personal information, the business should review the contracts with those vendors to determine whether they meet CCPA requirements or if they require an addendum to do so. The requirements include:
  - Limiting the vendor’s processing of personal information to the context of providing the services contemplated by the agreement or certain other uses specified by the CCPA
  - Restricting the vendor’s ability to share any personal information acquired pursuant to the agreement
  - Restricting the vendor’s ability to combine personal information acquired pursuant to the agreement with personal information obtained from other sources
  - Requiring the vendor to assist the business with responses to requests from employees/contractors to exercise their CCPA rights
  - Requiring the vendor to make certain notifications to the business, such as in the event of a data breach or the vendor’s inability to meet CCPA requirements
Employee/Contractor/Applicant Rights Requests:
- The business will need to develop a process for responding to employees, contractors, or applicants who request to exercise the rights described in the privacy notice section above.
- This will include verifying the authenticity of such requests, as well as substantively assessing and responding to them.
The list above represents a general overview, but it is not exhaustive. Each business is likely to have distinct needs and priorities and should rely on legal counsel when planning and executing CCPA compliance tasks.
In addition to employment information, CCPA will become applicable to business-to-business information as of January 1, 2023. This is personal information that is collected and processed only in the context of transactions between businesses, as opposed to transactions with an individual consumer. The compliance steps for this data will be roughly the same, but this is likely to be a smaller volume of data than employment data for most businesses.
To the extent that a business has not yet grappled with the applicability of CCPA to employment-related personal information, the process might require some triaging and scoping. But when it comes to compliance, an old saying comes to mind: “The best time to plant a tree is twenty years ago. The second best time is now.” The sooner a business begins the process, the better opportunity it has to complete it efficiently before January 1, 2023 arrives. Saul Ewing’s cybersecurity and data privacy lawyers can help businesses identify their compliance obligations, prioritize their needs, and complete the necessary tasks.
This alert was written by Patrick M. Hromisin, Counsel in the Firm’s Cybersecurity and Privacy Practice. Patrick can be reached at (215) 972-8396 or Patrick.Hromisin@saul.com. This alert has been prepared for information purposes only.