As summer nears its end, uncertainty and complexity lie ahead for many companies as they evaluate how to operationalize compliance with the California Privacy Rights Act (CPRA), existing California employment laws and, potentially, a federal privacy law, the American Data Protection and Privacy Act, H.R. 8152 (ADPPA), that may preempt some but not all rights under the CCPA and the CPRA. To increase the headache for companies doing business in California, two business-friendly exemptions are set to expire at the end of the year.
On August 31, 2022, the final day of the 2022 California legislative session, the legislature failed to extend exemptions that would have excluded certain employee and human resource (HR) related personal information collected within the business context from the scope of the California Consumer Privacy Act (CCPA) when the CPRA amendments to the CCPA go into effect on January 1, 2023. It should also be noted that similar CCPA exemptions for personal information collected in the course of certain business-to-business (B2B) transactions or communications were not extended. Thus, on January 1, 2023, the current CCPA exemptions for HR and B2B information will sunset and the CPRA will go into effect without the exemptions that businesses have relied upon for the last several years, making California the first state to have a comprehensive data privacy law covering HR data. In short, beginning next year, employers will have to honor the host of data privacy rights under the CCPA not only for consumer data, but also for HR data concerning employees, job applicants and independent contractors (unless another exception within the CCPA applies).
The CCPA is California’s landmark legislation that seeks to give California consumers the right to learn about and control certain aspects of how a business handles the personal information that a business collects about them. Namely, it gives consumers:
- the right to know about the personal information that businesses collect about them;
- the right to know what businesses do with that information;
- the right to delete personal information collected from them (with some exceptions); and
- the right to opt out of the sale of certain personal information if a business sells that personal information.
In turn, businesses that meet the thresholds of the CCPA, regardless of whether the business is physically located in California, must institute certain policies, practices, and methods that allow consumers to exercise those rights. However, the CCPA applies to “consumers” and defines “consumers” so widely that it would presumably cover employees and job applicants, who are not ordinarily understood to be “consumers.” This ambiguity in the law prompted the legislature, on multiple occasions, to pass certain exemptions for HR and B2B data. Moreover, California employment laws already extend certain rights and impose data collection requirements with respect to employees, creating potentially conflicting obligations for businesses.
Under the existing exemptions to the CCPA, California employers’ compliance obligations with respect to employee and human resources information are limited. Employers are required to provide a short-form privacy notice that explains the types of HR data that are collected and the purposes of the collection. However, because of the exemptions, employers do not currently need to include data subject rights and retention periods. The B2B exemption covers personal information reflecting communications or transactions between the business and individuals at outside businesses that occur solely for conducting due diligence on another business or in the context of a B2B transaction and basic operations.
So, barring action by the California legislature when it reconvenes in January 2023, California employers will have to add HR and B2B data to their ongoing CCPA compliance efforts. This is in addition to the current scramble to address the draft regulations to the CPRA released in May 2022 by the California Privacy Protection Agency, which was established by passage of the CPRA in 2020 and has assumed CCPA rulemaking authority. With businesses already complying with obligations under existing California employment laws, it’s going to be a mess. To add more confusion, some employers may be hoping that the proposed federal ADPPA privacy bill will preempt the CCPA and CPRA. However, as the ADPPA is currently proposed, it does not include employee or HR data within its scope. Therefore, any California laws related to the privacy of employee or HR data may fall outside the ADPPA’s jurisdiction and preemption provisions.
Some considerations on this impending compliance mess:
- Although California employment laws already extend more rights to employees than most states, the CPRA, without exemptions, will create additional operational challenges for employers. California employment laws, for example, permit employees to access their payroll records, employment agreements and personnel file. However, under the CPRA “personal information” means “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In the employee context, this could pull in emails and data on employer networks and employer-issued laptops, and even include handwritten materials and employment records, as well as geolocation records for company vehicles. Placing such data within the ambit of the CCPA (and the various opt-out and other consumer rights under the law) will undoubtedly cause confusing or conflicting obligations, as state employment laws might mandate retention of certain information; in addition, requests under the CCPA to correct or delete certain HR documents, such as performance reviews, would seem to defy common sense and disrupt normal business operations.
- Businesses that fall under the CPRA will need to take immediate steps to be prepared on January 1, 2023. Some recommendations:
  - Conduct an updated data inventory that includes all HR-related data and also identifies any “sensitive personal information.” This map of internal data flows is necessary before taking any steps to modify existing privacy programs and achieve compliance.
  - Determine whether any employee-related data is being sold to third parties or shared with providers. Existing agreements with vendors that process employee data should be amended to ensure new CCPA requests can be handled.
  - Review and update employee and job applicant privacy policies and notices and related policies for independent contractors. Employee monitoring programs should also be reexamined. Recall that, under the CPRA, a business’s collection, use, retention, and sharing of a consumer’s personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed….”
  - Modify existing CCPA compliance programs to include the capability to handle employee requests.
  - Update data retention policies to take into account future requests by employees under the CCPA.
- Similar considerations should be undertaken regarding B2B transactions.
We will continue to track the CPRA and ADPPA updates and monitor the impacts that these laws will have on employers.