The so-called “HR exemption” taking employee and applicant personal information out of the control of the California Consumer Privacy Act (CCPA) is about to come to an end. Employers who are “businesses” for purposes of the CCPA and have employees who are California residents — including non-consumer facing businesses that have not previously been subject to the CCPA — will need to implement internal compliance policies and processes as the California Privacy Rights Act (CPRA) eliminates the exemption as of January 1, 2023. Compliance with CPRA is complex, and this checklist is intended only to assist with raising issues and questions.
#1 -- Is your business covered by the CCPA/CPRA?
An entity will be considered a covered business under the CPRA if it is a for-profit entity that determines the purposes and means of processing consumers’ personal information, does business in California, and meets any one of the following conditions:
- Annual gross revenues (global) over $25 million, measured as of January 1 of the calendar year, for the preceding calendar year.
- Annually buys, sells, or shares personal information of 100,000 or more consumers or households. This increased the threshold from 50,000 under the CCPA.
- Derives 50% or more of its annual revenue from selling or “sharing” personal information.
If you are a “business” for purposes of the CPRA, any employee, dependent, job applicant, independent contractor, and/or board member that is a California resident will be considered a “consumer” (“Covered HR Members”). Remote employees living in California will also be considered Covered HR Members under the CPRA regardless of whether the employer has a physical presence in California.
If the answer to question #1 is “yes,” employers will be required to provide the following:
Notice at Collection
This notice is required to be provided to Covered HR Members at the time the personal information is collected. The content requirements are specified in the CPRA and must detail (1) the categories of personal information to be collected by the company, and (2) the purposes of use for each category of personal information. If you provided a notice to Covered HR Members pursuant to CCPA, you will need to review and update that notice.
- Under the CPRA, businesses must now, at or before the point of collection, identify (a) whether collected information may be sold or shared, (b) any categories of the newly defined term “sensitive personal information” collected, and (c) any retention periods or, “if that is not possible, the criteria used to determine such period.”
- Under the CPRA, certain new rights and compliance burdens will attach to a new category of personal information called “sensitive personal information.” Sensitive personal information includes financial information, account log-in credentials, a consumer’s identification numbers (e.g., Social Security number, driver’s license number, etc.), precise geolocation, racial and ethnic information, personal communications (e.g., contents of an individual’s mail, email, and text messages unless the business is the intended recipient of the communication), and information about one’s sex life or sexual orientation, and genetic data, biometric, or health information. Many of these categories are commonly collected by employers.
Employers should audit the categories of sensitive personal information that are collected and document the reasons for such collection. For example, the CPRA does not require an employer to present the categories of personal information listed above as “sensitive personal information” in the notice at collection unless the information is collected or processed for the purposes of “inferring characteristics” about the individual.[i] Businesses generally do not collect or process sensitive personal information with the purpose of inferring characteristics of their employees. Such sensitive personal information would most typically be processed in order to fulfill traditional HR functions, such as processing payroll and providing benefits.
Privacy Notice for Human Resources Data
There is a subtle difference between the “notice at collection” and the “privacy notice” that should be posted to a company’s HR intranet or other policy documentation. The “notice at collection” is forward-looking. The “privacy notice” looks back to that information collected by the employer in the 12 months prior to the effective date of the policy and must be comprehensive. In other words, the CPRA policy that you publish as of January 1, 2023 must cover the collection and handling of personal information starting January 1, 2022.
Employers may be able to combine the employee notice at collection and the employee privacy policy, but consideration needs to be given to the statutory requirements for content and the relative audiences (e.g., employees vs. dependents vs. job applicants) for the documentation. Note in particular that attention should be paid to the crossover between privacy laws and other employment laws and how a combined notice might affect issues such as the classification of independent contractors.
Prepare to Respond to Requests to Exercise Rights
If the company has not implemented a process to respond to requests under CCPA because you have been relying on the “exemptions,” Covered HR Members will, as of January 1, 2023, have the right to request:
- Right to Know: includes the right to request disclosure of (i) categories of personal information collected, (ii) sources of personal information, (iii) third parties to whom the business disclosed the personal information, and (iv) what personal information was sold/shared and to whom. They may also request disclosure of specific pieces of personal information collected.
- Right to Delete: includes the right to request deletion of personal information collected from the individual.
- Right to Correct: includes the right to request that inaccurate personal information collected by a business be corrected.
- Right to Limitation: includes the right to direct a business that collects sensitive personal information (as defined in the CPRA) to limit the use of such information. If you are not collecting and processing sensitive personal information from employees for the purpose of inferring characteristics, as discussed above, you may not be required to extend this right. However, if your business uses some type of artificial intelligence to assist with hiring, including using automated decision systems, this right may be triggered.
- Right to Opt-Out: includes the right to direct a business that sells or shares (as defined in the CPRA) not to sell or share such information.
These new rights are in addition to the already-existing rights of employees under the California Labor Code to inspect and receive copies of personnel records and inspect signed documents and payroll records.
In order to respond to such requests, you will need to know where the data is (“data mapping”). It can live in many places within the organization – not limited to HR information systems or personnel files. The use of collaboration tools like Slack and Teams increases the possibility of collected personal information that can be subject to a rights request. You also are time-limited: requests to exercise rights to know, correct, and delete information must be responded to within 45 days.
It is not recommended that a business just apply its online website privacy policy to employees. The CPRA rights, as applied in the “consumer” context, may not apply in the same ways in the employment context. Also, different exceptions will apply when employers are responding to rights requests made by employees and must be carefully analyzed and applied. There is also the risk of misuse of CPRA rights by employees, former employees, and plaintiffs’ attorneys as a way to maneuver around traditional (and costly) discovery methods in litigation (or pre-litigation). Context matters.
The Anti-Retaliation Right
Under CCPA and the CPRA, California consumers have a right not to be discriminated against for exercising any of their data rights. In the HR context, the CPRA specifically outlines that this “non-discrimination” right means a right against retaliation for assertion of any of the CPRA’s data rights. There is no private right of action under the CPRA; however, the new enforcement agency created by the CPRA, the California Privacy Protection Agency, has authority to enforce the CPRA.
Data Retention and Governance
Good “data hygiene” and data governance can lessen a company’s compliance burdens. Because the CPRA requires that businesses not retain personal information for longer than reasonably necessary for a disclosed purpose, this is the time to assess internal data retention procedures to ensure that your company is retaining data (in all forms) for only the amount of time sufficient to meet requirements under other laws and set appropriate limits on the retention of personal information. Email retention policies and rules should be reviewed (and if your company does not have them, now is the time to establish same) as well as those for messaging and collaboration tools.
Regulations
The California Privacy Protection Agency is a new regulatory agency charged with drafting and implementing regulations under the CPRA. Draft and modified regulations have been published and are still in a state of flux. The next public hearings being held by the CPPA on the proposed/modified regulations will be on October 21 and 22. Because the final regulations may have some operational impacts, employers should continue to monitor and update policies and procedures if necessary.
[i] The act of “inferring characteristics” is not otherwise defined in the CCPA/CPRA. However, the definition of “personal information” includes “inferences, drawn from any of the information identified above [the complete definition of “personal information” at Cal. Civ. Code Section 1798.140(o)] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”