
Current CCPA Requirements for Employers




Jeffrey Aleixo


2020 was an eventful year when it comes to privacy laws in California. The California Consumer Privacy Act went into effect, the state attorney general issued final regulations for the CCPA, and California residents voted to pass the California Privacy Rights Act.

Different amendments, extensions, and exemptions have misled some businesses subject to CCPA into believing that they are completely exempt from privacy obligations until 2023 with respect to employees and applicants. However, this is not the case and businesses have to follow the existing CCPA requirements concerning the personal information of their employees and applicants, which became effective on January 1, 2020.

CCPA Overview

The CCPA was signed into law in 2018 by then-Governor Jerry Brown. When the CCPA passed, it was considered a landmark piece of consumer protection law, as it requires certain businesses to disclose whatever personal data they have about consumers whenever they request it.

To resolve some of the issues with this law, such as the definition of consumer, the California State Assembly introduced AB25, which originally tried to exempt businesses from having to comply with the CCPA for employees and applicants. However, AB25 was amended in the State Senate. The new version exempted businesses in their role as employers from most but not all of the CCPA requirements with respect to employment-related data.

Under the current CCPA requirements, employers have the following obligations:

  • Providing notices to employment-related data subjects of the categories of personal information being collected and the purposes for which the personal information will be used, and
  • Implementing reasonable security over certain categories of personal information to avoid a private right of action following a data breach.

Learn more about cybersecurity requirements introduced by CCPA and make sure to take necessary steps from both a data privacy and cybersecurity standpoint.

CCPA Compliance Is not Enough for CPRA Compliance

The CCPA granted data rights to California residents, but in their capacity as consumers, exempting HR Individuals from these rights. On the other hand, the CPRA extends its protections to California residents in their roles as HR Individuals. When the CPRA goes into effect on January 1, 2023, covered employers will be required to:

  • provide HR Individuals with extensive privacy notices, 
  • respond to requests to exercise new data rights, 
  • limit uses and disclosures of HR data, and 
  • obtain detailed contractual commitments from third-party recipients of personal information.

Many companies have already implemented policies and procedures to comply with the CCPA requirements that will need modifications to apply to HR data requests. Also, given the two sets of data, businesses will reject requests to exercise consumer data rights and HR data rights based on different exceptions within the CPRA. Finally, the CPRA introduces the rights to correct, to opt out of sharing, and to restrict the processing of sensitive personal information, none of which appear in the CCPA at all. Consequently, employers need to prepare to accommodate these new rights.

Preparing for Employees’ Return to the Workplace

As workers begin returning to work in person, many employers have to ask their employees to provide certain health information before returning to the workplace. This may include information such as temperature checks, health surveys, COVID-19 test results, or proof of vaccination status. In the process of collecting this information, employers should take certain measures to ensure compliance with the CCPA requirements as their workplaces reopen.

Employers subject to the CCPA should provide employees with a notice informing them about the collection of health information in connection with their return to the workplace. Employers should also take extra care not to use the information collected for any purpose unrelated to the employment context. Also, if CCPA-covered businesses collect COVID-19 or other related health information outside of the employment context, they need to include disclosures about the collection, use, and disclosure of that information in their privacy policy.

Use a range of industry-leading solutions designed to help you ensure constant compliance with different regulations and make a minimal impact on your company’s operations and bottom line.

Privacy Legislation Development

After the passage of the CCPA in 2018, multiple states proposed similar legislation to protect consumers in their states. While many of these bills are similar to the CCPA, they also impose new and different requirements on businesses and expand their compliance difficulties. Therefore, apart from remaining aligned with current CCPA requirements, companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.

Given the complexities involved, ensuring compliance with privacy legislation may not be easy, but resolving this could save companies a lot of issues later. Furthermore, even though there is no privacy legislation on the federal level, many believe that when it comes, it will be modeled after California’s law. Consequently, even if businesses have managed to avoid the effects of the CCPA so far, paying attention to privacy compliance could pay off in the future.

Regardless of whether it is CCPA requirements or another piece of legislation, businesses need to prepare. To begin with, they have to update privacy notices on a company website, know where information is located within their systems, decide how to obtain and report customer information when requested, and establish a proper verification process. In addition to this, companies can use a proactive approach and outsource their privacy legislation processes. This way, they can put appropriate mechanisms in place and ensure compliance with CCPA requirements as well as prepare for new data privacy laws that may come in the near future.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emptech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.