2020 was an eventful year when it comes to privacy laws in California. The California Consumer Privacy Act went into effect, the state attorney general issued final regulations for the CCPA, and California residents voted to pass the California Privacy Rights Act.
Different amendments, extensions, and exemptions have misled some businesses subject to CCPA into believing that they are completely exempt from privacy obligations until 2023 with respect to employees and applicants. However, this is not the case and businesses have to follow the existing CCPA requirements concerning the personal information of their employees and applicants, which became effective on January 1, 2020.
The CCPA was signed into law in 2018 by then-Governor Jerry Brown. When the CCPA passed, it was considered a landmark piece of consumer protection law, as it requires certain businesses to disclose whatever personal data they have about consumers whenever they request it.
To resolve some of the issues with this law, such as the definition of consumer, the California State Assembly introduced AB25, which originally tried to exempt businesses from having to comply with the CCPA for employees and applicants. However, AB25 was amended in the State Senate. The new version exempted businesses in their role as employers from most but not all of the CCPA requirements with respect to employment-related data.
Under the current CCPA requirements, employers have the following obligations:
- Providing notices to employment-related data subjects of the categories of personal information being collected and the purposes for which the personal information will be used, and
- Implementing reasonable security over certain categories of personal information to avoid a private right of action following a data breach.
CCPA Compliance Is Not Enough for CPRA Compliance
The CCPA granted data rights to California residents in their capacity as consumers, exempting HR Individuals from these rights. The CPRA, on the other hand, extends its protections to California residents in their roles as HR Individuals. When the CPRA goes into effect on January 1, 2023, covered employers will be required to:
- provide HR Individuals with extensive privacy notices,
- respond to requests to exercise new data rights,
- limit uses and disclosures of HR data, and
- obtain detailed contractual commitments from third-party recipients of personal information.
Many companies have already implemented policies and procedures to comply with the CCPA requirements, but these will need modifications to apply to HR data requests. Also, given the two sets of data, businesses will reject requests to exercise consumer data rights and HR data rights based on different exceptions within the CPRA. Finally, the CPRA introduces the rights to correct, to opt out of sharing, and to restrict the processing of sensitive personal information, none of which appear in the CCPA at all. Consequently, employers need to prepare to accommodate these new rights.
Preparing for Employees’ Return to the Workplace
As workers begin returning to work in person, many employers have to ask their employees to provide certain health information before returning to the workplace. This may include information such as temperature checks, health surveys, COVID-19 test results, or proof of vaccination status. In the process of collecting this information, employers should take certain measures to ensure compliance with the CCPA requirements as their workplaces reopen.
Privacy Legislation Development
After the passage of the CCPA in 2018, multiple states proposed similar legislation to protect consumers in their states. While many of these bills are similar to the CCPA, they also impose new and different requirements on businesses and expand their compliance difficulties. Therefore, apart from remaining aligned with current CCPA requirements, companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.
Given the complexities involved, ensuring compliance with privacy legislation may not be easy, but addressing it now could save companies a lot of issues later. Furthermore, even though there is no privacy legislation on the federal level, many believe that when it comes, it will be modeled after California’s law. Consequently, even if businesses have managed to avoid the effects of the CCPA so far, paying attention to privacy compliance could pay off in the future.
Regardless of whether it is CCPA requirements or another piece of legislation, businesses need to prepare. To begin with, they have to update the privacy notices on the company website, know where information is located within their systems, decide how to obtain and report customer information when requested, and establish a proper verification process. In addition to this, companies can take a proactive approach and outsource their privacy legislation processes. This way, they can put appropriate mechanisms in place and ensure compliance with CCPA requirements as well as prepare for new data privacy laws that may come in the near future.