Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.
What were the partial exemptions?
The exemptions relieved California businesses from the CCPA’s obligations, but only for certain data sets.
The so-called HR exemption relieved employers from having to comply with many of the CCPA’s obligations relating to their employees’ personal information, such as the requirement to offer consumer data rights to job applicants, employees, owners, officers, and independent contractors of a business, including with respect to employee benefits information and emergency contact information. However, this was only a partial exemption. Under the CCPA, businesses have been required to inform all employees and job applicants, at or before the point of collection, of the categories of personal information being collected about them and the purposes for which it will be used. In addition, a business could be held civilly liable by employees and applicants for data breaches of their personal information involving non-encrypted data.
The B2B exemption prevented businesses from having to engage in the puzzling task of providing a comprehensive privacy notice to business contacts at the point of collection and providing those types of individuals with CCPA data rights, except for the right to opt-out of sale of their personal information, which has applied since the CCPA went into effect on January 1, 2020.
What happened to these limited exceptions?
The CCPA’s exemptions for this type of data were never intended to be permanent: the original sunset date was extended to January 1, 2021, and then, with the passage of Assembly Bill No. 335 in October 2021, extended to January 1, 2023. Legislative efforts to further extend the exemptions primarily manifested as two bills proposed in the California Assembly in February 2021, one to extend the exemptions until January 1, 2026 (AB 2891) and the other to make them permanent (AB 2871). Both bills languished and then expired in committee. A last-ditch effort in mid-August to amend Assembly Bill 1102 to extend the moratoriums to 2025 also failed. The conclusion of the legislative session on August 31st (the last day for each house of the California State Legislature to pass bills) ended any real hope of a continued reprieve from the CCPA’s full application to these data sets.
An additional extension or permanent exemption appears to be outside the rule-making purview of the California Privacy Protection Agency (CPPA), and, at any rate, the CPPA’s current draft update of the CCPA’s regulations, although only partial at this time, indicates no attempt to forestall or prevent the CCPA’s application to HR and B2B personal information. Further, despite its initial momentum, the U.S. federal privacy bill (the American Data Privacy and Protection Act, or ADPPA) now faces bigger roadblocks to passage, in part due to the California congressional delegation’s belief that the ADPPA would put a ceiling on privacy protections via preemption.
What does this mean?
All of the CCPA’s onerous obligations, particularly the requirement to offer consumer data rights, will now apply to personal information from all consumers collected and held by a business, including employees and B2B contacts. Because a business treats the personal information of its employees, customers, and business relationships differently, the upcoming compliance obligations present new challenges and make for a busy fourth quarter for companies that are subject to these new CCPA requirements. The policies and procedures that a business currently uses to respond to consumer data requests are likely ill-suited to handling the same requests from that business’s employees or business contacts, some of whose personal information will reside in various data systems.
Under the current CCPA regulations, a business can accommodate a request to obtain specific pieces of personal information by directing employees to existing HR sites where they can look up their own data. However, if there is personal information about employees that is inaccessible to them (such as reviews, employee files, etc.), a business may need to develop a process to provide that information. With regard to requests to delete, the CCPA has exceptions that allow a business to maintain the personal information of current employees for a variety of reasons. For rejected job applicants and former employees, there are likely fewer exceptions that would apply, so a business may need to delete employment records, resumes, interview notes, or other materials upon request.
Many businesses do not maintain B2B contact personal information in a centralized structured database or standard format like they might with customer or employee data. Names, emails, and other types of personal information could be distributed in e-mail folders, internal documents, and a personally maintained virtual ‘Rolodex.’
Note, however, that the scope of employees’ and business contacts’ data rights under the CCPA will be heavily influenced by the forthcoming updated CCPA regulations. While currently still in draft form, the updated regulations may provide leeway (or not) regarding how far a business must go in complying with a consumer data request that seeks unstructured personal information not used for commercial purposes.
There are currently four other U.S. states with comprehensive privacy bills on the books: Colorado, Connecticut, Virginia, and Utah. All are currently slated to come into effect at various points in 2023, with Virginia kicking in first on January 1, 2023, but each of these other states has permanently excluded HR and B2B personal information from their scope.
Key takeaways and Q4 action items to consider:
- Update the data inventory to include employee, job applicant, and business contact personal information now fully subject to the CCPA.
- Update consumer-facing disclosures and notices to comply with the new CCPA requirements.
- Evaluate third-party/vendor contractual relationships that may be impacted by these changes.
- In particular, employers should begin preparing for the changes by mapping data flows, updating employee forms and notices, reviewing privacy policies and incident response procedures, and training managers and supervisors on these changes to ensure compliance.
- Also, employers should use caution regarding the collection of sensitive personal information of California employees, as the CCPA has heightened requirements for that category of personal information.