Following our recent post concerning complaints that the California Consumer Privacy Act (CCPA) is “vague” and “confusing”, we find there is yet another aspect of the new law, which appears to be in need of some clarification.
Up until recently, many organizations that are preparing for CCPA compliance, have held the belief that personal information about employees is subject to the new privacy regulation.
However, the CCPA may not apply to employers’ HR data at all.
As businesses play a frustrating waiting game for further amendments, employers are counting the cost of time and effort spent on implementing CCPA compliance measures for HR data, that could end up being a complete waste of time.
Uncertain times: Does the CCPA actually apply to employee data?
In some of our previous posts, we have mentioned that while the CCPA’s plain language refers to HR data, the entire statute itself is devoid of such words as “employee” and “employer”, which suggests that the California legislature never actually intended to include HR data within the scope of the new law.
When we consider the huge disconnect between the Act’s plain language and the probable legislative intent, it should come as no surprise that a new bill (AB 25) has been proposed. This amendment would expressly exclude employees from the definition of a “consumer” under the CCPA.
As currently drafted, the CCPA governs the personal information (PI) of “consumers,” who are broadly defined as California residents. This would, in effect, provide California employees – if their employer is a covered business under the CCPA – a broad range of rights similar to the Eu’s GDPR, when it comes to their PI. These rights would include the right to request that their employer provide them with a transportable copy of their PI, delete their PI, and provide them with specific information about the collecting and sharing practices for their PI (subject to certain exceptions).
AB 25 proposes to amend the CCPA by clarifying that the meaning of the term “consumer” does not include a “natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”
Right of notice within the context of employment
The CCPA includes several provisions which, when applied together, require companies to provide consumers with a detailed explanation of how their personal information is handled. This must be included in the companies’ privacy policy, as well as directly to the consumer, upon request, as relevant to that consumer. Moreover, the company must provide the following information within 45 days of receiving a verifiable request:
-
The specific pieces of personal information collected about the consumer;
-
The categories of sources from whom the personal information was collected;
-
The purpose for collecting the consumer’s personal information;
-
The third parties to whom the personal information has been disclosed;
-
The categories of personal information, if any, sold during the preceding 12 months – and the categories of third-party recipients; and
-
The categories of personal information disclosed for business purposes during the preceding 12 months.
The collection of this information concerning HR data stored in databases such as the employer’s HR system should be reasonably manageable. However, there are likely to be considerable challenges compiling this information from other storage locations, such as local hard drives, email inboxes, and paper-based files.
Right of access within the context of employment
The right of access requires businesses to repond to a verifiable request within 45 days, with the “specific pieces of personal information the business has collected” about the consumer during the 12 months preceding the request. Therefore, providing employees with the right of access could be an arduous task for most employers. Firstly, the definition of “personal information” includes “professional or employment-related information.” This effectively means virtually every piece of data in an employee’s personnel file.
As well as typical information contained within basic employment records, “personal information” includes other categories of information, in addition to the employment relationship. For example:
“internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application or advertisement.”
Another example is “geolocation data,” which could potentially include information collected via GPS technology installed in company-owned vehicles, as well as location information collected via apps installed on employees’ company-issued smartphones. The gathering of this information, to be included in facilitating an access request could be technically challenging for employers.
Employers should be aware that the CCPA’s provision that compliance with the act “shall not adversely affect the rights and freedoms of other consumers.” This provision is particularly important within the context of employment because it provides employers with the right to refuse to disclose information that could be potentially damaging to co-workers of the employee who is making an access request.
Right to deletion within the context of employment
Since PI includes all “professional or employment-related information,” employees could, at first glance, exercise the right of deletion as a weapon against the employer. For example, an employee might try to demand the deletion of a negative performance appraisal.
However, the CCPA contains a number of exceptions to the right to deletion. This right does not apply when retention of a consumer’s PI is necessary for compliance with legal obligations, or for internal purposes consistent with a consumer’s expectations. Also, the CCPA does not apply where compliance would “restrict a business’s ability to … exercise and defend legal claims.”
The exceptions contained within the CCPA should enable an employer to reject requests to delete most types of HR data during the employment relationship period – and thereafter for the length of relevant statutes of limitation.
Sources and credits: IAPP, Lexology