What Does The CCPA Mean For Employers? [UPDATED 15, JULY]
As any company that does business in California knows (or should know), the California Consumer Privacy Act (CCPA) comes into effect in January 2020. The new law will be enforced by California's attorney general, who has the power to impose severe financial penalties on businesses that are found to be in violation of the CCPA.
The new law contains several provisions which, when applied together, require companies to provide consumers with a detailed explanation of how their personal information is handled. This must be included in the companies’ privacy notice, as well as directly to the consumer, upon request. Moreover, the company must provide the following information within 45 days of receiving a verifiable request:
The specific items of personal information collected about the consumer;
The categories of sources from whom the personal information was collected;
The purpose for collecting the consumer’s personal information;
The third parties to whom the personal information has been disclosed;
The categories of personal information, if any, sold during the preceding 12 months - and the categories of third-party recipients, and;
The categories of personal information disclosed for business purposes during the preceding 12 months.
How Does The CCPA Affect HR Data?
[See important update at the foot of this article]
By virtue of it's name, the Act is implicitly designed to protect the privacy interests of "Consumers". But the big question on the lips of many business owners is... Are employees also "Consumers"?
This question is most likely driven by the absence of such words as "employer" and "employee", indicating that HR data was never intended to be a part of the act's scope. Indeed, there is currently a bill pending (AB 25) in the California Legislature to clarify that the CCPA does not apply to employers' own human resources data, therefore excluding HR data from the CCPA's scope.
AB 25 would add the following exclusion to the act's definition of "consumer" as follows:
Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of ... the business, to the extent the person's personal information is collected and used solely within the context of the person's role as a job applicant to, an employee of, a contractor of ... the business.
In other words, if enacted, AB 25 will remove HR data from the CCPA.
In the meantime, a degree of uncertainty means that employers are playing a waiting game, and must decide whether to risk the cost, time and resources required to implement a CCPA compliance program for HR data, when such a strategy might not be needed at all.
Access Rights: Consumers -vs- Employees
Providing employees with the same rights of access as consumers could be a tough nut to crack. The employer would still be required to fulfill the request within the statutory 45 days, and provide the "specific pieces of personal information the business has collected" about the employee during the 12 months preceding the request.
The CCPA’s definition of “personal information” includes "professional or employment-related information." Therefore, in the case of an employee, this category would have to include practically everything stored in an employee's HR file.
This in itself could be a time-consuming task when one considers the number of disparate storage locations where an employee’s data could exist. Local hard drives and departmental servers are just the tip of the iceberg. Employee data can also be found in numerous email in-boxes, as well as in paper form.
To make the task even more onerous, “personal information” is also defined in the statute as:
internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application or advertisement.
Any employer that monitors its information systems would be hard pressed to collate this amount of information over a 12-month period. Collecting such a broad variety of data to facilitate an access request from an employee would represent a challenging task, even for the most technically competent.
Right to Deletion
An employee’s right to deletion could cause a potential conundrum for any employer, since “personal information” includes “professional or employment-related information”. For example, an employee could demand the erasure of a negative performance assessment.
Fortunately for employers, there are a number of exceptions to the right of deletion. If compliance with the law would effectively "restrict a business's ability to ... exercise and defend legal claims" then the CCPA would not apply. Therefore, the exceptions provided should enable a business to decline a request to delete HR data while the requestor is employed by the company and after the employment ends, for the length of relevant statutes of limitation.
“Do Not Sell My Personal Information”
Consumers have a right to opt out of the sale of their personal information. However, within the context of employee data, it would be extremely unlikely that a business would wish to sell such data to a third party. However, the CCPA defines the term “sale” as:
…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
It could be argued therefore, that this definition gives employees the right to prevent their employer sharing their personal information with HR related services such as a payroll outsourcing company.
But once again, the CCPA provides certain exceptions to the rule, by stipulating that disclosing personal information is not deemed as a “sale” if a contract has been agreed by the service provider not to retain, use or disclose the personal information other than to provide the services specified within the contract. The business must also state in its privacy notice that it shares consumers’ personal information with service providers.
It would therefore be prudent for the business to review all existing contracts and service agreements and update them where necessary, as a vital part of an employer’s CCPA compliance strategy.
Planning Amid Present Uncertainty (opinion)
The current uncertainty around a new consumer privacy law, that will no doubt undergo further amendments before going into effect in January 2020, forces employers to make a tough decision. It might appear that there are only two options on the table.
OPTION #1: Go all-in and implement a comprehensive CCPA compliance model that includes provisions for HR data. Not such a great option if HR data is ultimately deemed out-of-scope for the CCPA, as a lot of time, money and resources could be potentially lost in the process.
OPTION #2: Sit on the fence and wait to see what happens with HR data. The risk here is that employers could end up waiting for too long and end up cramming to achieve compliance if no legislative relief arrives.
Okay, there is a third option. This is our best recommendation for employers that want to be in a position to facilitate data access requests made by their employees - however unlikely that turns out to be.
Keep an eye on the the progress of AB 25, while taking some steps toward CCPA compliance, without risking too much time and resources , in case HR data is ultimately excluded.
Put together a team of department stakeholders who will be responsible for implementing a compliance strategy that includes provisions for HR data.
Engage your IT department in a review of all your data security measures.
Determine what information you will need in order to respond to data access requests by both consumers, as well as employees past and present.
Create processes and policies to; verify requestors’ identities, respond to access requests, and document responses.
List any third-parties that provide HR services and update service contracts where required.
Create a Privacy Notice, or update your existing Privacy Notice.
Formulate a rapid response plan to remedy a potential data breach.
Provide training for all employees who handle personal information. Ensure that your staff understands their responsibility to protect the personal data of California residents.
At the time of writing this article, the California Senate Judiciary Committee passed Assembly Bill 25 (AB 25), after pressure from organized labor groups forced some changes.
Originally, the bill was drafted to exclude employees and job applicants from the Act’s definition of the term “consumer”.
The changes adopted by the judiciary committee mean that AB 25 no longer excludes employees and job applicants from the definition of “consumer”. Instead, these will remain subject to the law, and businesses will be required to disclose the types of employee data collected, with whom it is shared, and the reasons for doing so. However, under this latest amendment, businesses will not be required to provide employees with the rights of data access and deletion.
Since AB 25 includes a January 1, 2021 sunset clause*, leaving the Bill open for further debate concerning handling of employee data under the CCPA, we could expect further changes during 2021. Therefore, AB 25 will still face significant hurdles before it receives approval by the state senate.
We feel this latest amendment significantly reduces the risk of deploying time and resources to implement a comprehensive CCPA compliance model that includes provisions for HR data and appropriate employee rights, as described above.
The Bill now in the hands of the Senate Appropriations Committee. If it passes, future updates to policies and processes should be relatively easy to integrate into your existing model.
*A sunset clause is a measure within a statute, regulation or other law that provides that the law shall cease to have effect after a specific date, unless further legislative action is taken to extend the law. Most laws do not have sunset clauses and therefore remain in force indefinitely, except under systems in which desuetude applies.