California law will soon require businesses to treat their employees and business partners as consumers under the California Consumer Privacy Act (CCPA). The CCPA and its successor legislation, the California Privacy Rights Act (CPRA), grant California consumers dignitary rights over their personal information collected and processed by commercial entities that do business in California. The CCPA applies to to such entities that do business in California and collect California consumers’ personal data, have annual gross revenues over $25 million, possess the personal information of 100,000 or more consumers, or earn more than half of their yearly income from brokering data.
Employee, Job Applicant and 1099 Contractor Data
Previously, the CCPA excluded employee data; however, this exemption is set to expire on December 31, 2022. The California State Legislature defied expectations by ending the 2022 legislative session without passing an extension. While the legislature may pass a new exemption in its next legislative session, businesses subject to the CCPA should prepare to process employee CCPA requests as of January 1, 2023.
Fortunately, most businesses already have HR processes to allow employees to access and correct their personal data. Existing OSHA and EEOC record-retention-requirements will also cover most employee data, meaning that it will likely be exempt from deletion requests under the CCPA (i.e., the data cannot be deleted in order to “comply with a legal obligation”). However, companies must now also allow job applicants to know, view, delete, and correct personal information, and EEOC regulations require businesses to retain applicant records for one year. Businesses must keep close track of when that obligation ends and allow applicants to delete their data as soon as that is legally permissible.
The CCPA also included an exemption for business-to-business (B2B) data collected from agents or representatives of other businesses. However, this exemption also is set to expire on December 31, 2022. As of January 1, 2023, California B2B contacts have the right to know, view, correct, and delete personal information. Some personal information may be exempted as necessary to “complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.” However, companies will need to think outside the box when responding to these requests. Unlike employee and general consumer data, which companies typically collect in a centralized system, B2B data might be scattered across systems tracking emails, contracts, accounts payable, and countless other business processes.
How Can You Prepare?
- Inventory Your Employee + B2B Data: Businesses should review employee and applicant information (as well as 1099 contractors) to confirm that their privacy notice correctly describes the categories of personal information they collect and process in order to identify “sensitive personal information” subject to the new CPRA right. Businesses should pay special attention to B2B data and clearly document which categories of personal data are stored and on which systems.
- Enter into Data Processing Agreements with Service Providers: Businesses that use third-party HR software such as Workday and ServiceNow should add data processing addendums that include specific required terms to their contracts. The CCPA requires these agreements with all service providers, including providers that process employees’ personal information.
These are just basic steps. However, if you haven’t assessed whether the CCPA applies to your business, now is the time. And, after that assessment is done, it could mean implementation of a compliance program to avoid fines and penalties and private actions against your business.
This post was authored by Linn Freedman, Kathryn Rattigan, and Blair Robinson (non-lawyer intern) and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.