In 2018, the California Legislature passed the California Consumer Privacy Act (CCPA) and became the first state to enact comprehensive legislation designed to protect the privacy of consumers’ personal information. Businesses subject to the CCPA are required to, among other things, respond to consumers who wish to review personal information collected by the business, delete personal information, and opt out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale, and sharing of personal information.
Personal Employee and Company Information
While the CCPA aims to protect the personal information of consumers, the terms of the law extend to the personal information of employees and business contacts. The California Legislature responded by exempting “business-to-business” (B2B) employment and personal information from most CCPA provisions until January 1, 2021, which was extended in the CPRA until January 1, 2023.
Exemption and its end
The broad consensus after passage of the CPRA was that the California legislature would expand the employee and B2B personal information exemptions. Although there were a number of attempts to reach an agreement, ultimately the California Legislature adjourned on August 31, 2022 without passing an extension. Accordingly, it is certain that all consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.
The expiry of the exemption will be difficult. While many consumer-facing businesses have adopted policies and procedures that can be tailored to employee and B2B personal information, many businesses that have little or no consumer contact will be particularly impacted by significant privacy disclosure, policy and procedure issues that must be resolved by the end of 2022.
For all businesses, employee information will raise issues, as employers are forced to collect large amounts of personal information, including sensitive personal information (such as financial, health, and intimate characteristics) to conduct their activities. These companies will need to address what information they collect, where it is stored, who has access to it, and how it is used. Companies will need to determine how consumer rights apply to employee and B2B personal information, and be prepared to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is being collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and protection against retaliation for exercising opt-out or other rights.
Personal information obtained from employees is of particular importance. California companies should assess the differences and similarities between the rights afforded to employees under the CCPA (including how the disclosure and deletion exemptions apply) and those provided under California labor laws. California employers have, or should have, adopted many of the processes required under the CCPA. For instance:
- The right to know – The CCPA gives consumers the right to ask a business to disclose (i) the categories of personal information collected, (ii) the sources of that personal information, (iii) the third parties to whom the business disclosed the personal information, and (iv) what personal information was sold/shared and to whom. California law has several statutes granting employees the “right to know” certain types of information the employer has collected, including the employee’s personnel file, documents signed by the employee, and payroll records. In contrast, the CCPA is broader in scope and requires employers to disclose geolocation, biometrics, internet activity, inferences drawn, and other information that employers might collect. Additionally, the timelines for complying with a request are different under the CCPA and California labor laws.
- Right to deletion – The right to ask a company to delete the personal information collected from the individual. Employers should evaluate federal, state, and local retention requirements for employment records, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code Section 12946 and California Labor Code Section 226, to determine potential exemptions to a deletion request under CCPA Section 1798.105(d)(8), which exempts a business from deleting information necessary “to comply with a legal obligation”. These exemptions may also apply to B2B personal information.
- Right to Refuse Sale or Sharing – Under the CCPA, consumers have the right at any time to order a company that sells or shares personal information not to sell or share that information. Employers should not only reassess their disclosure agreements with vendors, but also consider whether their vendors are service providers, contractors, or third parties under the CCPA, because disclosing an employee’s personal information to a supplier may be considered a “sale” in certain circumstances.
- Right to limit use and disclosure of sensitive personal information – Employers should assess whether they are processing an employee’s personal information and whether this includes sensitive personal information. For example, if an employer processes sensitive personal information (such as racial or ethnic origin) for diversity and inclusion purposes, this may be permitted under an exception. However, if an employer processes sensitive personal information for the purpose of inferring the characteristics of its employees and uses artificial intelligence to assist in hiring, including by using automated decision systems, this right may be triggered.
While this development has emphasized the impact on employers, B2B personal information is now subject to the same regime as employee personal information. Businesses must analyze their B2B collection and use of personal information, as well as provide the same rights as a consumer’s rights under the CCPA, including the right to know, the right to delete, the right to refuse the sale or sharing, and the right to limit the use and disclosure of sensitive personal information.
Companies subject to the CCPA must immediately take steps to comply with these new requirements, including:
- Update CCPA processes and controls for handling employee and B2B data.
- Perform a review and inventory of HR processes to see where employee data may exist, what data the company retains, and whether that data is subject to the CCPA.
- Update notices upon collection and privacy policies for employees, applicants and contractors.
- Update existing processes to respond to employee requests under the labor code and engage stakeholders to design new policies and procedures to respond to privacy rights requests in 2023, including addressing potential exemptions under the CCPA.
- Review and update contract terms with service providers, contractors and third parties to incorporate new requirements under the CPRA and mitigate risk.