Laws like the California Consumer Privacy Act (CCPA) do much more than protect consumer information. They also require businesses to protect information about their employees.
Employment information was initially excluded from many of the legal requirements of the CCPA. With the passage of Prop. 24, the California Privacy Rights Act of 2020 (“CPRA”) extended this and other exemptions until January 1, 2023. However, the extension of exemptions has led to confusion among businesses about just what employment information remains exempt and what employment information is currently covered under CCPA.
As Sean Paisan explains it in the Jackson Lewis law blog, “It appears that this labyrinth of amendments, extensions, and exemptions has misled some businesses subject to CCPA…into believing that they are completely exempt from privacy obligations until 2023 with respect to job applicants, employees, owners, directors, officers, medical staff, and contractors (collectively “employees and applicants”). This is not the case! In short, businesses have existing obligations under the CCPA concerning the personal information of their employees and applicants, which became effective on January 1, 2020.”
So what information about employees and job applicants do business’s have to manage in compliance with CCPA requirements? The following compliance areas are currently covered by CCPA:
- Under Section 1798.145(h)(3), notice must be provided to employees by employers, at or before the point of the collection of personal information.
- Providing reasonable safeguards for personal information to avoid data breach caused by a business’s negligence.
- Providing disclosure in the event personal information is shared with third parties.
- Right of correction.
Importantly, employees can exercise their private right of action in cases where HR departments and businesses handle non-exempted personal information in a way that violates the CCPA.
Concerns are mounting over how best to understand and implement CCPA and CPRA compliance strategies for employment data. Industry groups and privacy lawyers are requesting the California Privacy Protection Agency to add clarifications that would align existing employment rights with privacy rights.
Given the complexity and costs required to handling personal data for employees and job applicants in a way that is separate and distinct from a business’s other data systems, some HR departments may ultimately opt to err on the side of caution and treat employment information like consumer information.