The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give consumers increasingly more control over their personal information when it is collected by businesses subject to the law. We have previously discussed the compliance requirements these data privacy laws impose on organizations doing business in California. Significantly, the CCPA/CPRA defines the term “consumer” to mean any California resident. From a business perspective, such a broad definition encompasses not only the business’s individual customers, but also its employees, job applicants and even business-to-business (B2B) contacts. With the moratoriums currently in place for B2B and employee/applicant data sunsetting on January 1, 2023 and not likely to be extended, and the prospect of federal data privacy legislation with broad preemptive effect over state law looking less likely, businesses should be actively preparing to meet these expanded statutory obligations.
It is easy to see how such an expansive definition can create compliance and operational challenges for businesses. In the day-to-day course of operations, businesses may collect large amounts of personal information about current employees and job applicants, sourced from any number of locations and residing in any number of places or systems: information can be generated by any division or department of the business and can be stored in the cloud, on local network drives, as hard copies, or all three. The information may be collected as structured data (e.g., databases, HRIS systems) or in unstructured form (e.g., email), and it may be stored with or shared with third-party vendors. Locating this data and fulfilling an access, right-to-know or deletion request from an employee seeking to exercise rights under the CCPA/CPRA could present significant logistical challenges, and a failure to fulfill a request can have both reputational and financial consequences. Knowing where, how and why personal information is maintained is critical in evaluating the intersection in the statute (see, e.g., Cal. Civ. Code § 1798.145) between data privacy notice obligations, employee requests and the business’s other obligations (e.g., to preserve evidence or defend legal claims).
Further, the information exchanged day-to-day between businesses (whether competitors, vendors, customers or partners) can also be voluminous, and an obligation to delete, access, correct or otherwise provide notice regarding the personal information collected during those exchanges can likewise be complex and burdensome.
What are the existing employee and B2B data exemptions included in the California Consumer Privacy Act and the California Privacy Rights Act (CPRA)?
The CCPA contains a limited exemption for personal information collected by a business about an individual who is a job applicant, employee, owner, director or independent contractor of the business. The employee exemption is limited, in part, in that it applies only when such information is collected and used “solely within the context of [the individual’s] role or former role” as a job applicant, employee, owner, director or independent contractor. In the context of a B2B relationship, businesses are exempt from the requirement to provide notice at collection, and the broadly defined “consumer” does not have a right to know or a right to delete.
When do the exemptions currently expire and what attempts have been made to extend the exemptions?
These exemptions were included in the original version of the CCPA but were set to expire on January 1, 2021. In September 2020, legislation was enacted to extend these exemptions by one year (as the COVID-19 pandemic had inhibited businesses’ compliance efforts). Finally, the CPRA, which passed as a ballot initiative in November 2020, extended them further, to January 1, 2023.
Over the course of the year, California state legislators proposed a number of legislative initiatives to extend the exemptions beyond the January 1, 2023 deadline. However, the legislation failed to garner enough support to advance through the state assembly. And with the legislative session having come to a close, the prospects for an extension are further diminished, as attempts to include an extension as a ballot initiative in November 2022 have also fallen short.
Given that it’s unlikely the exemptions will be extended beyond the January 1, 2023 deadline, how should businesses be preparing?
Europe’s General Data Protection Regulation (GDPR) already applies to B2B and employee data; businesses already subject to (and compliant with) the GDPR should therefore be in a good starting position to comply with the requirements of the CCPA/CPRA. All businesses that are subject to the CCPA/CPRA should consider the following compliance measures:
- Starting with the Human Resources, Benefits and Information Technology departments, map the collection, use and disclosure of personal information of California residents within the organization, including any sharing or disclosure of that data with third parties.
- Document the commercial purposes for the collection and use of each category of personal information collected or processed, including collection required by applicable law (e.g., laws that require the maintenance of certain employment and business records).
- Assess the value of the personal information collected and follow sound data minimization principles (i.e., do not collect what is not needed to achieve the commercial purpose).
- Update employee and/or job applicant notices beyond the currently required short-form notice at collection to provide the additional required information, including individual rights under the CCPA/CPRA, any collection of sensitive personal information (e.g., race, ethnicity, government identifiers), any disclosure of personal information to third parties, and the business’s information retention policies.
- Ensure that the business’s mechanisms and policies for responding to requests to exercise privacy rights (including the expanded rights under the CPRA) are extended to cover human resources data and other personal information that was previously exempt.
- Develop policies and operational procedures for responding to CPRA rights requests (including the rights to know, access, delete and correct) in light of the organization’s collection and use practices, including how legal holds and record-retention requirements will be reconciled with deletion requests.
- Ensure that all employee and other personal information is protected by reasonable security procedures and practices against hacking and other anticipated cybersecurity threats; a breach of nonencrypted and nonredacted personal information resulting from a failure to maintain reasonable security can give rise to a private right of action under Cal. Civ. Code § 1798.150.
- Review contracts with downstream service providers and contractors that hold employee or B2B data for cooperation obligations and the other downstream data protection clauses the statute requires.
- Review contracts with business partners regarding B2B information to allocate CCPA/CPRA compliance responsibilities.