After more than a year of remote work during the coronavirus pandemic, and with vaccines being more widely available, many businesses are now at a crossroads: Should they move their employees back to the office or continue working from home? Of course there are many considerations to take into account — everything from data security measures to how it changes the work environment — but for those businesses that fall under the requirements of the California Consumer Privacy Act (CCPA), one of those considerations should be how working from home affects CCPA compliance.
The CCPA gives consumers more control over and access to the personal information that businesses collect about them. It also defines “consumers” very broadly. According to the CCPA, a consumer is simply any California resident; there is no need for a customer relationship with the business. This means that even a business’s employees are considered consumers and are covered by the data privacy law, though there is currently a limited exemption for personal information collected in the course of employment.
CCPA compliance has two main branches: (1) making the required disclosures about how personal information is collected and used, and (2) responding to consumers’ privacy requests. Employment-related data is exempted from the second branch, meaning employees cannot make privacy requests regarding their personal information. This is likely because extending full CCPA consumer rights to employees could cause significant disruption (allowing them to request the deletion of all their information from company records, for example). However, businesses are still required to make privacy disclosures to employees. Namely, they must be told what personal information is being collected about them and for what purpose. They also still have a private right of action against the business if their personal information is compromised during a cybersecurity breach.
This exemption is a temporary provision that was added by the legislature before the law went into effect. The California Privacy Rights Act (CPRA), which made significant changes to the CCPA, extended the exemption until January 1, 2023. It may be further extended, made permanent, or allowed to expire at that time.
Because employees are not completely exempted from the CCPA requirements, businesses that have implemented any kind of remote work plan should examine their personal data collection practices. Ideally, if a business is covered by the CCPA it should already be disclosing to employees what personal information it collects about them and for what purpose; now they must determine if remote work technologies are capturing any consumer data that was not covered by the original disclosure.
For example, video conferencing is potentially a type of data collection. It may be covered by the original disclosure, but other technology such as productivity-tracking software, especially if installed on the employee’s personal computer, may not be. Some companies are now tracking their workers’ geolocation data, which would need to be disclosed. Businesses must make a list of all new technologies that have been deployed in support of remote work, and then check the data collection by these products against the original employee disclosures. If there is any additional information that must be included, it is just a matter of updating those disclosures.
The complexities of CCPA compliance can be a major hassle for businesses that don’t have the staff or the expertise to manage it full time. They generally have to choose between an in-house solution, which drains productivity and is likely to lead to mistakes, and expensive legal consulting fees, which easily run into the tens of thousands of dollars.
TrueVault Polaris combines the convenience and savings of an in-house solution with the expertise of hiring outside consultants. It provides a guided experience, taking businesses step-by-step through the whole process of getting fully CCPA compliant and staying that way. Contact our team today to learn more.