Why CCPA Compliance Matters to HR

Since it was passed in 2018, the California Consumer Privacy Act (CCPA) has been seen as mainly an issue for marketing and eCommerce teams—i.e., people who deal with customers and website visitors. Even though they handle large volumes of personal information, human resources departments have been spared many of the privacy law’s requirements because they deal exclusively with internal data from job applicants, employees, and contractors.

On January 1, 2023, all that will change. The CCPA’s long-standing exemption for employment-related data is expiring at the end of the year, meaning applicants, employees, and contractors will be treated exactly the same as any other consumers. HR departments at any business covered by the CCPA will have to get their operations fully compliant by 2023.

Privacy Disclosures for Applicants and Employees

Privacy disclosures are central to CCPA compliance, and businesses have already had to provide some information to job applicants and employees. Specifically, businesses are required to identify what types of personal information they collect from these groups and for what purposes. 

As the new provisions of the California Privacy Rights Act (CPRA) take effect and the employee-data exemption expires in 2023, these disclosures must be expanded significantly.

Here’s some of the new information that must be disclosed:

• Categories of “sensitive personal information” being collected and processed
• The period of time each category of personal information will be retained
• The categories of third parties to whom the personal information is disclosed
• Whether the business is using their personal information in a way that could be considered “selling” or “sharing”
• A description of their privacy rights as well as instructions on how to exercise those rights

Job applications and employee agreements will need to be updated to include the new disclosures, but it’s not as simple as copying and pasting boilerplate language from a generic privacy policy. 

Businesses should first create a data map in order to understand their own information practices (i.e., where personal data is collected, how it’s used, and who else may have access), and potentially make policy changes to bring those practices in line with the law.

Contractors

Independent contractors make up a significant part of the workforce for some businesses. To the extent that a business is collecting and processing individuals’ personal information, the CCPA does not distinguish between contractors and employees. Accordingly, businesses will need to make full privacy disclosures to any contractors they hire, just as they would with employees.

However, if the contractors are receiving personal information as part of their job, there is a new contractual requirement that must be met. They need to have a written contract with the business that does the following:

• Specifies that the personal information is being disclosed by the business only for limited and specified purposes
• Obligates the contractor to comply with the CCPA and provide the same level of privacy
• Grants the business the right to take reasonable and appropriate steps to help ensure that the contractor is using the data in a compliant manner
• Requires the contractor to notify the business if they determine that they can no longer meet their CCPA obligations
• Grants the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information

Fortunately this requirement should be relatively simple for businesses to meet. They will just need to draft an agreement with the necessary language for any contractors they hire.

CCPA Privacy Requests for Employees

Because job applicants, employees, and contractors will be treated the same as any other consumer, they will have the same privacy rights as other consumers. This means businesses are likely to get privacy requests from those individuals, a situation which may present special challenges.

• Request to Know - A request to know is probably the trickiest CCPA request for employers. Employers tend to have large amounts of personal information about their employees. It may be mixed together with personal information from other people (which needs to be redacted), or it might contain awkward information like performance reviews. Because a request to know from an applicant, employee, or contractor has a significant chance of being a precursor to litigation, it is probably best to consult with an attorney throughout the process.

• Request to Delete - Individuals may request the deletion of employment-related personal information, but businesses may still retain the data for certain reasons (such as to comply with a legal obligation or enable solely internal uses). Because of these exceptions, businesses are unlikely to be required to delete much of the data from workers.

• Request to Opt-Out - It is unusual for a business to sell employment-related personal information or use it for behavioral advertising, but if it does then it must honor opt-out requests.

• Request to Correct Inaccuracies - Businesses must correct inaccurate personal information upon request. They generally have an interest in maintaining accurate information about their workers, so these requests should not be an imposition.

• Request to Limit - Consumers can request that businesses limit the use and disclosure of “sensitive personal information.” Categories of sensitive personal information include social security numbers, biometric data, and race or ethnicity data—the kind of information that HR departments regularly collect. However, there are numerous exceptions to this right, and if businesses restrict their use of sensitive personal information to what is necessary for limited purposes, they may not have to offer this request type.

Incorporating CCPA Compliance into Daily Operations

With employee data covered by the CCPA, and the CPRA expansions, starting in 2023, privacy compliance is more important than ever. The complexities of privacy law present challenges to smaller businesses, however, and without an in-house privacy expert it is difficult to keep up with the latest regulatory changes.

TrueVault simplifies the process, helping companies get compliant—and stay that way—all on their own. Designed by attorneys, TrueVault guides you at every step along the way, from onboarding vendors to processing privacy requests. Once set up, TrueVault functions as a single privacy-management platform for all departments, helping avoid the redundancies, gaps, and internal miscommunications that can hamper compliance.

Learn more about TrueVault by contacting our team.