As an employer that has workers in California, you may be scratching your head about how to comply with the California Consumer Privacy Act (CCPA) now that it applies not only to personal data you collect about ordinary consumers but also to the personal data you collect about your employees (and if you weren’t scratching your head about that, you probably need to take a look at this update regarding changes to California privacy law in 2023).
Although the CCPA already applied to your HR data in a limited fashion (before 2023, you had to give employees notice about your data collection and use practices, and they had a right of action against you for data breaches), it now applies to your employees in its complete form. That means employees have new privacy rights, including the right to request that you delete their information, inform them what information you have collected about them and who you have shared it with and for what purposes, as well as the right to request that you limit the use of their sensitive personal information.
Sounds pretty daunting when you put it like that. And every HR representative and business owner out there has the same immediate reaction: delete their data?! Impossible! I HAVE to collect that data if they want a job. How else can I run payroll and benefits or comply with my legal reporting obligations?
Good news—there are a lot of exemptions available that could apply to important pieces of employee data that will save you from having to actually delete it. If you are legally obligated to process a piece of data, such as an employee’s social security number, in order to employ them, you do not have to delete that data. Other exemptions may also apply. However, if you are also processing the same piece of employee personal data for non-exempt reasons, you will have to start restricting your uses of the data if an employee submits a deletion request.
Consider an example: you collect your employees’ clothing sizes because you provide them with uniforms they are required to wear while on shift. You also use the shirt size to periodically send them employee appreciation gifts, including shirts that are not part of the uniform. If an employee submitted a deletion request, you could claim an exemption for maintaining their size so you can provide them with uniforms as part of their contract of employment, but that same exemption would not apply to the gifts, so you would need to stop processing that employee’s shirt size for that purpose. Since you need the size for the uniform, though, you would not have to delete the data completely.
The California Personnel Records Act
Now that you’re thinking about your legal obligations regarding Californian employees’ data, you may also be thinking about the California Personnel Records Act (referred to as the “PRA” in this article) and how it interacts with the CCPA. Under both laws, California employees have the right to request copies of certain records held by their employers. So in this article we will ignore deletion requests under the CCPA (the scary elephant in the room that is addressed in more depth here) and focus on access requests, which might come in under either law.
The PRA applies to more companies than the CCPA. All public and private entities operating in California must comply with the PRA, while the CCPA only applies to for-profits that meet at least one of its thresholds. However, the PRA only covers current and former employees; the CCPA on the other hand covers current and former employees, as well as prospective employees and independent contractors. That expands the scope of individuals companies must afford disclosure rights to if the company is subject to the CCPA.
The PRA is also more limited than the CCPA in the sense that the PRA only grants covered individuals the right to request access to personnel records related to a grievance or employee performance. Those records include things like job applications, performance reviews, and records related to disciplinary actions. Conversely, the CCPA right to access would require a company to disclose all of the personal data it has about an employee, from their name, address and age, to their beneficiary and insurance elections. In addition to the information itself, under the CCPA the employer would need to disclose how it uses and discloses the information to others.
Number of requests
Both laws limit the number of disclosure requests a company must respond to. Under the PRA, a company is not required to respond to more than 50 requests in a 1-month period. The PRA has a separate rule for former employees, limiting them to one disclosure request annually. Under the CCPA, a company is only required to respond to two disclosure requests in a year from the same individual, regardless of that individual’s relationship with the company.
Both laws exempt a number of records that would otherwise be included in their disclosure requirements. Under the PRA, employers do not have to disclose any records prepared by identifiable committee members (for example, of a promotions committee), any records obtained before the individual became employed, letters of reference, or any records related to investigation of possible criminal offenses. The CCPA exempts disclosure of any personal data where disclosure might prevent or obstruct the company’s ability to comply with other legal obligations or to exercise or defend its legal claims or rights. There is some, but by no means complete, overlap between the exemptions.
How requests are submitted
The PRA requires requests to be made in writing, and employers are allowed to provide forms for those requests. The CCPA generally requires the majority of companies to offer at least two methods for submitting requests, one of which must be via a toll-free number. When deciding which methods to use for accepting access requests under the CCPA, employers should consider how they interact with employees, former employees, prospective employees, and contractors to determine how they will receive requests. For example, publishing a request portal on an employee intranet would give current employees the ability to make requests, but it would not be helpful to former or prospective employees and would therefore be insufficient to fulfill all of the CCPA’s requirements.
However employers choose to receive access requests, they should consider clearly differentiating between CCPA and PRA requests, since the employer will have different obligations depending on the request type. The deadlines for response are different (one month for the PRA and 45 days for the CCPA), and the information included in the responses will be quite different, with much more information required for CCPA disclosure requests than for PRA requests. Employers might make this differentiation up front in their notices, giving employees clear direction about how to submit a PRA request versus how to submit a CCPA request. Or an employer might follow up with the employee after a disclosure request has already been made to understand which kind of request was intended.
Keep in mind that the goal of both laws is transparency, and the CCPA in particular punishes organizations that try to reduce the number of disclosure requests they receive by making the process for submitting them difficult to find, navigate, or understand. Now that the CCPA applies to personnel data and records, your organization should take the opportunity to review your data collection practices throughout the employee lifecycle, beginning with prospective employees. Map out that lifecycle and ensure that your notices are full and accurate, can be understood by your personnel, and are posted in appropriate places so that everyone receives notice at or before the point at which you collect their information. Once your notice and request submission processes are clear and available, you are in a much better compliance posture and are properly prepared to receive and process any employee disclosure requests.
Keeping up with US privacy laws is a time-consuming task, especially when individual states keep passing separate laws. Fortunately, SixFifty’s comprehensive privacy documents will help your company stay compliant. Our proprietary legal technology combines automation with real legal expertise: just answer a few questions, download the generated document, and have your lawyers review it. Best of all, we’ll stay on top of changes to privacy law and notify you when it’s time to make a change. Schedule a free demo today!