Despite expectations that California’s legislature would pass a bill exempting employee data from the reach of California’s Consumer Privacy Act, the legislative session closed at the end of August without any action. And now, employers have to deal with the fallout of that inaction. 

Until the end of 2022, California employees’ personal data remains largely exempt from the requirements of the CCPA, but that exemption sunsets on December 31. On January 1, employers will wake up with a brand new compliance headache if they fail to get ahead of it in the next few months. Starting on that day, employers will have to respond to privacy requests from their employees as well as consumers, and the nuanced nature of human resources data will make that a tricky process.

What stays the same?

Most companies already have some level of security measures in place to protect employee data. In fact, the CCPA already requires that employers take reasonable steps to protect and secure employee personal information, so if you have not put any security measures in place, hop to it. Don’t wait for January 1, 2023. The sunsetting of the “employee exemption” simply reinforces what the security rules already were–companies will be liable under the CCPA if they fail to protect employees’ personal information and they suffer a data breach.

So, what changes?

The notice requirements. Under the CCPA, employers were already required to give employees, job applicants, and contractors notice regarding the collection and processing of their personal information, but now the notice requirements will be the same as those companies have to comply with for consumers generally. The notices for consumers include more information than what companies have been required to provide to their employees under the “employee exemption.” This means, for example, that employees will receive notice regarding their right to request deletion of their information because that is a new right that will be afforded to them starting January 1, 2023.

That means, of course, that employers will have to prepare to receive these types of requests. Even companies with robust privacy programs for consumers’ personal information will have to implement a number of changes in order to process requests for the more regulated, sensitive information contained in employee personal information. Unless employers can rely on an exemption, they will have to honor employee requests including the right to delete, know, correct, access, port, limit the use and disclosure of sensitive personal information, and the right to opt out of the sharing and selling of personal information. 

Of course, a number of exemptions will apply to privacy requests from employees. For example, you cannot fulfill your part of the employment contract if you delete the employee’s personal information, preventing you from processing payroll. Similarly, an employee or job applicant may request a data correction that you do not have to honor. Perhaps they self-reported their educational information, informing you they had graduated college with a degree in a certain field. Upon doing a background check, you discovered they did not actually graduate. You could note the dispute but ultimately determine that the background check, not the applicant, had provided the correct information. 

The good news is that your company probably does not engage in some of the high risk processing activities for employee data as it does for consumer data. While you might engage in targeted advertising for consumers, you do not need to target your employees with ads, so the additional operational compliance needs connected to target advertising will not apply. You may, however, engage in different high risk activities, such as collecting sensitive information regarding an employee’s sex life because you collect partner information to provide dependent benefits. Getting your notices in order and reviewing your processing activities before January 1 is incredibly important so that you have time to adjust your processing and put policies in place for how to fulfill and, as appropriate, deny privacy requests from your California employees.

SixFifty can help!

SixFifty’s California Privacy toolset helps businesses navigate these complex and dynamic privacy laws. With SixFifty, your privacy documents will never be out of date, even as the laws change. Schedule a demo today.


Avatar

Written by Marie Kulbeth

Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...

Full Bio and other articles by