On August 31, 2022, the California legislative session ended without any applicable amendment that would further extend the existing limited exemption for human resources (HR) and business-to-business (B2B) personal information under the California Consumer Privacy Act (“CCPA”).
Without a further extension, the HR and B2B exemptions are set to expire on January 1, 2023, when the California Privacy Rights Act (“CPRA”), which amends the CCPA, takes effect. While rulemaking to address the CPRA amendments is underway, businesses that have relied on the exemption to keep HR data out of their compliance programs should evaluate those programs now and determine what changes, if any, are needed to address the upcoming requirements.
Is Your Organization Subject to the CPRA?
First and foremost, it is important to go back to the beginning and understand whether the CPRA applies to your business. The CPRA applies to any for-profit business doing business in California, regardless of whether the business is actually based in California, that collects consumers’ personal information (or on whose behalf such information is collected) and that alone, or jointly with others, determines the purposes and means of processing that information, and that satisfies one or more of the following thresholds: a) has annual gross revenue exceeding $25 million; b) annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or c) derives 50% or more of its annual revenue from selling or sharing California consumers’ personal information.
Businesses that do not meet these criteria can still be subject to the CPRA if they control, or are controlled by, a business that meets the thresholds, share common branding with that business (such as a shared name, servicemark, or trademark), and receive consumers’ personal information from that business. A joint venture or partnership in which each participating business holds at least a 40% interest is also treated as a business.
It is worth noting that the processing-volume threshold under the CPRA differs from that under the CCPA. The CCPA threshold was 50,000 or more consumers, households, or devices; the CPRA raises it to 100,000 consumers or households and no longer counts devices, so some smaller businesses that were covered by the CCPA on the basis of device counts alone may fall outside the CPRA.
What Are the New Obligations Concerning Employee Data under the CPRA?
- Notice Requirement before Collection of PI and SPI: Businesses must notify employees and job applicants at or before the point of collecting their personal information (“PI”) or sensitive personal information (“SPI”).
  - The notice must include the following details: the categories of PI (and SPI) to be collected; the purposes for which the PI is collected; whether the collected PI is sold or shared (in which case the employee must be given the option to opt out); and the retention period for each category of PI, or the criteria used to determine that period.
  - Businesses must not collect additional categories of employee PI or SPI, or use already collected employee PI for any purpose that is incompatible with the purpose disclosed at collection, unless they first provide a new notice to the employee.
- Assessment and Response Requirement for Employees’ Rights Requests: Businesses should develop a documented process to receive, verify, and respond to employee rights requests within the statutory deadlines. Unless a business can rely on a statutory exception, it will need to be able to honor employee data rights requests.
  - California employees of all businesses subject to the CPRA will have the following rights: the right to know what PI is collected about them, the right to delete, the right to correct inaccurate PI, and the right not to be retaliated against for exercising their rights under the CPRA.
  - The following rights apply depending on the business’s practices: the right to opt out of the sale or sharing of PI (only where the business sells or shares PI), the right to limit the use and disclosure of SPI (only where the business uses SPI beyond the purposes the statute permits), the right to access and port PI, and the right to access information about, and opt out of, the use of automated decision-making technology (subject to forthcoming regulations).
- Transparent Privacy Policy Requirement: Businesses should provide a transparent and accessible privacy policy to their employees containing the following information: the categories of PI collected in the preceding 12 months; the categories of sources from which the PI was collected; the purposes for which the PI was collected, sold, or shared; whether the collected PI was sold, shared, or disclosed for a business purpose; and employees’ data privacy rights under the CPRA and the methods for exercising them.
  - If the business sells or shares employees’ PI, the privacy policy should also list the categories of PI it sold or shared in the preceding 12 months.
  - If the business discloses employees’ PI for a business purpose, the privacy policy should also list the categories of employees’ PI it disclosed for a business purpose in the preceding 12 months and the categories of third parties to whom the business disclosed it.
- Contracting Requirements: Under the CPRA, businesses are required to include specific provisions in their written agreements with service providers and contractors that receive employees’ personal information for a business purpose. The required provisions must:
  - Specify the limited business purposes for which the service provider may use employee personal information.
  - Prohibit the service provider from selling or sharing employee personal information.
  - Prohibit the service provider from retaining, using, or disclosing employees’ personal information for any purpose other than those specified in the agreement.
  - Prohibit the service provider from using or disclosing employee personal information outside the parties’ direct business relationship.
  - Prohibit the service provider from combining an employee’s personal information with personal information received from another party or collected directly from the individual, except as permitted by regulation.
  - Require the service provider to notify the business before engaging any subcontractor to process employee personal information, and to bind that subcontractor by written contract to the same obligations.
  - Require the service provider to comply with the applicable obligations under the CPRA and to provide the same level of privacy protection for employee personal information as the CPRA requires of the business.
  - Require the service provider to notify the business if it can no longer meet these obligations.
  - Grant the business the right to take reasonable and appropriate steps to ensure that the service provider uses the personal information in a manner consistent with the business’s obligations under the CPRA.
  - Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
What Can You Do to Prepare for the CPRA?
First, understand your HR data flows. Your organization can accomplish this by mapping the collection, use, and disclosure of your employees’ personal information. Specifically, your organization should identify and evaluate the categories of personal information involved (flagging any SPI, such as Social Security numbers, precise geolocation, health information, or account credentials), how the information is processed, where it is stored and accessed from, which service providers and contractors receive it, and how long each category is retained. This inventory is the starting point for every other CPRA obligation: the collection notice, the privacy policy disclosures, the retention periods, the contract review, and the ability to locate and act on an employee’s data when a rights request arrives.
Second, draft or revise collection notices and privacy policies. Compared to the CCPA, the CPRA requires considerably more detailed collection notices and privacy policies. Your organization should add the information the CPRA newly mandates, such as retention periods (or the criteria for determining them) in collection notices, and the rights the CPRA creates, together with the methods for exercising them, in privacy policies.
Third, review and update contracts to include CPRA-compliant provisions. Your organization should confirm that contracts with service providers and contractors contain the terms the CPRA requires, and that those providers have the technical capability to support your obligations in practice, for example by locating, correcting, and deleting a specific employee’s records on request and confirming deletion downstream. Review your standard agreements and amend them as needed.
Finally, review and update incident response policies and procedures. A breach of employees’ nonencrypted and nonredacted personal information that results from a failure to maintain reasonable security procedures can give rise to the CPRA’s private right of action, which until now has effectively been limited to consumer data. Your organization should review its incident response processes to ensure they account for HR data and the employee population. More importantly, your organization should implement the technical and organizational safeguards that reduce the likelihood and scope of exposure: because the private right of action turns on data that is neither encrypted nor redacted, encrypting HR data at rest, restricting access to it on a need-to-know basis, and deleting data once the disclosed retention period has elapsed directly limit what can be exposed and what can be litigated.
Octillo regularly monitors the data privacy landscape and will continue to provide updates on enforcement trends related to the CPRA, CCPA, GDPR, and other global and domestic privacy regulations. Our team routinely works with clients to update their external policies and data collection practices to work towards compliance with the growing list of privacy regulations.
*Attorney Advertising. Prior results do not guarantee similar outcomes.