Many thanks to Lothar Determann and Jonathan Tam for this post.
Some of your job applicants and employees in California may be alarmed if you tell them you sell their personal information. But you will have to say you sell their personal information if you disclose their personal information to third parties after January 1, 2022 without including certain data processing clauses in your contracts, as required by the California Consumer Privacy Act (CCPA). So we recommend reviewing these contracts to ensure they include the prescribed clauses if you wish to avoid being a “seller” of personal information.
You should also get ready to field data access, deletion, correction, portability and other requests from your employees and other personnel in California starting January 1, 2023. This will require implementing new protocols and training up your human resources and compliance teams. We also recommend tightening up your data retention and deletion protocols to limit the amount of information you have to review when handling data subject requests.
Do you use employee monitoring software or algorithms to help you evaluate job applicants? You should ensure that your use of these and similar tools addresses upcoming requirements regarding automated decision-making, risk assessments and the use of sensitive personal information. Note that the CCPA also currently requires employers to issue privacy notices to their California employees pursuant to a California Privacy Rights Act (CPRA) amendment that took effect on December 16, 2020.
There is an HR exception under the CCPA, but it is not comprehensive and expires January 1, 2023. When the CCPA originally passed in 2018, it included a limited, temporary carve-out for personal information of job applicants, employees, independent contractors and other personnel, who only needed to receive a brief “notice at collection.” The CPRA extended the limited carve-out until January 1, 2023 and immediately expanded the list of disclosures that employers have to provide to employees and candidates at or before the time of collecting their personal information.[1] Such “notices at collection” must include details about the types of personal information collected, the purposes for which the information is collected, and how long the personal information is retained or the criteria for determining the same. The California Attorney General’s CCPA Regulations also require notices at collection to indicate whether the business sells California residents’ personal information and, if so, to notify them of their right to opt out of sales, and to include a link to the business’s privacy policy.[2] You should begin to address these requirements immediately if you have not done so already.
Starting in 2023, you will be fully subject to CCPA requirements with respect to your California job applicants and personnel.
Here are some key recommendations.[3]
- Review your agreements with third-party recipients of personal information. The CCPA prescribes certain types of clauses that will have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information. We recommend broaching these requirements with your business partners as soon as possible if you have not already done so, given the time needed to negotiate contracts and the fact that you have to disclose your practices in the prior 12 months, i.e., after January 1, 2022.
- Implement data subject request protocols and tighten up record retention and data deletion protocols. California job applicants and personnel will gain data access, portability, correction, deletion and other rights in 2023. You should implement protocols and training to ensure that your HR, compliance and similar teams can deal with their requests in a consistent, timely and compliant manner. Any email, spreadsheet, contract or other document that refers to a California-based employee constitutes their “personal information” which you may have to produce in response to an access request, free of charge. To keep track of where information is stored while reducing the amount of data potentially subject to data access requests, you should work on tightening your data retention and deletion protocols. This will also help you comply with CCPA’s new data minimization requirements.[4]
- Consider whether, and to what extent, you process “sensitive personal information” (for example, if you use employee monitoring software), and address related CCPA requirements. California residents will have the right to request that businesses stop using their “sensitive personal information” for purposes outside of various narrow exceptions.[5] CCPA defines “sensitive personal information” to include, among other things, government identifiers, precise geolocation data, information on racial or ethnic origin, religious or philosophical beliefs, and the contents of a California resident’s mail, email and text messages addressed to someone other than the business. If you process sensitive personal information outside of the excepted purposes, you have to post a link titled “Limit the Use of my Sensitive Personal Information” online. CCPA may also require you to engage in privacy risk assessments and allow California residents to opt out of automated decision-making activities in certain situations. The newly established California Privacy Protection Agency will clarify these requirements when it promulgates its CCPA regulations later this year, and we recommend that you stay abreast of such developments to ensure that your HR data processing activities comply.
- Update privacy policy and privacy notices. Your privacy policy will have to reflect your processing of HR data. You should consider preparing a privacy policy that is specific to CCPA and separate from any privacy policy you might use to address privacy laws in other jurisdictions, since California laws establish unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions. At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop limited privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.[6]
Outlook and Practical Guidance
The California Privacy Protection Agency has begun drafting regulations, due by July 1, 2022, that specify how certain requirements under the revised CCPA apply. Most large and medium-sized companies that do business in California will be impacted. Compliance with the European Union General Data Protection Regulation (GDPR) or other jurisdictions’ privacy or data protection laws is not sufficient to meet requirements under the revised CCPA, which are prescriptive and require companies to use counterintuitive terminology on website links and in privacy notices.
The California Attorney General’s Office currently enforces CCPA, and the California Privacy Protection Agency will have the power to bring administrative enforcement actions under CCPA starting July 1, 2023. The authorities can investigate violations, hold hearings, issue cease-and-desist orders, and impose administrative fines of up to $7,500 for each intentional violation. Currently, CCPA requires the California Attorney General’s Office to give a business a 30-day cure period before bringing enforcement actions. Starting July 1, 2023, the California Attorney General’s Office and California Privacy Protection Agency will be able to bring enforcement actions without delay.
For more details, see Lothar Determann, California Privacy Law and Determann’s Field Guide to Data Privacy Law.
[1] See Section 31 of the CPRA (“Subdivisions (m) […] of Section 1798.145 [of the California Civil Code …] shall become operative on the effective date of the [California Privacy Rights Act]”). Subdivision (m) of Section 1798.145 of the California Civil Code sets forth the HR exception but also states that the exception “shall not apply to subdivision (a) of Section 1798.100”. One of the original drafters of the CPRA clarified that this reference is intended to refer to subdivision (a) of Section 1798.100, as amended by the CPRA. Subdivision (a) of Section 1798.100 of the California Civil Code, as amended by the CPRA, sets forth a requirement to provide California residents with a privacy notice at or before collection of their personal information. See also California Privacy Experts Break Down the CPRA, the Recorder, December 28, 2020, available at: https://www.law.com/therecorder/2020/12/28/california-privacy-experts-break-down-the-cpra/?slreturn=20211129180107.
[2] 11 CCR § 999.305.
[3] For an in-depth breakdown of new CCPA requirements, please see “United States: The California Privacy Rights Act of 2020 – A broad and complex data processing regulation that applies to businesses worldwide”, Lothar Determann and Jonathan Tam, https://insightplus.bakermckenzie.com/bm/data-technology/united-states-the-california-privacy-rights-act-of-2020-a-broad-and-complex-data-processing-regulation-that-applies-to-businesses-worldwide.
[4] Cal. Civ. Code § 1798.100(c). For general guidance on developing personal information retention protocols, please see How to Develop a Privacy-Enriched Data Retention Policy, Theo Ling and Jonathan Tam, Canadian Privacy Law Review, Volume 17, Number 8, July 2020, available here (last accessed October 31, 2021).
[5] Cal. Civ. Code § 1798.121.
[6] Lothar Determann and Robert Sprague, Intrusive Monitoring: Employee Privacy Expectations are Reasonable in Europe, Destroyed in the United States, Berkeley Technology Law Journal.