On January 1, 2024, businesses must post updated Privacy Policies under the California Consumer Privacy Act (CCPA), which requires annual updates of disclosures and fully applies in the job applicant and employment context since January 1, 2023.
With respect to job applicants and employees, businesses subject to the CCPA are required to:
- Issue detailed privacy notices with prescribed disclosures, terminology, and organization;
- Respond to data subject requests from employees and job candidates for copies of information about them, correction, and deletion;
- Offer opt-out rights regarding disclosures of information to service providers, vendors, or others, except to the extent they implement qualified agreements that contain particularly prescribed clauses; and
- Offer opt-out rights regarding the use of sensitive information except to the extent they have determined they use sensitive personal information only within the scope of statutory exceptions.
If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. For more, see also our related earlier post: Employers Must Prepare Now for New California Employee Privacy Rights.
Key recommendations to heed now
- Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non-discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with the parties to which they disclose personal information.
- Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. Collection notices in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply since January 1, 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (since January 1, 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all “notices at collection,” including context-specific, real-time notices about specific data processing activities, such as security cameras, computer monitoring, and job application processes). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.
- Prepare/update and document your data subject request program and train HR professionals. Your job applicants and personnel who reside in California have gained data access, portability, correction, deletion and other rights in 2023. You should implement protocols and training to ensure that your HR, compliance and similar teams can deal with their requests in a consistent, timely and compliant manner. Any email, spreadsheet, contract or other document that refers to a California-based employee constitutes their “personal information” which you may have to produce in response to an access request, free of charge. To keep track of where information is stored while reducing the amount of data potentially subject to data access requests, you should work on tightening your data retention and deletion protocols. This will also help you comply with CCPA’s new data minimization requirements. Documenting your program is important because the draft regulations also define the concept of “disproportionate effort” within the context of a business responding to a consumer request. Disproportionate effort is defined as the time and/or resources expended by a business to respond to an individualized request significantly outweighing the reasonably foreseeable impact to the consumer by not responding, taking into account applicable circumstances. Under the draft regulations, a business can only claim disproportionate effort as an exemption to the duty to respond to a data subject request if they have in place adequate processes and procedures to receive and process consumer requests in accordance with the CCPA and its regulations. The draft regulations give examples of circumstances that may amount to disproportionate effort and businesses should consider as part of the fact-gathering involved in preparing required privacy notices to also document when it would amount to a disproportionate effort to identify particular information in response to a data subject request and why.
- Consider whether and the extent to which you process “sensitive personal information,” such as if you use employee monitoring software, and address related CCPA requirements. California residents will have the right to request that businesses stop using and disclosing their “sensitive personal information” outside of specific purposes. CCPA defines “sensitive personal information” to include, among other things, government identifiers, precise geolocation data, information on racial or ethnic origin, religious or philosophical beliefs, and the contents of a California resident’s mail, email and text messages addressed to someone other than the business. If you process sensitive personal information outside of the specific purposes, you have to post a link titled “Limit the Use of my Sensitive Personal Information” online. CCPA may also require you to engage in privacy risk assessments and allow California residents to opt out of automated decision-making activities in certain situations. Diversity and Inclusion data often contains sensitive personal information, and employers should consider whether they run programs that could trigger rights to limit use or disclosure of such information (see our thoughts on Running a privacy compliant inclusion and diversity program globally). The California Privacy Protection Agency has clarified and expanded some of these requirements in prescriptive and wordy regulations that the agency enacted in March 2023 and will start enforcing in March 2024 (after a court prohibited earlier enforcement as the authority had planned). Meanwhile, the California Attorney General, who also enforces CCPA in parallel, announced an initiative in July 2023 to demand information from employers regarding their compliance measures concerning CCPA. Visit our California privacy law blog for our take on developments.
Enforcement
Both the California Attorney General’s Office and the California Privacy Protection Agency enforce the CCPA. The authorities can investigate violations, hold hearings, issue cease-and-desist orders, and impose administrative fines of up to USD 7,500 for each intentional violation. Businesses no longer enjoy a 30-day cure period. Sign up for our Privacy Webinar Series for more information.