HR departments and in-house legal teams should be aware that a change is coming to US privacy laws in 2023 that may affect their employee relations. The California Consumer Privacy Act of 2018 (CCPA), as amended in 2020 by a ballot initiative approved by California voters (CPRA), will apply equally to both consumer data and to internal employee data beginning January 1, 2023. This will be the first time in the US that a consumer privacy law is explicitly applied to employees, but it has been in the works for some time. Any business with employees or contractors in California could be affected.
WHO IS COVERED?
The CCPA applies to businesses that collect personal information from California residents and meet certain size thresholds; the most commonly met threshold is annual gross revenue in excess of $25M (measured across the enterprise as a whole, not just revenue attributable to California).
In practice, this may play out several ways:
- Companies that already comply with the CCPA will have to consider which of their compliance measures should be extended to HR data for employees in California.
- Companies that already comply with the European privacy law (GDPR) will have to consider whether the protections offered to their EU employees must be extended to employees in California.
- Companies that have not put a privacy program in place because they do not collect any consumer data may need to assess whether their employee data requires new compliance efforts, if they have any employees in California.
WHAT IS REQUIRED?
For any business that meets the CCPA criteria, the CPRA will require it to treat employees much like external consumer stakeholders for privacy purposes. Such companies will have to ensure at least the following for their California employees:
- Detailed notice at or before the point of collecting “personal information” that includes at least the following disclosures:
  - Statutory categories of information collected, including “sensitive” personal information
  - Business purpose for collection
  - Whether any personal information is “sold” or “shared” within the meaning of the CCPA
  - Retention period, or retention criteria applied, for personal information collected from employees
- Employees will have the right to opt out of any “sale” or “sharing” of personal information as those terms are defined by the CCPA and CPRA
- Employees will have the same rights of access, deletion, and correction to their personal information as consumers would
As under the CCPA, a “data breach” under the CPRA that results from a failure to maintain reasonable security may give rise to a direct right of action by affected employees, with statutory damages. Practically speaking, this means that companies whose workforce is entitled to CCPA/CPRA rights will need to consider several steps, including these:
- Drafting and rolling out an employee privacy notice
- Workflow and training to respond to employee requests to access/update their personal information
- Workflow and training to enable opt-out for any “sale” or “sharing” of personal information and to limit use of “sensitive” personal information in certain ways
- Reviewing service provider agreements to ensure that vendors are appropriately bound by CCPA/CPRA obligations, including appropriate security and restrictions on downstream use/reuse of employee personal information
- Verifying that reasonable security measures protect employee personal information, and documenting those measures
- Evaluating why employee information is being gathered, to eliminate information-gathering that is not likely to be for a permitted business use or that exceeds the scope of what is actually necessary
For companies already used to privacy compliance under either the CCPA or the GDPR, the extension of CCPA/CPRA to employees in California should not require widespread changes to existing procedures. For companies that do not already address privacy at all, the changes are bound to feel large. In either case, there are quite a few nuances to the law’s new requirements that depend heavily on the particulars of the business’s operations and are beyond the scope of any general summary. Any business that thinks it may be affected by the coming changes is advised to start now, to ensure plenty of time to meet the January 1, 2023 deadline.
The original CCPA exempted employee data from many of its compliance requirements, but specifically contemplated covering employees in the future. That coverage was confirmed by the voter action on the CPRA.