[co-author: Blair Robinson]*
California law will soon require businesses to treat their employees and business partners as consumers under the California Consumer Privacy Act (CCPA). The CCPA and its successor law, the California Privacy Rights Act (CPRA), give California consumers dignified rights over their personal information collected and processed by commercial entities doing business in California. The CCPA applies to such entities that do business in California and collect personal data of California consumers, have annual gross revenues of more than $25 million, possess personal information of 100,000 or more consumers, or earn more in half of their annual income from data brokering.
Employee, Job Applicant and 1099 Contractor Data
Previously, the CCPA did not include employee data; however, this exemption is set to expire on December 31, 2022. The California State Legislature defied expectations by ending the 2022 legislative session without passing an extension. Although the legislature may pass a new exemption in the next legislative session, businesses subject to the CCPA must prepare to process employee CCPA requests beginning January 1, 2023.
Fortunately, most businesses already have HR processes in place to allow employees to access and correct their personal data. Current OSHA and EEOC record-retention-requirements also cover most employee data, meaning it is unlikely to be deleted upon deletion requests under the CCPA (ie, data cannot be deleted to “comply with a legal that obligation”). However, companies must now also allow job applicants to know, view, delete, and correct personal information, and EEOC regulations require businesses to maintain applicant records internally. a year. Businesses should carefully monitor when that obligation ends and allow applicants to delete their data as soon as legally permitted.
B2B data
The CCPA also includes an exemption for business-to-business (B2B) data collected from agents or representatives of other businesses. However, this exemption is also set to expire on December 31, 2022. Beginning January 1, 2023, California B2B contacts have the right to know, view, correct, and delete personal information. Certain personal information may be exempt if necessary to “complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted pursuant to federal law, provide product or service requested by the consumer, or reasonably expected by the consumer within the context of an ongoing business relationship of a business with the consumer, or otherwise to perform a contract between the business and the consumer.” However, one has to consider companies out of the box when responding to these requests. Unlike employee and general consumer data, which companies typically collect in a centralized system, B2B data can be scattered across systems that track emails , contracts, accounts payable, and countless other business processes.
How Do You Prepare?
- Your Employee Inventory + B2B Data: Businesses should review employee and applicant information (as well as 1099 contractors) to confirm that their privacy notice properly describes the categories of personal information they collect and process to determine “sensitive personal” that information” subject to the new CPRA rights. Businesses should pay close attention to B2B data and clearly document which categories of personal data are stored and in which systems.
- Enter into Data Processing Agreements with Service Providers: Businesses using third-party HR software such as Workday and ServiceNow must add data processing addendums that include specific required terms to their contracts. The CCPA requires these agreements with all service providers, including providers that process employees’ personal information.
- B2B Portals or Websites: If your business collects B2B contact information through a portal or website, you may need to update your privacy policy and include specific provisions required under the CCPA/CPRA.
These are just basic steps. However, if you haven’t yet assessed whether the CCPA applies to your business, now is the time. And, after making that assessment, it may mean implementing a compliance program to avoid fines and penalties and private actions against your business.
*Non-Lawyer Intern
[View source.]