in a nutshell
In less than two months on January 1, 2023, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), will take full effect in the context of job seekers and employment.
In addition, with respect to job applicants and employees, companies subject to the CCPA must (i) issue a further revised privacy notice, (ii) be prepared to respond to data subject requests, and (iii) ) have decided whether to sell or share. Personal information for cross-context behavioral advertising; and (iv) deciding whether to use or disclose sensitive personal information for purposes other than those specified. A number of additional compliance obligations apply when an employer sells, shares for cross-context behavioral advertising, or uses or discloses sensitive personal information other than for limited purposes. See also our related previous post: Employers Must Prepare Now for New Employee Privacy Rights in California.
1. Confirm the contract with the person to whom personal information regarding applicants and personnel is disclosedThe CCPA stipulates certain types of clauses that must be included in agreements between parties exchanging personal information, and must include specific data processing clauses if you do not want it to be considered a “sale.” Yes (the CCPA defines this to mean disclosure). (in exchange for monetary or valuable consideration) or “shared” (which the CCPA defines to mean disclosure for the purposes of cross-context behavioral advertising) personal information and provide a relevant opt-out process. Due to the CCPA’s non-discrimination requirements, it is impractical for employers to provide an opt-out right in most scenarios. The CCPA Rules, currently under revision by the California Privacy Protection Agency (the latest draft at the time of this publication is available here), contains additional requirements. Businesses must keep their contracts updated with those to whom they disclose personal information.
2. Prepare/amend notice at time of collection and include HR data in online CCPA privacy policyBeginning in 2020, the CCPA will require employment-related pick-up notices, but beginning January 1, 2023, certain new disclosure requirements will apply. A comprehensive online CCPA privacy policy must also reflect the processing of HR data. Because California law increasingly establishes its own requirements and uses its own terminology, a privacy notice that is specific to the CCPA and may be used to address privacy laws in other jurisdictions , you should consider updating/preparing a privacy notice at the time of collection. (Beginning January 1, 2023, businesses will be required to use specific CCPA terminology to describe categories of personal information in all notices of collection). At the same time, we must be careful about setting or denying any expectations of privacy. If we issue a privacy notice to a job applicant or employee that only addresses the disclosure requirements of the CCPA, the recipient of such notice will be subject to investigations aimed at protecting data security, colleagues and trade secrets. privacy expectations that may later hinder the implementation of security measures and the deployment of surveillance technologies. Compliance objectives.
3. Prepare/update and document data subject requests program and train HR professionalsJob applicants and employees residing in California will get data access, portability, correction, deletion, and other rights in 2023. Protocols and training should be in place to ensure that HR, compliance, and similar teams can consistently address requests. in a timely and compliant manner. Any email, spreadsheet, contract, or other document that refers to a California-based employee constitutes “Personal Information” that must be produced free of charge upon request for access. To reduce the amount of data that can be subject to data access requests, while tracking where information is stored, data retention and deletion protocols need to be strengthened. This also helps you comply with the CCPA’s new data minimization requirements. Documenting the program is important because the draft regulation also defines the concept of “disproportionate effort” in the context of businesses meeting consumer demands. A disproportionate effort is the time and/or Defined as a resource. Under the draft regulation, businesses would be exempted from the obligation to respond to data subject requests by exempting them from excessive scrutiny only if they had appropriate processes and procedures in place to receive and process consumer requests in accordance with the CCPA and its regulations. effort can be claimed. The draft regulation provides an example of a situation that could lead to excessive effort, in which businesses identify certain information in response to data as part of the fact-gathering relevant to preparing the required privacy notice. You should also consider documenting any undue effort required to do so. Subject request and reason.
4. Consider whether and to what extent you process “sensitive personal information”, such as when using employee monitoring software, and address relevant CCPA requirements;California residents have the right to request that a company stop using and disclosing “Sensitive Personal Information” except for its specified purpose. The CCPA defines “sensitive personal information” as government identifiers, precise geolocation data, information about racial or ethnic origin, religious or philosophical beliefs, and other California residents. We define it to include the content of mail, e-mail and text messages addressed to you. from business. If you would like to process sensitive personal information for purposes other than those specified, you must post a link online with the title “Restrict Use of Sensitive Personal Information”. The CCPA may also require you to participate in privacy risk assessments and allow California residents to opt out of automated decision-making activities in certain circumstances. Diversity and inclusion data often contain sensitive personal information, and employers may run programs that may give rise to rights to restrict the use or disclosure of such information. should be considered (see our thoughts on running privacy-compliant inclusion and diversity programs globally). The newly formed California Privacy Protection Agency is in the process of clarifying some of these requirements, some of which are addressed in draft revisions to the CCPA rules (without triggering the right to restrict confidentiality The limited purposes for which sensitive personal information may be used and disclosed are set forth in subsection 7027(m) of the November 2022 Draft Regulations). We encourage you to keep abreast of such developments to ensure that your HR data processing activities are compliant. For progress, see the California Privacy Act blog.
The California Attorney General’s Office is currently enforcing the CCPA, and beginning July 1, 2023, the California Department of Privacy Protection will have authority to take administrative enforcement action under the CCPA. Administrative fines of up to USD 7,500 per intentional violation. CCPA now requires the California Attorney General’s Office to give the company her 30-day remediation period before taking enforcement action. Beginning July 1, 2023, the California Attorney General’s Office and the California Privacy Protection Agency will be able to take enforcement action without delay.
