Welcome to the backstitch HR law blog, a series where we provide the latest updates on upcoming and recently in-effect legislation. Our blog series will provide short snippets of State, Federal, and Global changes in HR and employment law, so your organization can continue to stay up to date in the legal world.
The California Consumer Protection Act (CCPA), colloquially referred to as "California GDPR," introduces a wide variety of privacy requirements. While the law itself targets how businesses handle the data of customers, businesses will still need to take care when dealing with the personal information of their employees.
Does Your Organization Fall Under CCPA Jurisdiction?
To fall under CCPA, your organization must do business in the State of California and collect data. It must also meet at least one of three thresholds: have over $25 million in annual revenues; receive 50% or more of those revenues from the sale of personal data; or process the personal data of 50,000 people, households or devices. Because a company does not have to be physically located in California, it is important to examine whether your organization has any California employees or customers.
Make Privacy A Part of Your Employee On-boarding
CCPA does have business exemptions, under which information collected about representatives of businesses may be exempt from CCPA, because that information is not tied to an individual in a personal capacity.
However, the law is new and there are currently a variety of interpretations of the business exemption. It may be safer to err on the side of over-compliance until a precedent is set.
As an employer, you collect a lot of information about your employees, including employment status, hours worked, payroll, family and dependents, and even direct contact information. Notifications and permissions to collect and process this data should become a natural part of your new employee on-boarding. Your company should also provide privacy notices to everyone currently employed, through system-wide notifications or paperless on-boarding documentation.
Fortunately, there is a one-year exemption for the collection of employee data where it is relevant to their employment. However, there is no guarantee that this exemption will be renewed beyond January 1, 2021. The exemption is also limited in scope, and much of the information collection should still be disclosed.
Determine If Your HR Vendors are Compliant
The CCPA sets out several regulations governing the sale of personal data. Even if your organization does not sell any of its own employees' data, your HR vendors, such as those that provide your HRIS or intranet system, may aggregate that data and sell it. If that is the case, make sure that your vendors are also compliant: under CCPA, as a party that still determines how the personal data is used, you share responsibility with them. Your vendors will not only need to disclose what information is being collected and sold; they must also offer your employees a method to opt out of any data transfer. Finally, they should make sure their systems are reasonably secure against data breaches and security leaks.
As with the exemption in the previous section, some of this may fall under employment usage and therefore outside CCPA. However, care should still be taken over what kind of information your vendors collect and share with third parties, because anything that does not relate specifically to employment still falls under CCPA's jurisdiction.
Be Wary of the Right to be Forgotten
Individuals may request that their data be fully deleted within 45 days, or 90 days with an extension. CCPA also requires that the organization maintain a log of the request and the deletion action. This would be important in the event that a former employee, or another individual with no current ties to your company, requests that their information be deleted and later reapplies to the organization. However, if your employee's personal data exists across multiple systems and it is overly burdensome to fully delete the data, you may request a one-year stay, and determine every year whether you are now capable of complying with the deletion.
CCPA will change how a lot of organizations collect and handle personal data. For the full text, read the following link.