
A Look at CCPA Regulations and Employment Related Data


On March 29th, 2023 the long-awaited CCPA regulations became effective, after the CPRA's amendments to the CCPA, California's privacy law, went into effect on January 1 of this year. Among the many clarifications they offered, these regulations removed the exemption of employment-related information from the privacy law, so that the information of California employees, job applicants, and independent contractors, collectively called HR Data Subjects, is now covered in the same way as that of California consumers.

Under the law, ‘employment-related information’ is defined as “personal information that is collected by the business about a natural person” and ‘employment benefits’ means “retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.” These two definitions are connected to each other and are relevant when thinking about who is covered, since, per the regulations, “the collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.” What this means is that not only employees themselves are covered, but also their dependents.

As such, employers are required to post an online privacy policy, establish means for HR Data Subjects to exercise their data rights, and ensure that there is a written contract mandating CCPA obligations between themselves and any third-party service providers. This is a departure from the previous regime, under which a brief notice at collection was the only requirement: California employers will now have to put in place a data privacy program that contains both the notice at collection and the privacy notice.

Each of the two has its own disclosure requirements, as listed below:

Notice at Collection
  • A list of the categories of personal information, including categories of sensitive personal information, to be collected.
  • The purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used.
  • Whether each category of personal information identified above is sold or shared.
  • The length of time the business intends to retain each category of personal information identified or, if that is not possible, the criteria used to determine the period of time it will be retained.
  • If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing or, in the case of offline notices, where the webpage can be found online.
  • A link to the business's privacy policy or, in the case of offline notices, where the privacy policy can be found online.

Privacy Notice
  • The categories of personal information the business has collected in the preceding 12 months.
  • The categories of sources from which the personal information is collected.
  • The specific business or commercial purpose for collecting or sharing personal information.
  • The categories of personal information, if any, that the business has sold or shared with third parties in the preceding 12 months.
  • The categories of third parties to whom the information was sold or shared.
  • The categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months.
  • The categories of third parties to whom the information was disclosed.
  • The specific business or commercial purpose for disclosing personal information.
  • A statement regarding whether the business uses or discloses sensitive personal information for purposes other than those specified in the law.
  • A list of the data rights and how employees can exercise them.

Because of the overlapping requirements, employers may combine the Notice at Collection and the Privacy Notice, and the final CCPA regulations confirm this, but they mandate that HR Data Subjects must be directed to the relevant section of the privacy policy where the information required in the notice at collection is found.

There are a few additional pieces of information that employers have to include in the privacy policy, such as "a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age," instructions on how an authorized agent can submit a request under the CCPA, and how HR Data Subjects can use an opt-out preference signal and how the employer will process it. Given that employers do not generally engage in selling or sharing the personal information of HR Data Subjects, opt-out preference signals will rarely apply.

As regards data rights, HR Data Subjects have the following rights: 

  • The right to know, which includes (1) the right to disclosure about how the business collects, uses, and discloses the requestor's personal information and (2) the right to access the specific pieces of personal information obtained by the business.
  • The right to delete.
  • The right to correct.
  • The right to opt out of the sale of personal information.
  • The right to opt out of sharing of personal information, meaning disclosure of personal information to third parties for behavioral advertising.
  • The right to limit the use and disclosure of sensitive personal information.

When responding to a request to know, correct, or delete, employers have to confirm receipt of the request within 10 business days, and if the request is denied, they are required to explain the basis for the denial. Responding to a request has a deadline of 45 calendar days, with the option of extending this by an additional 45 calendar days.

The regulations also mandate that in the case of a Data Access Request (the Right to Know), the company has to provide the requestor with "all the personal information it has collected and maintains about the [data subject] during the 12-month period preceding the receipt of the request." HR Data Subjects may request that they be provided with personal information collected beyond the 12-month period, "as long as it was collected on or after January 1, 2022," and the employer has to provide this information "unless doing so proves impossible or would involve disproportionate effort," in which case it will not be required to provide the information "as the business provides the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort."

With the effective date for CPRA enforcement, July 1, 2023, only a few days away, businesses should hopefully be well on their way to implementing the new regulations and be prepared to respond to consumer requests, whether from a general California consumer or from one of their HR Data Subjects.


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • Ready Compliance: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can see Clym in action for yourself by booking a demo, or reach out to us to discuss your specific needs today.