A Look at CCPA Regulations and Employment Related Data
On March 29th, 2023, the long-awaited CCPA regulations became effective, after the CPRA’s amendments to the CCPA, California’s privacy law, went into effect on January 1 of this year. Among the many clarifications they offered, these regulations removed the exemption of employment-related information from the privacy law, so that the information of California employees, job applicants, and independent contractors, collectively called HR Data Subjects, is covered the same as that of California consumers.
Under the law, ‘employment-related information’ is defined as “personal information that is collected by the business about a natural person” and ‘employment benefits’ means “retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.” These two definitions are connected to each other and are relevant when thinking about who is covered, since, per the regulations, “the collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.” What this means is that not only employees themselves are covered, but also their dependents.
Each of the two has disclosure agreements, as listed below:
- Notice at Collection
As regards data rights, HR Data Subjects have the following rights:
- The right to know, which includes (1) the right to disclosure about how the business collects, uses, and discloses the requestor's personal information and (2) the right to access the specific pieces of personal information obtained by the business.
- The right to delete.
- The right to correct.
- The right to opt out of the sale of personal information.
- The right to opt out of sharing of personal information, meaning disclosure of personal information to third parties for behavioral advertising.
- The right to limit the use and disclosure of sensitive personal information.
When responding to a request to know, correct, or delete, employers have to confirm receipt of the request within 10 business days, and if the request is denied, they are required to explain the basis for the denial. The deadline for responding to a request is 45 calendar days, with the option of extending it by an additional 45 calendar days.
The regulations also mandate that in the case of a Data Access Request (the Right to Know), the company has to provide the requestor with “all the personal information it has collected and maintains about the [data subject] during the 12-month period preceding the receipt of the request.” HR Data Subjects may request that they be provided with personal information collected beyond the 12-month period, “as long as it was collected on or after January 1, 2022,” and the employer has to provide this information “unless doing so proves impossible or would involve disproportionate effort,” in which case it will not be required to provide the information “as the business provides the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort.”
With the effective date for CPRA enforcement, July 1, 2023, only a few days away, businesses should hopefully be well on their way to implementing the new regulations and be prepared to respond to requests, whether they come from a general California consumer or from one of their HR Data Subjects.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.