On March 29, 2023 the long-awaited CCPA regulations became effective, after the CPRA's amendments to the CCPA, California's privacy law, went into effect on January 1 of this year. Among the many clarifications they offered, these regulations removed the exemption of employment-related information from the privacy law; the information of California employees, job applicants, and independent contractors, collectively called HR Data Subjects, is now covered in the same way as that of California consumers.
Under the law, ‘employment-related information’ is defined as “personal information that is collected by the business about a natural person” and ‘employment benefits’ means “retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.” These two definitions are connected to each other and are relevant when thinking about who is covered, since, per the regulations, “the collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.” What this means is that not only employees themselves are covered, but also their dependents.
As such, employers are required to post an online privacy policy, establish means for HR Data Subjects to exercise their data rights, and ensure that there is a written contract mandating CCPA obligations between themselves and any third-party service providers. This is a departure from the previous regime, in which a brief notice at collection was the only requirement: California employers will now have to put in place a data privacy program that contains both the notice at collection and the privacy notice.
Each of the two has its own disclosure requirements, as listed below:

| Notice at Collection | Privacy Notice |
| --- | --- |
Because of the overlapping requirements, employers may combine the Notice at Collection and the Privacy Notice. The final CCPA regulations confirm this, but mandate that HR Data Subjects must be directed to the specific section of the privacy policy that contains the information required in the notice at collection.
There are a few additional pieces of information that have to be included in the privacy policy by employers such as “a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age,” instructions on how an authorized agent can submit a request under the CCPA, or how HR Data Subjects can use an opt-out preference signal and how this will be processed by the employer. Given the fact that employers do not generally engage in the selling or sharing of personal information of HR Data Subjects, opt-out preference signals will rarely apply.
As regards data rights, HR Data Subjects have the following rights:
When responding to a request to know, correct, or delete, employers have to confirm the receipt of the request within 10 business days, and in case the request is denied, they are required to explain the basis for the denial. Responding to a request has a deadline of 45 calendar days with the option of extending this to an additional 45 calendar days.
The regulations also mandate that in the case of a Data Access Request (the Right to Know), the company has to provide the requestor with "all the personal information it has collected and maintains about the [data subject] during the 12-month period preceding the receipt of the request." HR Data Subjects may request that they be provided with personal information collected beyond the 12-month period, "as long as it was collected on or after January 1, 2022," and the employer has to provide this information "unless doing so proves impossible or would involve disproportionate effort," in which case it will not be required to provide the information "as the business provides the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort."
With the effective date for CPRA enforcement, July 1, 2023, only a few days away, businesses should by now be well on their way to implementing the new regulations and be prepared to respond to consumer requests, whether from a general California consumer or from one of their HR Data Subjects.
Here is a checklist to facilitate compliance for your business with the California Consumer Privacy Act:
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
You can see Clym in action by booking a demo, or reach out to us to discuss your specific needs today.