Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, employment data had been exempted from most of the CCPA’s requirements. But the new amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) come into effect on January 1, 2023, and that, coupled with the fact that the legislature failed to extend the employer exemptions, means that many categories of human resources data will be subject to the requirements of the law.
The Current CCPA Employer Exemptions Are Expiring
As it stands (and through the end of 2022), covered employers are only obligated to notify employees of the categories of data being collected and the purposes for which the data will be used. In the event of a security breach involving employee data, employers are required to notify affected individuals and could be liable for statutory damages. In response to these requirements, most covered employers developed privacy notices with the required disclosures and reviewed their data security policies and protocols to ensure consistency with best practices.
But starting in 2023, employee data will be treated as any other commercial information, and covered employers will need to add employee and human resources data to their ongoing compliance efforts. Indeed, under the CCPA, “personal information” is defined broadly to include information that “identifies, relates to, describes, is reasonably associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” Cal. Civ. Code § 1798.140(o)(1). In the employee or human resources context, personal information could include an employee’s contact information, insurance and benefits elections, bank and direct deposit information, emergency contacts, dependents, resume and employment history, performance evaluations, wage statements, time punch records, stock and equity grants, compensation history, and many other forms of data routinely collected in the context of the employment relationship. Moreover, the CPRA introduces a new concept of “sensitive personal information” (such as financial information, social security numbers, communications content, health information, and biometrics) that must be considered and addressed by the employer.
New Requirements Take Effect in 2023
As to those third parties, the employer must enter a Data Processing Agreement (“DPA”) with such vendors that governs the vendors’ treatment of personal information. Specifically, the DPA must:
- identify the specific business purposes/services for which the vendor will process personal information;
- prohibit the retention, use or disclosure of the personal information for any other than the specified purposes;
- require the vendor to comply with the CCPA;
- give the employer the right to take reasonable appropriate steps to ensure the vendor’s use of personal information is consistent with the employer’s obligations under the CCPA;
- require the vendor to notify the employer if it can no longer comply with applicable privacy obligations;
- give the employer the right to stop and address the vendor’s unauthorized use of personal information;
- require the business to inform the vendor of any employee request (as discussed below);
- prohibit the sale and sharing of personal information; and
- require that any sub-processors engaged by the vendor be contractually bound to the vendor’s obligations under the DPA.
The CPRA amendments also give rise to certain request rights vis-à-vis personal information. These rights, along with the expiration of the CCPA exemptions, enable employees to make requests with regard to their personal data. Specifically, employees may request:
- to access the specific pieces of personal information the employer holds about them (including any profiles and/or inferences) collected or generated in or after 2022;
- to correct any inaccurate personal information;
- that the employer delete personal information collected (subject to certain exceptions);
- to restrict the use of their sensitive personal information to specific business purposes or disclosures; and
- to opt out of the sale of personal information to third parties.
Unless an exception exists, such request received from an employee, contractor, or job applicant must be honored within 45 days (extendable for one additional 45-day period). To facilitate compliance, the CCPA also requires businesses collecting personal information to make available two or more designated methods for submitting requests for information (including, at minimum, a toll-free telephone number), and to disclose and deliver the required information to a consumer within 45 days of receiving a request. Cal. Civ. Code § 1798.130. For covered employers, this will likely mean developing an online form, hard copy form, app, and/or telephone hotline for employees to submit CCPA requests, and also implementing a process for production of the required information.
Such disclosure requirements are not entirely new. Under the Labor Code, California employers already have some obligations to produce personnel records (such as wage records and the employee’s personnel file) to employees upon request. But the CCPA goes beyond these existing requirements and would require employers to disclose and deliver, free of charge, the personal information the business has collected about them, as well as the sources from which the information is collected; the business or commercial purpose for collecting the information; and the categories of third parties with whom the business shares personal information. Cal. Civ. Code §§ 1798.100, 1798.110. Given the broad definition of “personal information,” this requirement likely encompasses much more personal information than was previously required to be maintained and disclosed, and may be quite burdensome for employers to collect and produce.
The new right to demand deletion of employee information begs questions as to conflicts with certain legal requirements to retain such information. Recognizing this, the CCPA provides several exceptions to the data deletion requirement, including where retaining the data is necessary to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;” to “comply with a legal obligation;” or to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” See Cal. Civ. Code §§ 1798.105(d)(7)-(9). While employers will have plausible arguments that most employee data falls within one of these exceptions, it is unclear how a reviewing court would apply these exceptions in the employment context. Employers should therefore think carefully about the categories of employee data collected and whether they may have an obligation to delete any of that data upon employee request. It should also be noted that, following retention of data based on such an exemption, the employer may not use the data for any purpose unrelated to that exemption. For example, if an employer retains a past employee’s personal information to comply with tax law obligations, it may not use that retained data to contact the employee for marketing purposes.
To ensure compliance with the CCPA once it becomes broadly applicable to employment data, covered employers should take the following steps:
- Assess the categories of personal information collected, retained, and disclosed about employees, including whether the CCPA requires disclosures about that data, deletion of such data upon request, or other obligations.
- Implement a DPA to be included in all vendor relationships that involve employee data.
- Develop a mechanism for employees to make requests regarding their personal information.
- Identify the person to receive requests under the CCPA, and train staff on how to respond to such requests.
 Further references to the CCPA will refer to the law as amended by the CPRA.