In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information.
Employee and Business Personal Information
While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.
The Exemption and its Demise
The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.
The expiration of the exemption will be challenging. While many consumer-facing companies have adopted policies and procedures that can be adapted to employee and B2B personal information, many companies that have little or no consumer contact will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.
For all businesses, employee information will raise issues, since employers are obligated to collect vast amounts of personal information, including sensitive personal information (such as financial, health and intimate personal characteristics) to conduct businesses. These businesses will need to address the information they collect, where it is held, who has access to it and how it is used. Businesses will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights.
Business Challenges
Personal information obtained from employees presents particular significance. California businesses need to evaluate the differences and similarities between the rights afforded to employees under the CCPA (including how the exemptions from disclosure and deletion apply), and those provided under the California labor laws. California employers have, or should have, adopted many of the processes required under the CCPA. For example:
- Right to Know – The CCPA gives consumers the right to request that a business disclose (i) the categories of personal information collected, (ii) the sources of such personal information, (iii) third parties to whom the business disclosed the personal information, and (iv) what personal information was sold/shared and to whom. California law has several laws affording employees the “right to know” certain types of information the employer has collected, including the employee’s personnel file, documents signed by the employee, and payroll records. In contrast, the CCPA is broader in scope and requires employers to disclose geolocation, biometric, internet activity, inferences drawn, and other information that employers might collect. Additionally, the timelines for compliance with a request are different under the CCPA from California labor laws.
- Right to Delete – The right to request that a business delete personal information collected from the individual. Employers should assess federal, state and local retention requirements pertaining to employment records, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code Section 12946, and California Labor Code Section 226 to determine potential exemptions to a deletion request under CCPA Section 1798.105(d)(8), which exempts a business from deleting information necessary “to comply with a legal obligation.” These exemptions may also apply to B2B personal information.
- Right to Opt Out of Sale or Share – Under the CCPA, consumers have the right, at any time, to direct a business that sells or shares personal information not to sell or share such information. Employers should not only reassess their disclosure agreements with vendors but also ascertain whether their vendors are service providers, contractors or third parties under the CCPA, since the disclosure of an employee’s personal information to a vendor may be viewed as a “sale” under certain circumstances.
- Right to Limit Use and Disclosure of Sensitive Personal Information – Employers should assess whether they are processing an employee’s personal information, and whether that includes sensitive personal information. For example, if an employer is processing sensitive personal information (such as racial or ethnic origin) for diversity and inclusion purposes, it may be permitted under an exception. However, if an employer is processing sensitive personal information for purposes of inferring characteristics of its employees and using artificial intelligence to assist with hiring, including using automated decision systems, this right may be triggered.
B2B Implications
While the emphasis of this development has been the impact on employers, B2B personal information is now subject to the same regime as employee personal information. Businesses need to analyze their collection and use of B2B personal information, as well as provide the same rights as the rights to a consumer under the CCPA, including the right to know, right to delete, right to opt out of sale or share, and right to limit use and disclosure of sensitive personal information.
Next Steps
Businesses subject to the CCPA should immediately take steps to comply with these new requirements, including:
- Update CCPA processes and controls to address employee and B2B data.
- Conduct a review and inventory HR processes to see where employee data may exist, what data the business maintains and whether such data is subject to the CCPA.
- Update notices at collection and privacy policies for employees, applicants, and contractors.
- Update existing processes to respond to employee requests under the labor code and engage stakeholders to design new policies and procedures for responding to privacy rights requests in 2023, including the treatment of potential exemptions under the CCPA.
- Review and update contract terms with service providers, contractors and third parties to incorporate new required terms under CPRA and mitigate the risk.
Jeffer Mangels Butler & Mitchell, working through its Cybersecurity and Privacy Group, address privacy and security issues and assist with compliance, both with state, federal and international data protection laws. For more information, contact Robert Braun (RBraun@jmbm.com) or Michael A. Gold (MGold@jmbm.com).
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.