Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.
As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions, which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.
Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.
Businesses that are subject to the CCPA and that have California employees or deal with other California companies will need to make substantial efforts to update their privacy programs. We outline some of the necessary steps below.
- Data Inventory
Businesses should start by inventorying their employee and business-to-business data collection activities to determine what personal information the business collects, how it handles personal information, and the necessary steps to comply with California law by January 1, 2023. Note the CPRA includes a 12-month “look-back” provision that requires businesses to map out all information retained since January 1, 2022.
In the employee context, the CCPA’s definition of “personal information” is much broader than employers may anticipate. This means that the employee data subject to California’s restrictions will go beyond personnel files and payroll data to include metadata and usage data, photos, audio and video recordings, biometric data, key swipe records, network logs, geolocation data, and much more.
- Privacy Disclosures
Businesses will need to prepare and distribute more detailed privacy notices for employees that explain what categories of personal information, including sensitive personal information, the business collects, how that information is handled and for what purpose, and what rights an employee has with respect to that information.
Although the CPRA regulations are still not finalized, draft § 7011 provides a window into the types of detailed disclosures the CPRA regulations will require, including identifying the length of time the business will retain personal information or, if that is not possible, the criteria used to determine that period. Businesses will also need to ensure that existing privacy notices incorporate disclosures relating to business-to-business data processing.
In the employee context, any employee monitoring activities will need to be closely scrutinized. For example, in addition to the CPRA’s notice requirements, § 1798.100(c) provides that a “business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Section 7002 of the draft CPRA regulations provides that, to be reasonably necessary and proportionate, the business’s processing “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses will want to consider how any employee monitoring activities comply with these – and other – CPRA requirements.
- Employee Requests
Businesses must develop internal and external policies and procedures for accepting, verifying, and responding to employee requests to access, correct, and delete personal information collected on the employee. They also will need to analyze whether they are “selling” or “sharing” employee personal information and, if so, allow employees to opt out of the same. Finally, businesses will need to consider whether they are collecting sensitive personal information as the CPRA defines the term and, if so, whether they must provide employees with the right to limit the business’ use of such sensitive personal information.
Employee access requests will prove to be especially sensitive and challenging, as they can be a precursor to litigation. Businesses should treat any such requests like discovery requests in litigation and ensure that the information provided is limited to what the statute requires, that it reflects a complete search of company records, and that any necessary redactions are made.
- Data Transfers
As of January 1, 2023, businesses will need to have data processing agreements in place for all transfers of personal information to other entities. This includes transfers to service providers, contractors, and third parties. Businesses will need to negotiate new data processing agreements with vendors that process employee or business-to-business data to include the specific California provisions. We discussed the CPRA’s data processing agreement requirements in further detail here.