Businesses located in California or with employees who live in the Golden State may face new regulatory compliance challenges starting January 1, 2023. That is a result of the passage of the California Privacy Rights Act (CPRA) which amends the California Consumer Privacy Act (CCPA) to regulate human resources data in addition to personal consumer data. HR data was exempt from the reach of the CCPA but the change to include employee data in privacy protection has been percolating in recent years.
The following article briefly describes the two related consumer privacy laws and explains what HR departments need to know before January 1, 2023.
What is the California Consumer Privacy Act (CCPA)?
Lawmakers introduced the California Consumer Privacy Act (CCPA) into the California Civil Code in January 2018. The governor signed the legislation into law in June of that same year.
The CCPA gave consumers more control over the types of personal and sensitive information that businesses may collect on them and to whom they may sell or distribute that information. The CCPA regulations guide businesses on how to carry out the law. The CCPA went into effect in January 2020.
How does the California Privacy Rights Act change the CCPA?
The California Privacy Rights Act (CPRA) broadens the CCPA's impact on consumer and employee rights. For this reason, you may also hear people refer to the law as CCPA 2.0. The law imposes new data security requirements concerning the:
- Processing of personal and sensitive financial consumer information;
- Deletion of data related to personal consumer information; and
- Access to such personal information concerning California employees, job applicants, and third-party service providers the law defines as contractors.
For the law's purposes, data under the CPRA includes employee performance reviews, attendance records, and other HR records not previously considered personal information by the CCPA.
Taken together, the CCPA and the CPRA are the first far-reaching consumer privacy laws in the U.S to include employee privacy rights. As such, the laws change the way companies must conduct business. California's privacy laws apply to businesses:
- Doing business in California,
- With employees living in California, and
- Contractors.
Employers in states other than California should pay heed to these important changes because other states are likely to follow California's lead.
What Do Human Resources Professionals Need to Know?
The CPRA defines Sensitive Personal Information (SPI) as information that reveals the following consumer or employee data:
- Social Security numbers, driver's license numbers, state identification cards, and passport numbers;
- Account numbers, debit card/credit card numbers, and login information, passwords, or codes;
- A consumer or employee's exact location, genetic information,
- Race or ethnic origins, religious affiliations, union membership, or
- Content of the consumer's mail, email, or text messages.
CPRA enhances privacy rights to allow consumers/employees to delete, correct, and review information collected about them. It also allows them to request businesses to produce data collected about them.
Employees may block the sale and sharing of their SPI and forbids employers to punish or retaliate against them for exercising these rights. Data under CPRA includes sensitive internal employee data and gives employees the same rights under CPRA as the rights provided to consumers.
What Is a "Data Breach" under the CPRA?
A data breach under the CPRA is any type of consumer/employee data theft. A data breach under CPRA provides employees with the right to file legal action to redress the violation of their rights. The last thing an employer needs is to take risks with compliance. Also, the data breach may result in statutory damages.
CCPA and CPRA apply to the following businesses:
- For-profit companies doing business in California that collect, share, or sell private consumer information;
- Earn $25 million in gross revenue in the prior year;
- Process consumer data of 100,000 or more consumers;
- Earn more than 50% of revenue from the sale of personal consumer information.
Penalties for violations of CPRA depend on whether the breach is unintentional ($2,500 a day) or intentional ($7,500 a day).
How Can CCPA-Compliant Businesses Become CPRA-compliant?
The easiest way for HR departments to become CPRA compliant is to treat all internal employees the same way they would treat external consumers when it comes to privacy issues. This means taking the following steps:
- Providing all employees and consumers with privacy notices;
- Train employees on how to access/update/delete their personal information and how to opt out of sharing personal information;
- Review all service provider contracts to make sure they comply with CCPA/CPRA requirements; and
- Determine whether employee personal data is secure and whether HR collects only appropriate information.
Businesses that already comply with CCPA do not need to make major changes to their privacy protocols. Multi-state employers, however, will want to consider whether to extend CPRA rights to employees in all states or to limit the privacy protection to California residents.