California legislative session ends without extending CCPA employee-data exemptions: Next steps for businesses

At a glance

• On 31 August 2022, the California legislature adjourned without extending the temporary exemptions under the California Consumer Privacy Act (CCPA) for workforce and business-to-business data.
• As a result, companies must take steps to comply with the CCPA with regard to such data by 1 January 2023, when the California Privacy Rights Act (CPRA) amendments take effect.

On 31 August 2022, the California legislature adjourned without extending the temporary exemptions under the California Consumer Privacy Act (CCPA) for workforce and business-to-business data. As a result, companies must take steps to comply with the CCPA with regard to such data by 1 January 2023, when the California Privacy Rights Act (CPRA) amendments take effect.

Workforce privacy rights and obligations

Under current law, the CCPA’s limited workforce data exemption imposes limited obligations on covered businesses with respect to personal information collected from job applicants, employees, and contractors (the workforce) in employment contexts.

Specifically, upon collecting personal information, such businesses are only required to provide notice to workforce members of the categories of personal information collected and the purposes for which such personal information will be used. The businesses are still subject to the private right of action for data breaches that occur due to failure to implement reasonable security practices and procedures appropriate for the particular type of personal information.

With this exemption now set to expire – and the CPRA amendments due to take effect – on January 1, 2023, workforce members will have the following privacy rights, subject to several exceptions:

• The right to request that a business disclose (i) the categories of personal information collected; (ii) the sources of such personal information; (iii) third parties to whom the business disclosed the personal information; and (iv) what personal information was sold / shared and to whom (the Right to Know Categories);
• The right to request that a business disclose the specific pieces of personal information collected (the Right to Know Specific Pieces);
• The right to request that a business delete personal information collected from the individual (the Right to Delete);
• The right to request that a business that maintains inaccurate personal information correct such information (the Right to Correct);
• The right, at any time, to direct a business that collects sensitive personal information to limit use of such information (the Right to Limit); and
• The right, at any time, to direct a business that sells or shares personal information not to sell or share such information (the Right to Opt-Out).

These new CCPA rights supplement well established rights to which certain workforce members are entitled under the California Labor Code, including to inspect and receive a copy of personnel records, to request and receive a copy of signed documents, and to inspect payroll records.

CCPA enforcement

The CCPA currently charges the California Attorney General with issuing regulations and enforcing the CCPA. However, the CPRA amendments created a new California Privacy Protection Agency to promulgate implementing regulations and enforce provisions of the CCPA. To date, the Agency has issued draft regulations and is still proceeding through the formal rulemaking process.

While CPRA and its implementing regulations take effect on January 1, 2023, the Agency’s enforcement of the provisions added or amended by the CPRA will not begin until July 1, 2023. In the meantine, the provisions originally contained in the CCPA will remain in effect and enforceable by the California Attorney General.

Next steps for employers

Employers preparing for 1 July 2023, should consider the following next steps:

• Examine your existing CCPA processes. Many companies have already had to create control frameworks and processes for CCPA from a consumer data perspective. They should now undertake to import / adapt those controls and processes to address workforce data.
• Examine business processes that have significant HR data. Conduct a review and inventory HR processes to see where workforce data may exist, what data the business maintains and whether such data is subject to the CCPA / CPRA. This review will also provide insight into the assets and technology used by Human Resources to maintain workforce data.
• Privacy notices. To account for new privacy rights and disclosure requirements, update notices at collection and privacy policies for employees, applicants, and contractors.
• Prepare for privacy rights requests. Review existing processes and workflows leveraged by Human Resources to respond to employee requests under the labor code and engage stakeholders to design new policies and procedures for responding to privacy rights requests in 2023.
• Update contracts. Review Human Resources vendors and update contract terms with service providers and contractors to incorporate new required terms under CPRA and mitigate the risk.

Learn more about the implications of these legislative developments by contacting any of the authors or our Data Protection, Privacy and Security team via PrivacyGroup@dlapiper.com.