What is CCPA?
The California Consumer Privacy Act (CCPA) is an act passed in 2018 that governs the access to, deletion of, and sharing of personal information collected by businesses. It came into full effect on 1 January 2020, and companies still have a grace period of 6 months to ensure that they comply with the regulations before they are penalized.
The Act gives California consumers the right to know what personal information is collected about them and how it is being used, shared, or sold. They can ask businesses not to sell their personal information, or to delete their information entirely. California consumers must also not be discriminated against for exercising their right to privacy.
The Act is not limited to sales of products or services; it also applies to employee data, though with some caveats for the companies, which we will come to later in this article.
So, How Does CCPA Relate to HR Data?
First of all, let’s understand the scope of CCPA. For-profit businesses located in or outside of California that are “doing business” in California and fulfil any of the following three conditions are bound to follow the CCPA:
- Firms having gross annual revenues of more than $25 million
- Companies involved in buying, receiving, or selling of personal information of 50,000 or more consumers, households, or devices
- Firms generating 50% or more of their annual revenues from selling personal information of consumers
If your company ticks any of these boxes, it’s time to have a CCPA policy in place. For instance, even if a company deals with California consumers without having a physical office in California, or if a company hires California residents, there is a good chance that it falls under the scope of this Act.
Now, coming to the question that concerns HR leaders of today, will CCPA impact HR data? The short answer is, YES. While the focus stays primarily on consumer data, HR data is no exception to the expanse of CCPA. However, it’s not applicable to medical information governed by the Confidentiality of Medical Information Act (CMIA). Furthermore, protected health information collected by a covered entity or business associates governed by the privacy, security, and breach notification rules of HIPAA/HITECH is also outside the scope of CCPA.
Any personal information collected by companies as part of their recruiting or training procedures does fall under the banner of CCPA. However, Assembly Bill 25, signed into law on 11 October 2019, grants a short-term and limited reprieve for employee data by establishing an exemption from the CCPA’s requirements to provide rights of access, correction, and opt-out of sale of personal information for California employees. “Employees” here is the collective term for California residents who are job applicants, officers, directors, owners, employees, medical staff, or contractors. So, up until December 2020, employers can be exempted from the regulations of CCPA as long as the information collected is used solely within the context of such an individual’s position as an employee. Upon request, a company may still need to disclose the personal information collected, shared, and sold in the previous 12 months (with some exceptions).
But there are two catches!
- Companies need to notify California resident employees of the categories and purpose of collecting their personal information at or before the point of collection of any information.
- If a data breach is caused by the company’s failure to implement and maintain proper security measures, California resident employees have a private right of action if their personal information is accessed by any unauthorized means.
What to Do in Order to Comply?
The Act requires companies to update their internal and external notices with respect to CCPA. These documents must clearly state what personal employee data a company collects and what it intends to do with that information. In a nutshell, HR departments need to be fully transparent about the collection and use of data, and every employee needs to be clearly made aware, in advance, of the personal information being collected and the purpose of collecting it.
To stay compliant, companies need to update their privacy policy every 12 months and include it in internal notices such as written policies, employee handbooks, training manuals, offer letters, employee agreements, service agreements, and wherever else possible.
Quite evidently, the same rule applies to consumers, who need to be notified of the same via external notices (privacy policies).
The Bottom Line
While collecting employee data is an important function for companies, employers need to understand that compiling and storing huge amounts of sensitive data, and producing it when requested, may be an uphill task overall. HR teams should audit their policies and make sure to collect only the personal and performance data of their employees that is strictly necessary, to avoid the hassles that may present themselves in the future. In addition, even though CCPA is quite relaxed with regard to HR data at this moment, the scenario may change very soon. For this reason, companies should start creating a procedure to manage employee disclosure and deletion requests while there is still time.