With that, however, comes a need for HR to keep an eye on state and local laws. One particularly notable law is California's sweeping California Consumer Privacy Act of 2018, as amended by the November 2020 California Privacy Rights Act.
The law stands out for a few reasons. For starters, "it's the first comprehensive state data privacy law in the United States," according to Ashley Shively, a data privacy attorney who represents management.
Generally, the CCPA governs the collection, use and disclosure of broadly-defined "personal information" that covered businesses collect — online or offline — from California residents, Shively, a partner with Holland & Knight in San Francisco, added.
It gives California residents the right to request that a business identify personal information collected about them in the last 12 months. With some exceptions, it also gives California residents the right to have the information deleted and to opt out of the sale of the information to others. In addition, the law prohibits businesses from discriminating against California residents for exercising CCPA rights.
Attorney Usama Kahf, a partner with Fisher Phillips in Irvine and chair of his firm's CCPA task force, points out that, "at its core, the CCPA provides California residents with the right to be notified at the point of collection of: (1) categories of personal information that businesses collect about them; and (2) the purposes for which the information will be used." The other rights flow from this core notice, Kahf explained.
Notably, the CCPA covers information related to the job setting. That is, "subject to certain limited exceptions, the CCPA applies to most employers that collect or use the personal information of their California employees, applicants and contractors," Shively said.
Another eye-opener? The scope of personal information covered.
On its website, the Office of the California Attorney General explains that personal information under the CCPA is information that "identifies, relates to, or could reasonably be linked" to a California resident or their household.
Shively said this includes traditional identifying information such as: name, physical address, Social Security number, email address, passport number and financial account information, as well as categories such as employment history, education information, signature and insurance policy numbers.
It also includes new categories, such as: IP address, internet or network activity information like browsing history and search activity, purchasing preferences and other identifying inferences that can be gleaned from the above information, she pointed out.
And it can include biometric data, such as what's used in employee time cards, when an employee swipes an access key card or fob; data related to when employees log onto a computer and what they did; and data from phones that have GPS-activated software, Kahf added.
And importantly, an alleged data breach can land a business in court. The CCPA gives California residents — including employees — the right to sue a business if nonencrypted and nonredacted personal information was stolen because the business failed to maintain reasonable security practices to protect the information. Plaintiffs can sue only for actual damages and can be awarded up to $750 per incident.
Shively explained that the law applies to for-profit businesses, regardless of where they are located, if they have a gross annual revenue of $25 million or touch the personal information of 50,000 California residents per year.
For example, employers located outside of California that meet the revenue threshold and have an employee working remotely from California may be covered, said attorney Lauren Daming, a member of the privacy and data security group at Greensfelder, Hemker & Gale in St. Louis.
The obligation is only to California residents, so the employee must be a resident of the state, Kahf pointed out; generally speaking, California residents are individuals who maintain a primary residence in the state or have spent more than six months out of the last 12 months in California.
Compliance first steps
Right now, employers must to do a few things to comply.
First, they must provide a "notice of collection" to all employees, job applicants and independent contractors who are California residents, Kahf said. The notice must describe all categories of personal information the company collects about them from any source and identify all the business purposes for which the information will be used.
The notice can be disseminated through such formats as an employee handbook or during the onboarding process, Daming said. She suggested employers get a signed acknowledgment. For job applicants, the notice must be provided at the point of collection, such as on the application they submit for the job.
Second, employers must implement reasonable security measures to safeguard information from unauthorized access or disclosure. Shively said these measures can include: "inventory and control of hardware and software assets; secure configuration of network devices; continuous vulnerability management; mail and web browser protections; incident response and management plans, and data recovery capabilities."
Employers also must give employees notice of the business' privacy policies and practices, Shively added; "Generally, this is done in the form of an internal-facing policy distributed to employees."
Data mapping is fundamental
Drafting a proper notice takes time. It's a "cross-disciplinary, cross-department exercise," Kahf explained. It should involve subject matter experts — such as human resources and IT staff, legal counsel and privacy specialists — in every function that involves collecting and using information about employees.
He and Daming pointed out that companies can get in trouble if they rely solely on input from HR or IT. HR may be a central repository for a lot of the information, Kahf explained, but IT will have other data. That's where data mapping and data inventory come in.
Kahf recommended this as a fundamental step toward CCPA compliance, not just with the notice but with other CCPA requirements as well.
Privacy consultant Jodi Daniels, CEO of Red Clover Advisors, explained that data inventory and data mapping are "all about understanding what you have, where it's stored, how it's used and how it flows through the business." The process also helps a business figure out what data it needs to protect, Daniels added. Data mapping is a visual map of the data, she explained; it helps understand the flow of the data.
Data inventory is your homework, Kahf added; "If you don't do it, your ability to comply with the law is in jeopardy."
And there's this: Under the CCPA, the "sale" of information can take place when data is shared with third parties for monetary or "other valuable consideration," Daniels pointed out. If the individual did not consent to sharing the data with a third party and the third party is able to use the information for other purposes, it can be considered "sold".
Because of that, employers need to make sure third-party vendors are using information shared with them only for that specific purpose, she emphasized. Daniels suggested employers have a contract with the vendors to that effect. For instance, if there's an employee survey conducted, the contract with the survey company should make clear the data can be used only for the company.
Conducting a data map or data inventory can help businesses identify which data is being shared and to what vendors, she said.
More obligations in 2023
As of January 1, 2023, California employees will have the right to request access to a copy of personal information an employer collected about them in the last 12 months.
They'll also have the right to request that personal information be deleted or corrected and to opt out from the sale and certain sharing of personal information with third parties.
In addition, an employer will have to provide a mechanism for employees to submit these requests. And employees will have the right not to be discriminated against for exercising these rights.
All this can raise other concerns. For example, CCPA regulations list several reasons why a request to delete can be denied, including complying with a legal obligation. That may include the obligation to maintain the confidentiality of covered records, such as employee reviews and complaints, Shively pointed out.
Also, even if employers have legal grounds to deny a request, they can't automatically do so, Kahf said. Instead, HR must make an individualized determination as to each request. Each response must identify what's being deleted, what's not being deleted and the reason why it's being retained, he explained. Data mapping and data inventory will help simplify this process, Kahf noted.
Another issue: Firing someone without considering the impact of the CCPA's anti-discrimination provision. For example, an employee who files a request to have personal information deleted and is then fired may claim they were wrongfully terminated in violation of the CCPA, Kahf said. He suggested that before taking action, HR confirm it has a good reason to terminate the employee and then identify the risks involved with the termination.
Two more states on board
This year, Virginia and Colorado passed similar laws, but employee information remains outside their scope.
In March, Virginia gained the Consumer Data Protection Act. "Like the CCPA, the VCDPA aims to protect consumers' privacy rights," Shively said. Also like the CCPA, the VCDPA "dictates how businesses must protect personal data in their possession and respond to consumers exercising their privacy rights."
And then in July, Colorado Gov. Jared Polis signed the Colorado Privacy Act into law. Similar to the CCPA and the VCDPA, it gives consumers the right to access, correct and delete their information, Shively explained.
Both laws are set to take effect in 2023.