Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
California regulators and policymakers seem to go out of their way to talk about why their state's consumer privacy law is the "strongest." This is debatable. But there's at least one area where they are indisputably correct: the application of the law to employee data.
That's right. As hard as it may be for some businesses to believe, personal data across the employment cycle has been subject to the California Consumer Privacy Act since 1 Jan. 2023, when the exemption excluding employee data from the law was allowed to expire.
In the U.S., data privacy is rooted in consumer protection law, so privacy rights are generally viewed through the lens of data subjects' relationships with organizations as consumers of goods and services. This is reflected in the lack of application of comprehensive privacy laws to nonprofit organizations — with the important exceptions of Colorado and Oregon and only very narrow exemptions in New Jersey, Maryland and Minnesota. And, generally, it translates to a lack of application of privacy rules when a data subject is acting as an employee.
Though California's exemption for employee data is now firmly expired, operationalizing the requirements of the CCPA for an organization's job applicants and employees can still be a little tricky. For example, how do data rights like the right to delete translate from the consumer context to the employee context? Much personal data that a business collects through the employee relationship is likely subject to exemptions from the obligation to delete on request, as the use of such personal data is "reasonably anticipated within the context of a business's ongoing business relationship with the consumer" or for security or legal compliance obligations.
In the newly finalized regulations from the CPPA — now rebranded as "CalPrivacy" — the agency provides another example when clarifying the security purpose for which sensitive data may be processed, even if opted out. Specifically, "a business may scan employees' outgoing emails to prevent employees from leaking sensitive personal information outside of the business. However, scanning the emails for other purposes would not fall within this exception to the consumer's right to limit." This is an important example because it shows there may be many uses of an employee's data that fall squarely outside of the exceptions — and would trigger additional compliance obligations, such as providing a notice about the employee's right to limit such processing.
The regulations also provide plenty of clarity for the application of California's automated decision-making rules to the employment context, where decisions related to hiring, assignment of work, compensation, promotion and termination are all subject to the clarified rules.
Nevertheless, the application of a law written consistently to refer to "consumers" presents numerous opportunities for interpretive disagreement when applied to employees.
But one more aspect of California's employee privacy requirements should be crystal clear: businesses that meet thresholds to comply with California law must provide privacy notices to job applicants and employees that meet CCPA requirements.
This is one of the reminders from the California Privacy Protection Agency’s recent settlement with Tractor Supply. In the stipulated final order, CalPrivacy includes a screenshot of a "deficient notice to job applicants." Although the company included a section titled "California Consumer Privacy Act Disclosure," the notice did not specify the data rights available under the CCPA or how the job applicant could exercise them.
This, and other alleged deficiencies, put Tractor Supply on the hook for USD1.35 million.
It is a simple but potentially impactful lesson. Privacy pros need to make sure they have applied California's privacy law across the employment context, from basic notices and disclosures to considerations of data uses and rights.
Please send feedback, updates and employee notices to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to this and other IAPP newsletters can be found here.