On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" personal information.
Preparing for compliance
Privacy professionals should start their engines because this will be a race to the finish line on Jan. 1, 2023. For any organization that has not already started preparing in earnest on B2B and HR personal information, four months is precious little time to align data collection and processing practices with these new laws. A few big-picture thoughts on the process are as follows:
Help senior leadership understand business impact
The direct applicability of CCPA/CPRA to B2B and HR personal information marks the first time comprehensive privacy regulation has come to the U.S. The direct regulation of B2B and HR personal information may be a bit of a shock for many companies. Unless a carve-out applies, e.g., for Health Insurance Portability and Accountability Act-regulated protected health information), companies will need to be ready to meet strict privacy obligations for personal information about a broad range of individuals, such as employees, contractors, job applicants, B2B customer contacts and prospects, web and mobile application visitors, supplier contacts, and other individuals. Privacy professionals will need to quickly and credibly explain the potential business impact on their organization. The goal should be to equip business leaders with enough information that the leaders can help shape and drive toward efficient solutions.
Aim to be a trusted advisor
Business leaders may naturally wish to place the core responsibility for privacy compliance, i.e., the "monkey," on the back of the privacy office. In reality, the privacy office does not own the people, processes, and systems that collect and process B2B and HR personal information. In contrast, the privacy office is at its best when it serves as a trusted advisor to the business that empowers the business to make strategic decisions on risk and helps build and enhance strong privacy compliance policies and procedures. See related IAPP guidance note on "Applying privacy law in 3 dimensions: How to focus on solutions and maximize value."
Pragmatism as the north star
A privacy professional is unlikely to have enough time to launch and complete a full-blown data mapping exercise before Jan. 1, 2023. Pragmatism should be the north star for this effort. For example, rather than launching a comprehensive data mapping, the privacy office could engage the "brain trust" of the business leaders to identify the most important systems that collect and process B2B and HR personal information and expedite the core compliance activities. Otherwise, the company may find itself in a situation where the perfect has become the enemy of the good.
Core tasks to address the application of CCPA/CPRA to B2B and HR personal information
Although the specifics will vary depending on the company, a high-level checklist for privacy professionals should include the following:
- Confirm the right tone at the top. Success depends on whether senior leadership endorses the initiative with the right "tone at the top." Resources are tight, and many company stakeholders have already identified year-end deadlines for other mission-critical projects. Many company leaders are focused on addressing compliance obligations but may have questions about risk and likelihood of enforcement. It will be important to confirm that California's employees and workforce personnel may leverage new privacy rights for pre-litigation discovery and other aspects of disputes. On the B2B side, the specifics will depend on the company, but if customer contacts have any kind of sensitivity to privacy or compliance, or if competitors take the position that privacy compliance is a brand differentiator, it will be essential to establish and maintain an effective privacy compliance program.
- Organize productive kick-off meetings. Participants in these kick-off meetings should include core functional areas, such as legal, information technology, information security and compliance. It may be more beneficial to establish one working group for HR, a second working group for B2B, and perhaps a third working group for any consumer-facing or digital marketing activities. There is no one size fits all for this, but you'll want to be organized and efficient in the presentation so that the teams will "get it" immediately and start working collaboratively on the next steps.
- Develop a core inventory of California personal information. For each core working group, HR, B2B and consumers, develop an inventory of key systems and assets that collect and process the relevant personal information. The inventory should also reflect how and under what terms such information is disclosed to other parties, including vendors, suppliers, distributors, business partners and others. This information will be critical for businesses to carry out all other privacy compliance aspects.
- Confirm whether the business engages in the "sale" or "sharing" of personal information and amend or update contracts accordingly. Evaluate whether the business engages in any disclosures of personal information that may constitute a "sale" or "sharing" of personal information. B2B companies may engage in such activities in connection with certain advertising and digital marketing. For HR personal information, most companies will likely aim to structure their disclosures of HR personal information to avoid "sales" and "sharing." For benefits providers and other parties that might typically be considered "controllers" under European Union and other frameworks, the company should consider whether such disclosures could, for example, be considered to be directed by the individual or otherwise result from the individual's use or direction to the business to interact with one or more parties. For other situations, the company could consider whether it has or could implement service provider terms to qualify for an exception to sale and sharing.
- Confirm whether the business engages in any use or disclosure of sensitive personal information that might be subject to instructions to limit use and disclosure. CPRA establishes a robust list of personal information that is considered "sensitive," including elements such as Social Security Number, passport number, biometric information used to uniquely identify the individual, information about sex life or sexual orientation, the contents of an individual's mail, email, and text messages (unless the business is the intended recipient), and the like. CPRA establishes a general rule that individuals must be able to limit the use or disclosure of sensitive personal information beyond what is "reasonably necessary to provide the services or provide the goods reasonably expected by an average consumer," or other limited exceptions. Although the language from these consumer-focused privacy rules raises interpretational challenges as applied to HR personal information, most companies will likely seek to collect and process sensitive personal information only as strictly needed for such purposes as providing benefits and/or compliance with the law and therefore take the position that the company only uses and discloses sensitive personal information as permitted by CPRA, (without needing to offer employees the choice to limit the use and disclosure of such sensitive personal information).
- Update privacy notices. The company should also develop and/or enhance relevant privacy notices, including updates to existing externally facing privacy notices, e.g., a website privacy statement, as well as the basic version of privacy notices for employees that had already been required under the CCPA. These updated privacy notices should take account of all the content requirements for notices in the CCPA/CPRA, including the obligation to identify the length of time the company intends to retain each category of personal information or the criteria used to determine that period. One strategic question for the HR privacy notice is whether the company would direct such notice to its California workforce only or employees in other U.S. states. The benefits of applying the privacy notice to all employees in the U.S. could provide a strong sense of fairness for employees across the country. However, the absence of CCPA/CPRA-like privacy laws in other states and the attendant potential employment law and litigation risks suggest limiting these privacy promises to California employees only.
- Prepare and provide B2B and HR contacts with the opportunity to exercise their rights with respect to their personal information. All B2B and HR contacts should be able to exercise the full rights afforded to them under the CPRA as of Jan. 1, 2023, including access and right to know, correction, and deletion rights. Although there is no one size fits all approach, it may be logical to bundle responses to B2B contacts with any consumers/web visitors and align the process through a consent management platform. For HR personal information, it may be that an internally facing request and response mechanism, preferably building from what HR already has in place for employees, might be the most secure and logical approach. Additionally, the company will need to implement processes on the back end to ensure it can execute those rights. This will require company working groups to consider how to address rights such as access/right to know, objection and deletion in the context of the exclusions and general exceptions available under CCPA/CPRA.
Ongoing journey
If the company follows the approach described above, it will have taken important steps on a tight timeline to establish a basic program for B2B and HR personal information under CCPA/CPRA. However, privacy professionals should set expectations for senior leadership that there will be additional clarifications in the law and further regulatory requirements, including potentially similar regimes coming in other U.S. states. As such, all signs are that this will be an ongoing journey for some time to come.