The wheels are officially in motion for the California Consumer Privacy Act. The initial six-month enforcement delay period has now passed, and California Attorney General Xavier Becerra has made clear his intentions to enforce the law to its fullest extent. Insiders say that despite business disruptions due to COVID-19 and some California companies pushing for further enforcement delay, the attorney general's office had issued numerous notices of violation as of early July. Dozens of class-action lawsuits have already been filed under the law’s private rights of action. CCPA activity is expected to ramp up on both regulatory and litigation fronts, all while the last remaining delay — for the inclusion of employment data to be in scope for access and deletion rights — is anticipated to come into effect Jan. 1, 2021.

Unique to the CCPA is the inclusion of employees as “consumers” and applying the exceptionally broad definition of personal data, which may far exceed information typically contained in personnel or employment records. Many existing federal- and state-based data privacy regulations include carveouts or exemptions for information collected under the U.S. Health Insurance Portability and Accountability Act, Fair and Accurate Credit Transactions Act, and Genetic Information Nondiscrimination Act, as examples, and as part of the employment experience. Those regulations provide for individual rights to that personal information. As to other information typical of employee records (payroll, contact information, application, etcetera), California already has a labor law (Section 1198.5) granting current and former employees the right to inspect and receive a copy of their personnel records. This is similar to 19 other states (according to Nolo.com) that provide employees access to view and/or copy their employment records, which may be restricted, such as Connecticut’s limitation of accessing personnel records to twice per year. More than half of the states do not have laws or regulations as to employees accessing their employment records, let alone personal information as broad in scope as defined in the CCPA.

If everything proceeds as current law allows, the attorney general will have the authority to enforce violations relating to employment data dating back to Jan. 1, 2020, considered the “look-back” period. However, in a recent development, the

These developments pose additional burdens on companies with California resident employees. They are facing the arduous task of preparing for employment data coming in scope, alongside the uncertainty as to whether it will be in five months or more than two years when compliance is required.

Preparing for this aspect of the CCPA includes locating employee information in the same way it is done for consumer information and preparing to respond to individual rights around that data. Like customer data, employee data represents a vast universe of information, typically stored in digital and/or hard copy by various departments, in multiple locations. Finding, gathering, reviewing and preparing that data in response to a rights request can be a lengthy and costly process. 

Despite the fact that businesses have known about this provision since the law was enacted, most have been reluctant in their preparation efforts or simply underestimated the lift necessary to meet these requirements. Many of the law’s opponents expected that the issue would be further delayed or that the law would be revised to exempt employee information, as we have now seen. The CCPA was a contentiously fought effort, and the CPRA will likely follow suit. Potentially hundreds of thousands of companies will be subject to the employment data inclusion. While some companies may have been taking steps to prepare, the COVID-19 pandemic has almost certainly derailed or delayed forward progress in the last several months. Nevertheless, the issue and uncertainty remain.

The prudent organization will prepare now for employment data coming into the scope. Companies unsure of where to begin or in need of a reality check that they are implementing the extra precautions and processes necessary to handle this unique facet of the law properly can look to the checklist below as a guide.

  • Bolster privacy and compliance support. Unless the CPRA or another CCPA amendment passes later this year (thus modifying the current obligations or extending CCPA moratoriums), all aspects of the CCPA will apply to current, former and prospective employees at the start of 2021. These individuals will have the right to access and delete any of their data that is no longer in use or required for their employment. If the company has been negligent in complying with CCPA or has experienced a data breach, these individuals will have the right to pursue legal recourse for any exposure of their personal data. Last year, the California attorney general issued a report by independent economy research firm Berkeley Economic Advising and Research, stating that operationalizing CCPA for consumers would cost an estimated $55 billion. Doing so for employment data will likewise require an increasing investment in resources, especially for large employers that are likely to see a significant surge in the number of requests once rights are opened up to employees.
  • Map it out. Employment information spans current and past employees, as well as job applicants. It can be spread around among various systems or partially processed by third parties. Job seekers may fill out an online form when they apply, then fill out hard copy paperwork when they are hired and provide personal information in various places — for performance reviews, bonuses, benefits enrollment, etcetera — through the duration of their employment. Properly protecting that information means first knowing where it is generated, as well as where and how it is stored. When individuals begin making individual rights requests, companies will need to rely on up to date data maps and inventories to ensure they can find the full scope of information in question and adequately respond.
  • Consider the unique sensitivities. While much of the privacy ramp up for employee data will be the same as it was for consumer data, employment information brings unique sensitivities. Employees may be reluctant about exercising their individual rights with their employers out of concern that they might inadvertently jeopardize their good standing with their superiors. In severe cases, individuals may be torn between leveraging their privacy rights and imposing additional strain or legal liability on their employer. It’s important for companies to address these issues directly and build steps into their processes that ease the burden for employees and those fulfilling these newly-granted access requests. Employers must understand that while in the past, employment data was considered company property, and that is no longer the case in California.
  • Create a repeatable process. Strong processes are key to maintaining and demonstrating data privacy compliance. When building processes around employee data, legal and compliance teams should be thinking about a variety of factors, including how to safely provide requested data electronically, documentation of the controls in place to protect sensitive information, how requests are fulfilled, and legal parameters for when certain data requests can or should be denied. Employee data for one person may also contain sensitive information for another employee. Processes need to be in place to ensure anything sensitive that does not pertain to the employee requesting the information is fully redacted.
  • Contingency plan for breaches and lawsuits. Data breaches are a fact of doing business. While a breach can be highly damaging to a company, a business can get back to normal fairly quickly if the incident is well-handled. Now, as lawsuits relating to the breach of California citizen personal information are also becoming a fact of doing business, the same principle applies. Breaches of employment data can put employers and employees in a difficult position, but if the issue is addressed using best practices, everyone will benefit. Data privacy compliance efforts must include incident response plans for data breaches and increasing lawsuits and account for the extra sensitivities that may arise if lawsuits involve employees.

Photo by LYCS Architecture on Unsplash