HR data is now regulated under California privacy law: How to tackle compliance

2023 will be yet another dynamic year for data privacy regulation.  In addition to the data privacy laws in Virginia, Colorado, Utah, and Connecticut going into force this year, businesses also have to contend with the fact that as of January 1, California employers are required to fully comply with the California Consumer Privacy Act, as amended (“CCPA”) for all personal information concerning their employees, contractors, job applicants, and other similar types of personnel (collectively, “HR Data”).  In other words, California employees, contractors and applicants now have the full panoply of rights available under the CCPA, creating compliance challenges and the potential for government enforcement.  These challenges are further complicated by the fact that the California Privacy Protection Agency (“CPPA”) has yet to issue any regulations or guidance to help organizations decipher how they might apply the consumer directed law to HR Data.  Nevertheless, organizations with California personnel need to pull HR Data within the scope of their privacy compliance program, with an eye toward making meaningful progress before enforcement of the revised CCPA begins in July, 2023.

To that end, the following compliance measures will help companies with California personnel evaluate and address their obligations under the amended CCPA with respect to HR Data:

• Application of CCPA.  As a threshold matter, privacy teams should evaluate whether their organization is subject to the CCPA. The CCPA applies to any for-profit business that “does business” in California and either: a) has an annual gross revenue of at least $25 million; b) buys, sells, or shares the personal information of at least 100,000 California residents; or c) derives at least 50% of its revenue from the sale or sharing of the personal information of California residents.^[1] 
• Understand/Map HR Data Flows. To determine the scope of obligations under the CCPA, California employers should prioritize mapping the collection, use, and disclosure of personal data of California residents within their organizations. Specifically, businesses should identify internal departments that process California HR Data and evaluate the categories of HR Data involved (e.g., names, dates of birth, governmental identification numbers, etc.), how that data is being processed, the systems such data is hosted on or accessible from (whether internal or external), and whether and to what extent third parties are processing such data. Since the CCPA imposes data minimization requirements on businesses, retention periods (and relevant deletion obligations) for HR Data should also be considered. Typically, starting with internal Human Resources teams and Information Technology teams to map out the use of HR Data provides broad insight on other departments that may have access to the data. This information will serve as the backbone for next steps (e.g., content of notices, implementation of employee/personnel rights infrastructure, etc.) and is critical for building a dynamic CCPA program for HR Data.
• Prepare or Update Employee/Job Applicant Notices.  Under the amended CCPA, notices to personnel and job applicants that explain the type of HR Data collected and the purposes of collection must be much more detailed than under the original CCPA and must provide additional information, including information about data subject rights, retention periods and other issues. In practice, personnel notices will include similar information as that required for consumer privacy notices under the CCPA, along with some further information mandated by the amendments to the CCPA (such as the additional data subject rights).
• Expand Data Subject Rights Capabilities. In addition to making sure to expand existing data subject rights infrastructure to address new data subject rights under the CCPA (such as the right of rectification^[2]) for customer data, such program must also be expanded to include HR Data. As with the other steps, the data mapping exercise will be critical to understanding where HR Data is stored, how it is used and how requests to exercise data privacy rights can be addressed. For certain rights requests, California employers should prepare to maintain information on data usage from the prior 12 months in order to respond appropriately beginning on January 1, 2023.^[3] In addition, California employees will need work closely with HR teams to make sure that this process is considered in conjunction with California labor rules regarding employee rights to access personnel files. And, employers will need to carefully examine their use and disclosure of certain types of sensitive personal information (e.g., information about race and ethnic origin, health and medical conditions and/or sexual orientation) to make sure that such uses and disclosures do not trigger a right for employees to limit their use of such personal information. 
• Service Provider Agreements. It will be important to confirm that agreements with HR service providers or other third parties that access HR Data meet the content obligations for service provider agreements under the CCPA,^[4] and that such providers have implemented the technical infrastructure to assist California employers in meeting their obligations under the CCPA (e.g., meeting access and deletion requests, implementing retention and deletion requirements). Businesses should address this issue with new contracts now, and develop a strategy for revisiting extant agreements.
• Review Incident Response Policies and Procedures.  The private right of action for certain data breaches includes qualifying breaches of HR Data under the current language of the CCPA.^[5] Businesses should review their incident response processes and procedures to ensure that such policies are current, and more generally businesses should take into account data minimization procedures to decrease the risk of exposure. Businesses should also review their cybersecurity policies to ensure they are adequate.

The inclusion of HR Data in the scope of the CCPA is an immediate compliance challenge that California employers need to evaluate and address.  However, it – along with the four other state privacy laws going into effect this year – is part of a broader trend towards increased regulation in this space, underscoring the need for businesses to understand how they collect, manage, and disclose data and to thoughtfully address new privacy requirements in a manner that makes sense in light of the company’s overall privacy compliance approach. 

^[1] 11 CCR § 7012(f).

^[2] CCPA § 1798.106.

^[3] For instance, if an employee or job applicant requests access to the HR Data maintained by the business, the business must provide an explanation of the HR Data collected, used, or disclosed during the prior 12 months, or since January 1, 2023 for requests made prior to January 1, 2024.  CCPA § 1798.130(a)(3) – (5). The obligation to maintain information on HR Data usage begins on the operative date of the amendments to the CCPA and is not retroactive.

^[4] CCPA § 1798.100(d), 140(ag).

^[5]CCPA § 1798.150(c).