Employee Data under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023

Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, employment data had been exempted from most of the CCPA’s requirements. But the new amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) come into effect on January 1, 2023, and that, coupled with the fact that the legislature failed to extend the employer exemptions, means that many categories of human resources data will be subject to the requirements of the law.

The Current CCPA Employer Exemptions Are Expiring

As it stands (and through the end of 2022), covered employers are only obligated to notify employees of the categories of data being collected and the purposes for which the data will be used. In the event of a security breach involving employee data, employers are required to notify affected individuals and could be liable for statutory damages. In response to these requirements, most covered employers developed privacy notices with the required disclosures and reviewed their data security policies and protocols to ensure consistency with best practices.

But starting in 2023, employee data will be treated as any other commercial information, and covered employers will need to add employee and human resources data to their ongoing compliance efforts. Indeed, under the CCPA, “personal information” is defined broadly to include information that “identifies, relates to, describes, is reasonably associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” Cal. Civ. Code § 1798.140(o)(1). In the employee or human resources context, personal information could include an employee’s contact information, insurance and benefits elections, bank and direct deposit information, emergency contacts, dependents, resume and employment history, performance evaluations, wage statements, time punch records, stock and equity grants, compensation history, and many other forms of data routinely collected in the context of the employment relationship. Moreover, the CPRA introduces a new concept of “sensitive personal information” (such as financial information, social security numbers, communications content, health information, and biometrics) that must be considered and addressed by the employer.

New Requirements Take Effect in 2023

So what does this mean for employers? First, employers must prepare and provide a privacy notice to an employee (or a job applicant since such applicant is likely providing personal information) at or before the time personal information is collected. This could mean including a privacy policy (and a click-through mechanism) on any online application site, in the employee handbook, and/or on internal websites. The privacy policy is likely to be similar to the online privacy policy the employer includes for consumers, though it will need to be revised to accurately reflect the categories of personal information collected (along with the length of time the employer intends to retain data in each category), as well as the categories of third parties with whom such information will be shared (e.g., payroll service providers, etc.).

Read the full Privacy blog post with key takeaways here.