Last week, the California Legislature adjourned its 2022 legislative session without passing proposed legislation (AB 2871, AB 2891, SB 1454, AB 1102) that would have extended or made permanent exemptions under the California Consumer Privacy Act (CCPA) applicable to personal information collected in human resources (HR) and business-to-business (B2B) contexts. We described the HR exemption and the B2B exemption in previous blog posts. These exemptions will now expire when the California Privacy Rights Act (CPRA) amends the CCPA on January 1, 2023, leaving CCPA-regulated businesses four months to comply with the full spectrum of the CCPA’s requirements as applied to HR and B2B data. CCPA compliance efforts must now address personal information of a broad scope of Californians from whom businesses collect personal information, including:
- job applicants, employees, non-employee staff, independent contractors, advisers, directors, owners and shareholders
- contacts at current and prospective business customers, vendors and partners
- B2B website visitors
- business leads and contacts purchased or obtained from third-party sources
- event attendees and office visitors
- business email correspondents
- most other individuals in human resources information, customer relationship management and contact management systems
Core CCPA requirements that will extend to HR and B2B data include:
- Giving privacy notices – with the same level of detail currently required for consumer-facing privacy notices – to personnel, job applicants and business contacts
- Honoring requests from personnel, job applicants and business contacts to exercise rights under the CCPA, including rights to:
- know how their personal information is used and shared
- access a copy of the personal information
- delete personal information they provided
- correct personal information
- opt out of certain uses and sharing of personal information, including any sale of personal information, sharing of personal information for behavioral advertising purposes or use of sensitive personal information for certain purposes
- exercise rights free of discrimination
- Ensuring vendors with access to HR or B2B data are subject to specific contractual data-use prohibitions necessary to qualify the vendors as “service providers” or “contractors” and that granting such access does not constitute restricted “selling” or “sharing” of personal information from which Californians can opt out
- Ensuring third parties to whom HR or B2B data is sold, or with whom it is shared for behavioral advertising purposes, are subject to contractual obligations specified in the CPRA
Given the breadth of the individuals in scope, and the volume of data that businesses collect about them, extending compliance measures required by the CCPA to HR and B2B data entails a significant level of effort. In particular, gathering, reviewing and producing the large volume of personal information that employers maintain about employees can be a difficult task. California employees already have a right to their personnel records under Section 1198.5 of the California Labor Code but the CCPA will substantially enlarge the scope of personal information to which employees are entitled. Businesses should also be mindful that employees, job applicants and other individuals may be able to leverage their CCPA rights to access information that is helpful to them in disputes without having to initiate litigation and discovery.
For more information on the requirements that will apply to HR and B2B data effective January 1, 2023, see Cooley’s CPRA Resource Page.