What is the CCPA and what does HR need to know?
Update November 19, 2019: An amendment to the State's new privacy law, the California Consumer Privacy Act, will temporarily exempt employee data from most of the requirements. Fisher Phillips outlines what employers need to do before January 2020.
The California Consumer Privacy Act (CCPA), intended to protect the privacy of California residents, is having a ripple effect across the United States. Originally designed to give California consumers new rights, the definition of “consumer” in the Act is so broad that your workforce data may also be affected. If you're an employer who may be impacted by the CCPA, here are 5 actions you can consider before the new privacy law goes into effect on January 1, 2020.
1. Audit your HR data
Before protecting active employee, terminated employee and job applicant data, it’s important to get a full picture of the personal information your company collects. Not sure where to start? A good first step is to connect with teams across the organization to identify how your organization collects, processes, stores and deletes personal employee information. As a more advanced option, many HR teams are conducting risk assessments designed to assure the lawful and legitimate handling of personal information.
2. Reduce your data collection
Once you know the personal employee information your organization collects, it’s time to consider whether you need the data you’re collecting and storing. Under the CCPA, employers are obligated to disclose the personal information collected, shared and sold in the previous 12 months upon request (with some exceptions). This can be challenging for an employer, both because of the work involved in compiling records and because of the potentially sensitive nature of the data.
For example, imagine the complications that can arise when an underperforming employee requests communications related to being put on a performance improvement plan. By reducing the personal data that’s collected, you can limit both the burden of compiling data and the risk of having to provide sensitive communications to potentially litigious employees.
3. Create a process to manage employee disclosure and deletion requests
Under the CCPA, individuals can request information about the personal data that’s collected. They can also request the deletion of their personal information and opt out of the sale of their data (if applicable). For employers with a large California employee population, processing these requests can take a substantial amount of manual work. Consider where you can create efficiencies and move to automated processes to reduce the time it takes to handle information and deletion requests. For example, both U.S. and European employers complying with the General Data Protection Regulation may be able to build on existing processes for individual access requests.
4. Review and update privacy policies and notices
The CCPA requires that individuals be informed of their personal data rights through a special notice to California residents. Review HR-related personal data collection practices to see where notices may need to be updated to reflect the new requirements, and where you may need to create a separate notice for California employees. Some California employers are considering extending the rights to all their employees and job applicants. While this can make it easier to apply the law, it can also create additional risks.
5. Look out for changes to the law
The CCPA has been modified once already and there is the possibility of additional modifications to the legislation prior to 2020. One potential change is allowing “consumers” to take private rights of action for any violation of the CCPA (i.e., employees could initiate lawsuits, even when there are no damages). Given that California is known to be a litigious state, this change could substantially increase liability for employers.
It seems more than possible that there will be certain modifications before the law goes into effect (potentially even excluding employee data from the law). In any case, the Attorney General is expected to issue regulations that will provide additional guidance. Therefore, it’s a good idea to keep an eye out for updates that may impact Californian employee data.
Managing CCPA compliance
You can use the steps above as a starting point for your HR team to prepare for the CCPA. If you're reviewing your employee data collection practices and are looking for tips to help manage your employee data, remember that PeopleDoc Employee File Management customers have access to HR Compliance Assist. If you're not a customer, learn how technology can help you stay ahead of CCPA compliance in the eBook, A Practical Guide to Proactive HR Compliance.
About Robin Sendrow
Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist. Previously, Robin managed client HR communications and provided outsourced HR support. She has a Master's in Psychological Counseling from Teachers College, Columbia University.