Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Update: Governor Newsom signed AB 1281 into law on September 29, 2020.
California’s governor may soon sign into law a one-year delay of the California Consumer Privacy Act’s (CCPA) full application to human resources data. On August 28, 2020, California’s legislature passed A.B. 1281, which extends the exemption for human resources data from most CCPA obligations to January 1, 2022. The exemption was previously set to expire on January 1, 2021. Governor Newsom is expected to sign the bill by September 30. If A.B. 1281 becomes law, employers subject to the CCPA can breathe a sigh of relief. With administrative staff already stretched handling issues related to the COVID-19 pandemic, expanding current compliance efforts to address all of the CCPA’s burdensome requirements would have been daunting for most employers.
CCPA’s Exemption for Human Resources Data
The CCPA now exempts human resources data from all but two of its provisions. First, employers must provide HR Individuals (defined below) with a “Notice at Collection” when or before collecting their individually identifiable information (“personal information”). This notice must describe 1) the personal information the company will collect about these individuals, and 2) the purposes for which the company will use that information. HR Individuals means California residents in their capacity as applicants, employees, contractors, owners, directors, medical staff members, emergency contacts of the foregoing, and employees’ dependents or beneficiaries who receive company benefits.
Second, the CCPA grants HR Individuals, like other California residents, the right to recover up to $750 in statutory damages, on an individual or class-wide basis, from a company that breaches its human resources personal information due to a failure to implement reasonable safeguards.
The exemption for HR Individuals was originally set to expire on January 1, 2021, at which point HR Individuals would enjoy the rest of the rights that the CCPA provides to California residents.1
Full Obligations of the CCPA
The full CCPA would impose heavy burdens on employers with respect to human resources data. In addition, for the notice at collection and private right of action, the CCPA imposes two key sets of obligations on covered businesses.
First, the CCPA requires a covered business to post a detailed website privacy policy. This policy must disclose detailed information about how the business handles personal information, including:
- The categories of personal information the business has collected about California residents in the preceding 12 months;
- The categories of sources from which the personal information was collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of personal information, if any, that the business has disclosed for a business purpose or sold to any third party in the preceding 12 months; and
- For each category of personal information identified, the categories of third parties to whom the information was disclosed or sold.
In addition, the privacy policy must explain the rights the CCPA grants to California residents and how to exercise those rights.
Second, subject to certain limitations, the CCPA grants California residents:
- The right to know what personal information a business has collected about them and details about how the business handles that information;
- The right to have a business delete their personal information; and
- The right to opt out of sale of their personal information.
For most employers, building a program to comply with these obligations would be a burdensome and time-consuming process. Companies typically have to undertake a data-mapping exercise to identify all of their repositories of HR Individuals’ personal information and the flow of that personal information into and out of the company. Based on the findings from the data-mapping exercise, the company must draft and publicly post an accurate privacy policy. To comply with data rights requests, a business needs to create an internal administrative structure to process the requests. Finally, companies often implement internal policies and procedures on handling the requests, including a suite of administrative forms.
The California Privacy Rights Act Ballot Measure and Continued Uncertainty
Uncertainty about whether the exemption for HR Individuals would expire left employers in a state of limbo in 2020. The sunset date of January 1, 2021, for the HR Individuals’ exemption was originally intended to encourage further negotiations in the California legislature over the CCPA’s application to human resources data. California legislators had expressed an intention to replace the HR Individuals’ exemption with a data protection law tailored to the employment context. Sidetracked no doubt by the pandemic, the California legislature did not focus on this issue in 2020. This left covered businesses uncertain about whether to start the process of complying with the full CCPA for human resources data.
California’s legislators may eventually turn more attention to the CCPA’s treatment of HR Individuals. In the meantime, the CCPA is more likely to be amended through a different route. This past spring, a California privacy rights group obtained the necessary number of signatures to place a ballot measure on the November 2020 ballot that, if adopted, would materially revise the CCPA. Titled the “California Privacy Rights and Enforcement Act of 2020” (CPREA), the ballot measure would expand existing rights and provide additional rights to California residents with respect to their personal information. Notably, the CPREA would extend the exemption for HR Individuals’ personal information until January 1, 2023, but on that date, HR Individuals would obtain the full rights of the CPREA.
The Takeaway: More Time, for Now
For now, employers most likely gain another year’s respite from complying with all the obligations of the CCPA. If the CPREA passes in November, they will have more than a two-year reprieve. Without another ballot measure or more action from the California legislature, however, employers will eventually be required to comply with all of the CCPA’s or CPREA’s obligations.
See Footnotes
1 For a comprehensive discussion of the CCPA’s application to HR Individuals, please see Philip Gordon, Kwabena Appenteng, and Zoe Argento, Employers Receive Last-Minute Reprieve From The Most Onerous CCPA Compliance Obligations, Littler Insight (Sept. 17, 2019).