The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business Personal Information (PI) likely will not be extended. Aug. 31, 2022 was the last day for each house to pass bills, per the California Constitution (Art. IV, Sec 10(c) and the Joint Rules (J.R. 61(b)(18))), and no legislative proposals or amended bills made it to the floor. This means that on Jan. 1, 2023, full consumer rights will apply to the PI of workforce members1 as well as to their PI collected on behalf of their employer in the context of "providing or receiving a product or service to or from" a business (B2B).
Businesses should assess how consumer rights apply to workforce member and B2B PI, and prepare to provide workforce member and B2B with CCPA or California Privacy Rights Act (CPRA) rights, including the right to know, the right to delete, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the right of no retaliation following opt-out or exercise of other rights.
California businesses should carefully assess the differences between the rights afforded to workplace members under the CCPA, including exemptions, and those provided under the California Labor Code. Most California employers should have in place many of the processes required under the CCPA. For example:
- Right to Know – The California Labor Code has several laws affording workforce members the "right to know" certain types of workforce member information the employer has collected, including but not limited to (1) Personnel File (Cal. Labor Code § 1198.5), (2) All Documents Signed (Labor Code § 432) and (3) Payroll Records (Labor Code § 226). However, the CCPA, amended by the CPRA, may be broader in scope and may have new and different obligations for employers that do not exist under the current Labor Code, including possible additional PI in scope (e.g., geolocation, biometric, internet activity, inferences drawn, etc.) and different timelines for compliance with a workforce member's request.
- Right to Delete – Employers should assess federal, state and local retention requirements pertaining to workforce member PI, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code § 12946, and California Labor Code § 226 to determine potential exemptions to a deletion request under CCPA §1798.105 (d)(8)'s "to comply with a legal obligation."
- Right to Opt Out of Sale or Share – Employers should not only reassess their disclosure agreements with vendors but also ascertain whether their vendors are service providers, contractors or third parties under the CPRA, as disclosure of workforce member PI may be viewed as a "sale" under certain circumstances.
- Right to Limit Use and Disclosure of Sensitive PI – Employers should assess whether they are processing workforce member PI, including sensitive PI. For example, if an employer is processing sensitive PI (e.g., racial or ethnic origin) for diversity and inclusion purposes, it may be permitted under an exception. However, if an employer is processing sensitive PI for purposes of inferring characteristics of its workforce members and using artificial intelligence to assist with hiring, including using automated decision systems, this right may be triggered.
For B2B PI, businesses would have to provide the same rights as the rights to a consumer under the CCPA/CPRA, including but not limited to the right to know, right to delete, right to opt out of sale or share, and right to limit use and disclosure of sensitive PI. As we approach Jan. 1, businesses should start reviewing and updating their internal processes and procedures, including identifying the methods by which workforce member and B2B PI rights may be exercised (i.e., PEO portal, website, directly with human resources staff, etc.), to ensure that they are afforded the same rights as consumers under the CCPA.
Footnote
1. For purposes of this blog, references to "workforce member(s)" mean a natural person acting as a job applicant, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business. (See, Cal. Civ. Code §1798.145(m)(1)).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.