Your 5-Step Plan as Attorney General Announces CCPA Investigative Sweep
California employers, beware: the state’s top prosecutor just announced his office is conducting an investigative sweep of whether and how large California employers have complied with data privacy and consumer protection requirements as they relate to employees and job applicants. The July 14 announcement came just two weeks after a court put a hold on enforcement of the updated California Consumer Privacy Act (CCPA) regulations that became final in March, which may have lulled some businesses into a false sense of security. And while this recent initiative targets “large” employers – a vague reference in the AG’s announcement without further explanation – all businesses nationwide that are subject to the CCPA and have one or more employees in California should heed this warning.
Here is a summary of what happened and a five-step action plan for employers subject to this law.
1. Understand the scope: employees now have all the CCPA rights as other consumers under the law.
Your first step is understanding how far this law now ranges. See the GBS article “California Consumer Privacy Act (CCPA) Imposes Many New Compliance Requirements on Businesses With Personal Information on California Residents”. Comprehensive FAQs on the CCPA Will Guide You Through These Rules. While employees were always consumers under the CCPA, their rights at the inception of the law in January 2020 were limited. However, as of January 1, 2023, the CCPA provides all California residents – regardless of the context in which they interact with a covered business – with the exact same rights that other consumers under the CCPA would have related to data collected from or about them. This has nothing to do with your type of business (for example, whether you are a business-to-business operation interacting exclusively with other entities, such as manufacturers), nor does it have anything to do with whether you are in the business of selling data.
If your business triggers any of the criteria for the CCPA to apply (see the previous article “Does the California Consumer Privacy Act (CCPA) Apply to Your Business?”), then all of the following individuals are your “consumers” with full rights under the CCPA so long as they are California residents and you have any data about them:
- current and former employees;
- family members, dependents, beneficiaries, and emergency contacts of your current and former employees;
- job applicants; and
- independent contractors who are individuals providing services in their individual capacity.
Recognizing that your HR and recruiting teams are now at the epicenter of consumer privacy compliance is the first step to withstanding an AG investigation.
At its core, the CCPA is all about transparency. That is why one of the first things employers will be asked about in the event of an enforcement action or inquiry is whether you provided all your employees and applicants with the right notices and disclosures at the right time. See previous GBS article “California Consumer Privacy Act (CCPA) Covered Businesses Must Disclose Most Inferences Drawn from Consumers’ Personal Information”.
Employers subject to the CCPA should review all their privacy notices and policies and ensure they have been distributed properly. The following is not an exhaustive checklist, but can provide a starting point for an internal assessment:
- Do you provide a privacy notice to job applicants who are California residents at or before the point at which you collect any personal information?
- Have you updated your privacy notice since 2020? That is, since January 1, 2023, have you provided all your current employees who are California residents with a privacy notice that identifies all categories of data you will collect from or about them during their employment and all the purposes for which you will use or disclose the data?
- Do you have your privacy notice included in your onboarding documents for new employees who are California residents?
3. Implement an effective workflow to receive, respond to, and comply with CCPA requests from employees and job applicants.
Under the CCPA, California consumers (including employees and job applicants) may exercise certain rights in relation to their personal information – and employers have strict deadlines to respond to such requests.
For example, a California employee or job applicant has a right to know what personal information is collected about them, the right to access such information, the right to correct such information, and the right to delete such information (subject to certain exceptions, such as where the employer must retain the information for legal compliance or to defend against or prosecute legal claims). An employer has 10 business days to confirm receipt of such a request, and 45 calendar days to respond (which may be extended to 90 calendar days).
In addition, employees and job applicants can request to opt out of the selling of their data or the sharing of their data with third parties for purposes of targeted ads – and while most employers usually do not engage in selling or sharing of employee data in this manner, some do, and many are often surprised by what it actually means to sell or share data under the CCPA. (Hint: it is more than just disclosing data in exchange for money.)
Employees and job applicants also have a right to request that the employer limit the use or disclosure of certain data that the law defines as “sensitive,” but only where the employer is using or disclosing the sensitive data in certain ways. Businesses must respond to these requests within 15 business days. Read more about these obligations here.
It is critical that you implement a CCPA-compliant request process for employees and job applicants (in addition to other consumers). Your process should address all of these types of requests and enable you to respond by the statutory deadlines, as well as maintain a record of all requests and how you handled them for at least two years. When implementing such a process, there are two key points to keep in mind:
- You must implement at least two methods for CCPA requests (a toll-free number and an electronic method) and adhere to the strict response deadlines discussed above.
- You must implement a verification process to verify the identity of the person making requests to access, know, correct, or delete. (You are prohibited from verifying opt-out requests or requests to limit.)
4. Update your contracts with vendors that collect, process, store, or access employee or applicant data.
Employers often have contractual relationships with vendors that collect and use employee or applicant data – including for payroll operations, benefit administration, employment and salary verification, and other uses. But employers are the “stewards” of this information and therefore this puts the onus on you to ensure CCPA compliance as to that data. Consider that a third-party vendor’s improper use and storage of employee or applicant data can create potential liability for your business.
As the responsible party for this data, this requires you to exercise proper due diligence on your vendors to ensure their data usage complies with the CCPA, including the requirement to use “reasonable security measures.” In addition to exercising due diligence and asking the right questions when selecting a reputable vendor, you want to ensure your contract has strong language to address potential issues. Most significant of these include clearly articulating the scope of acceptable data use and deletion requirements.
The AG will likely seek to hold you liable as the “information stewards” for violations by your vendors, so reviewing your contracts with vendors is a critically important part of avoiding or reducing potential liability. The AG will also be looking to whether you have updated contracts with your vendors to include specific terms required by the statutory changes to the CCPA that took effect this past January 1.
5. If you receive a letter from the AG, do not panic! Call your privacy attorney.
The AG announced his office will initiate this investigative sweep by sending inquiry letters to large California employers and then scrutinizing their response. Receiving such a letter can be a scary proposition. But don’t panic!
An employment attorney, such as the GBS + Leavitt Group preferred partner for employment law Fisher Phillips, can help you assess your current state of CCPA compliance and respond to any inquiry in a manner that best protects your business. And if your review of the key takeaways above illustrates you still have some work to do, we can assist with that as well by connecting you to Fisher Phillips.
The AG’s investigation is meant to serve as a strong reminder to employers that, while there was a reprieve for the first three years of the CCPA’s existence as to employee and job applicant data, that grace period has ended. It is important that businesses expand their CCPA compliance efforts to fully include employees and job applicants who are California residents within their scope. See the previous GBS article “Proposed CCPA Regulations Set to Take Effect As Soon as April – The Time to Get Into Compliance is Now”.