After more than a year of remote work during the coronavirus pandemic, and with vaccines being more widely available, many businesses are now at a crossroads: Should they move their employees back to the office or continue working from home? Of course there are many considerations to take into account — everything from data security measures to how it changes the work environment — but for those businesses that fall under the requirements of the California Consumer Privacy Act (CCPA), one of those considerations should be how working from home affects CCPA compliance.
The CCPA gives consumers more control over and access to the personal information that businesses collect about them. It also defines “consumers” very broadly. According to the CCPA, a consumer is simply limited exemption for personal information collected in the course of employment.
CCPA compliance has two main branches: (1) making the required disclosures about how personal information is collected and used, and (2) responding to consumers’ privacy requests. Employment-related data is exempted from the second branch, meaning employees cannot make privacy requests regarding their personal information. This is likely because extending full CCPA consumer rights to employees could cause significant disruption (allowing them to request the deletion of all their information from company records, for example). However, businesses are still required to make privacy disclosures to employees. Namely, they must be told what personal information is being collected about them and for what purpose. They also still have a private right of action against the business if their personal information is compromised during a cybersecurity breach.
This exemption is a temporary provision that was added by the legislature before the law went into effect. The California Privacy Rights Act (CPRA), which made significant changes to the CCPA, extended the exemption until January 1, 2023. It may be further extended, made permanent, or allowed to expire at that time.
Because employees are not completely exempted from the CCPA requirements, businesses that have implemented any kind of remote work plan should examine their personal data collection practices. Ideally, if a business is covered by the CCPA it should already be disclosing to employees what personal information it collects about them and for what purpose; now they must determine if remote work technologies are capturing any consumer data that was not covered by the original disclosure.
For example, video conferencing is potentially a type of data collection. It may be covered by the original disclosure, but other technology such as productivity-tracking software, especially if installed on the employee’s personal computer, may not be. Some companies are now tracking their workers’ geolocation data, which would need to be disclosed. Businesses must make a list of all new technologies that have been deployed in support of remote work, and then check the data collection by these products against the original employee disclosures. If there is any additional information that must be included, it is just a matter of updating those disclosures.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
