July 24, 2024
Why CCPA Compliance Matters to HR
CCPA compliance isn't just the responsibility of marketing and eCommerce teams. Since the employee-data exemption has expired, HR heads should take notice.

Since it was passed in 2018, the California Consumer Privacy Act (CCPA) has been seen as mainly an issue for marketing and eCommerce teams—i.e., people who deal with customers and website visitors. Even though they handle large volumes of personal information, human resources departments were spared many of the privacy law’s requirements because they deal exclusively with internal data from job applicants, employees, and contractors.

That changed on January 1, 2023, when the CCPA’s long-standing exemption for employment-related data expired. Now, applicants, employees, and contractors are treated exactly the same as any other consumers.

Privacy Disclosures for Applicants and Employees

Privacy disclosures are central to CCPA compliance, and after the employee-data exemption expired in 2023, these disclosures expanded significantly for HR departments.

Here’s some of the information that must now be disclosed:

  • Categories of personal information processed and the purposes for processing it
  • Categories of “sensitive personal information” being collected and processed
  • The period of time each category of personal information will be retained
  • The categories of third parties to whom the personal information is disclosed
  • Whether the business is using their personal information in a way that could be considered “selling” or “sharing”
  • A description of their privacy rights as well as instructions on how to exercise those rights

Job applications and employee agreements must be updated to include the new disclosures, but it’s not as simple as copying and pasting boilerplate language from a generic privacy policy.

Businesses should first create a data map in order to understand their own information practices (i.e., where personal data is collected, how it’s used, and who else may have access), and potentially make policy changes to bring those practices in line with the law.

Contractors

Independent contractors make up a significant part of the workforce for some businesses. To the extent that a business is collecting and processing individuals’ personal information, the CCPA does not distinguish between contractors and employees. Accordingly, businesses will need to make full privacy disclosures to any contractors they hire, just as they would with employees.

However, if the contractors are receiving personal information as part of their job, there is also a contractual requirement that must be met. They need to have a written contract with the business that does the following:

  • Specifies that the personal information is being disclosed by the business only for limited and specified purposes
  • Obligates the contractor to comply with the CCPA and provide the same level of privacy
  • Grants the business the right to take reasonable and appropriate steps to help ensure that the contractor is using the data in a compliant manner
  • Requires the contractor to notify the business if they determine that they can no longer meet their CCPA obligations
  • Grants the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information

Fortunately, this requirement should be relatively simple for businesses to meet. They will just need to draft an agreement containing the necessary language for any contractors they hire.

CCPA Privacy Requests for Employees

Because job applicants, employees, and contractors are treated the same as any other consumer, they have the same privacy rights as other consumers. This means businesses are likely to receive privacy requests from those individuals, which may present special challenges.

  • Request to Know - A request to know is probably the trickiest CCPA request for employers. Employers tend to have large amounts of personal information about their employees. It may be mixed together with personal information from other people (which needs to be redacted), or it might contain awkward information like performance reviews. Because a request to know from an applicant, employee, or contractor has a significant chance of being a precursor to litigation, it is probably best to consult with an attorney throughout the process.
  • Request to Delete - Individuals may request the deletion of employment-related personal information, but businesses may still retain the data for certain reasons (such as to comply with a legal obligation or to enable solely internal uses). Because of these exceptions, businesses are unlikely to be required to delete much of the data they hold about workers.
  • Request to Opt-Out - It is unusual for a business to sell employment-related personal information or use it for behavioral advertising, but if it does then it must honor opt-out requests.
  • Request to Correct Inaccuracies - Businesses must correct inaccurate personal information upon request. They generally have an interest in maintaining accurate information about their workers, so these requests should not be an imposition.
  • Request to Limit - Consumers can request that businesses limit the use and disclosure of “sensitive personal information.” Categories of sensitive personal information include social security numbers, biometric data, and race or ethnicity data—the kind of information that HR departments regularly collect. However, there are numerous exceptions to this right, and if businesses restrict their use of sensitive personal information to what is necessary for limited purposes, they may not have to offer this request type.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
