Employee and B2B Data Covered by the CCPA

In what turned out to a be a busy August for data privacy, the California legislature did not pass bills AB2891 and AB2871. These bills would have extended the employee and B2B exemptions and made them indefinite. While some disclosures and rights are already afforded to employees and B2B data under the CCPA, additional rights, disclosures, contractual language and more will be applicable on January 1, 2023. The California legislature was likely comfortable with the CCPA coverage of employee and B2B data and was also focused on passing the California Age-Appropriate Design Code Act.  

There a few things businesses should focus on to ensure they are ready for these exemptions to expire:

Understand what employee and B2B data is processed:

We recommend engaging HR, Marketing, Procurement, and Sales stakeholders to understand what personal information is processed within the employment and B2B contexts. This conversation should focus around:

• What information is processed
• The purpose of processing
• How information is shared and with whom and for what purpose
• How long information is maintained
• Any legal obligations to maintain the information

Do not forget about the recruitment side of HR. This is where consumers and employees are likely to make right to know and right to be deleted requests, especially if they were not selected for a position.

Employee Rights:

Processes and procedures to honor consumer rights should already exist as part of your CCPA compliance and some of the knowledge base can be leveraged to honor access, deletion, correction, and sale/share opt-outs, however, the employee information will present its own nuances. Many businesses may already allow employees to update and correct information within the HRIS or through the HR team, but it’s likely this does not apply to all of the personal information processed within the employment context. Businesses will need to ensure they have steps to verify identity and honor these requests just as they have with consumers. There are several exemptions under the CCPA and it’s critical that businesses account for these when honoring these rights, specifically the right to be deleted exemptions like complying with a legal obligation or to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and compatible with the context in which the consumer provided the information. Sensitive information for employees and well as dependents should also be considered. It will take time to work through a practical sense, how these rights will be honored.

Disclosure Obligations:

While light disclosures to employees are applicable today, the inclusion of employment and B2B information under the CCPA in 2023 will greatly expand what must be disclosed. While in draft form, the CPRA outlines these disclosures and they are specific and numerous. Further, and more likely in the HR space, sensitive personal information disclosures are rights will come into play. The HR team may operate from an existing employee policy that makes some of these disclosures but sharing activities and the rights will need to be added to the policy. Regardless, this exercise will take some discovery and conversation with the applicable teams to make sure the robust disclosure requirements are accounted for and present.

In Summary:

The CCPA applies broadly to personal information and in the U.S. employee and B2B data has been largely exempt. This is no longer the case, businesses must ensure they have processes, procedures, and policies in place to meet disclosure requirements, access rights, anti-discrimination, sharing and limiting of sensitive information, opt-out of sale requirements, and much more. January 1, 2023 will be here before we know it and while the CPRA regulations are still in draft form, the time is now to get started on complying with these new information sets under the CCPA. Engage HR and business stakeholders and rely upon existing controls the privacy team has in place for other CCPA obligations to make it easier and to avoid reinventing the wheel.

Contact us at connect@compliancepoint.com if you have any questions about the CCPA or data privacy.