Employers Get Ready – CCPA Employee and B2B Exemptions End, Expanded Privacy Compliance Begins in 2023

Sameer Ahirrao -

What do organizations need to do with CPRA/CCPA compliance requirements coming into effect in Jan 2023?

On August 31, 2022, the California legislative session ended without extending the grace period, under the California Consumer Privacy Act (CCPA), for the employment and business-to-business data. Consequently, enterprises ought to initiate specific steps to comply with the CCPA / CPRA with regard to such data by January 1, 2023, when the California Privacy Rights Act (CPRA) amendments take effect. The current partial exceptions, which were proposed in 2019 as part of a set of amendments to the California Consumer Privacy Act (CCPA), were originally extended again until January 1, 2023, as part of the ballot initiative that enacted the CPRA.

CPRA shall be effective on Jan 01, 2023, for B2B and HR Personal Information, which mandate to the California Privacy regulations (CPRA).

CCPA Enforcement:

While CPRA and its regulations takes effect on January 1, 2023, the Agency’s enforcement of the provisions added or amended by the CPRA will not begin until July 1, 2023. Meantime, the provisions originally contained in the CCPA will remain in effect and enforceable by the California Attorney General.

Few Key Steps for Enterprises:

Enterprises should consider undertaking the following key steps, amongst others:

Data Inventory:

To kickstart, enterprises should prepare data inventories to ensure they have an accurate understanding of what information they are collecting / processing from employee / worker and B2B sources.

Update Data Processing Agreements (DPA’s):

Businesses may also need to revisit their contracts with vendors processing this previously exempted data, to incorporate the appropriate terms/clauses under CPRA and mitigate the risk.

Extend “Data Subject Rights” procedures to cover Employee & B2B Data, prepare for requests and consent management:

Enterprises should prepare to receive data subject requests from the employees and from B2B contacts including access and right to know, correction, and deletion rights, if not already included under the EU GDPR and / or other applicable global laws. Further, consent management shall also need to be addressed appropriately.

Privacy Notice:

The privacy notice should be updated, and this updated notice should consider the requirements enshrined under CCPA / CPRA, including the duration / period for which the enterprises want to retain each category of personal information.

Update Contracts:

Review Human Resources vendors and update contract terms with service providers and contractors to incorporate new required terms under CPRA and mitigate the risk.

Diving deep into the challenges emanating from the CPRA amendments:

Consumer or data subject rights have been gaining significant importance, and fulfillment of such rights brings its own unique challenges. Fulfillment of such rights is at the core of any “Privacy regulation/ law”, and is an essential ingredient of any successful privacy program. It’s a no-brainer that the enterprises ought to comply with the underlying/relevant “Privacy regulation/ law”. Nevertheless the enterprises ought to factor in the below mentioned challenges in the backdrop of the CCPA/CPRA amendments.

Employee/HR Personal information:

1) Employees may include active and former employees. One of the key challenges shall be to discover employee data at scale, in the backdrop of the voluminous and unstructured data and the different verification methods pertaining to the employees.

2) Employee data being highly sensitive in nature, will attract its own challenge in terms of fulfillment of data subject rights.

3) Former employee may request for deletion of his/her data/information. Discovery of this data is critical to enable toi comply with his/her request for deletion.

Business to Business information:

The challenges flowing from the applicability of amendments to the Business to Business information category are enumerated herein below:

1) Contractor/Vendor trying to understand why he/she was rejected and not allocated the contract.

2) Contractor/Vendor may request for the information as to why the contract was lost/terminated and not renewed.

Way forward:

Though, all the challenges may not be covered in this article and though the CPRA amendment is yet to be implemented, the following actionable can be summarized as a way forward in brief.

1) To undertake the data discovery of the underlying employee and B2B data.

2) To maintain and update the latest data inventory of employee data.

3) To classify, categorize and segregate the data/information.

4) To introduce and implement processes and technologies such as automation of fulfillment of data subject rights, data deletion etc.