Staying in the Clear: Employee and B2B Data Obligations in CCPA
Focus and Context
The California Consumer Privacy Act (“CCPA”) and its proposed amendment, the California Privacy Rights Act (“CPRA”), are consumer-focused legislation. CCPA provides for two exemptions, one for employee personal information and another for business-to-business organizations (“B2B exemption”), thus leaving holes to be filled by future employee- and B2B-focused legislation. The exemptions were recently extended from January 1, 2021, to January 1, 2022, with AB 1281 becoming law. If Californians pass the CPRA in November, the exemptions will last until January 1, 2023. The exemptions apply to California employees and to businesses that employ Californians.
The fundamental consumer rights bestowed by CCPA include the right to notice, know, portability, deletion, and opt-out of the use and sale of Personal Information. CPRA would expand the definition of selling to include sharing, giving consumers the right to limit how companies share their data. Consumers will also have the right to correct inaccurate information.
Under CCPA
While the CCPA exempts employers from most of the protections provided in the law, two areas of compliance require action: (1) providing notice at collection, and (2) maintaining reasonable safeguards for personal information. The CCPA exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.
The CCPA also exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.
Providing Notice at Collection
A business must provide a California employee with notice, in a privacy notice, before or at the time of data collection, stating the specific personal information it is collecting and the purpose for which it will be used.
Reasonable Safeguards for Personal Information
The reasonable safeguards requirement is driven by the private right of action now present in the CCPA, which applies when a breach of a defined subset of personal information is caused by a company’s failure to maintain reasonable safeguards, subject to a 30-day cure period. Employers should carefully review what constitutes personal information in that subset.
Personal information subset:
An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social security number,
- Driver’s license number, California identification card number, and government identifiers (i.e. tax identification number, passport number, military identification number),
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account,
- Medical information,
- Health insurance information, and
- Biometric identifiers.
Data mapping of the personal data being retained is one of the starting points in CCPA compliance. Proper data mapping will allow companies to know what information they hold about employees. Beyond traditional identifiers, companies may also be collecting information on job applicants, benefits, professional or employment-related information, internet activity, geolocation, protected classifications, and disabilities. The CCPA’s definition of “consumer” includes employees, so losing employee personal information in a data breach could result in employees recovering statutory damages ranging from $100-$750 per incident or their actual damages, whichever amount is greater. Civ. Code § 1798.150(a)(1).
Employee Data Exceptions
CCPA/CPRA prohibits retaliation against job applicants, employees, and independent contractors who exercise their right to opt out or other rights. However, data from such parties is exempt under CCPA/CPRA rules to the extent that businesses are only using the information within a business context. Companies can use personal information for emergencies and administrative purposes. With respect to the right to delete, the CCPA exempts companies from having to delete personal information that must be retained for legal and regulatory reasons.
B2B Exemption
Businesses must comply if they:
- Have gross annual revenues of $25 million or more;
- Have data on 50,000 or more individuals, households, or devices; or
- Earn more than half their annual revenue from selling consumers’ personal information.
Businesses need to ensure that third parties handling employee information are complying with CCPA requirements. Companies need to keep track of all vendor partnerships and where personal data is being shared. Communications and transactions which “occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from” are currently exempt until January 1, 2022, meaning business communications are likely exempt for the time being. Businesses must still allow individuals to opt out of the sale of their information, ensure that individuals who opt out are not discriminated against, and promptly inform individuals of a data breach.
Assembly Bill No. 1281
This bill would extend the CCPA exemption on employee personal information until January 1, 2022. This bill, signed into law by California Governor Gavin Newsom on September 29, is contingent upon voters not approving the CPRA ballot proposition at the November 3, 2020, statewide general election. Governor Newsom also extended the B2B exemption. If, as predicted, the CPRA passes, this bill will become void.
Under CPRA
If passed, CPRA will extend the employee data and business-to-business exemptions until January 1, 2023, as a placeholder for a separate employee and business data law still to come. CPRA prohibits retaliation against job applicants, employees, and independent contractors who exercise their right to opt out or other rights. However, data from such parties is exempt under CPRA rules to the extent that businesses are only using the information within a business context.
Other Regulations
At this time there does not appear to be any regulation being considered to cover employee data and business-to-business data.
Conclusion
The CPRA is slated to win voter approval, extending the exemptions until January 1, 2023. If not, the exemptions will remain until January 1, 2022. Until then, individuals and businesses must wait and see what regulation comes to light to fill the void left by the CCPA and its extensions. Additionally, businesses must ensure they are following the two requirements listed in the CCPA. The pandemic has led companies to potentially collect even more sensitive data, such as temperature and health information. It is vital to make sure all such personal information is properly protected. Companies should regularly review their privacy practices to ensure their systems are effective and up to date. If no specific legislation comes before the exemptions expire, California employees will be covered by the full extent of the act. It would be best practice to track employee data and B2B data in the same manner as consumer data in order to prepare for future regulations.
Ardent Value Proposition
This article only touches the surface of the CCPA; thus, businesses should further research the context of their business concerning the proposed law. The crucial first step of data security compliance is knowing what data you have, then identifying the sensitive data and information assets that require protection under the law. Additionally, review your website and conduct a data audit to know what employee data you have.
Ardent Privacy’s solution provides safeguards for personal information via data risk assessments and automated mapping, identification, and inventory of data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability. Visit http://www.ardentprivacy.com/ or email advisor at ardentsec.com for a consultation.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/ and for more resources here.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.