It’s January 2020. Thousands of businesses just completed the mad dash to meet the California Consumer Privacy Act’s (CCPA) requirements. Unfortunately, now is not the time to take a breather if you have employees in California or plan to hire any in the next two years.
CCPA and How it Applies
As a refresher, the CCPA went into effect on January 1, 2020, and requires a business to make various disclosures to California residents about the types of personal data it collects. The law also gives consumers specific rights regarding their personal data.
While much of the discussion and preparation for CCPA has centered on traditional consumer and customer data, prospective and current employees who live in California must also be considered. In fact, considering California employees is critical due to the type of highly sensitive information provided during the application and onboarding process, including birthdates, ethnicities, and/or Social Security numbers. Fortunately for employers, section 1798.145(h)(1)(A) specifically exempts all job applicants and employees from CCPA’s requirements for one year.
Under the CCPA’s One-Year Reprieve You Still Have Employment Obligations Now
Upon first glance, this so-called “sunset provision” gives HR and hiring departments some welcome breathing room in the rush to CCPA compliance. However, buried in the text of the law, is an exception to the exemption: Employee information is exempt from most of the CCPA, but there are two specific exceptions to this exemption.
- First, the business must give CCPA point-of-collection disclosures to applicants and employees, notwithstanding the exemption. So, right now, when a prospective employee applies for a job or you collect information from a current employee (either of whom reside in California), you must make basic disclosures regarding what information you are collecting and how you will use that information. You must make those disclosures “at or before” the time the employee or applicant submits his or her personal information.
- Second, as of now, you must inform applicants or employees if there is a data breach involving their personal information. And, perhaps more importantly, the applicant or employee has a private right of action to bring a claim against you for that data breach.
What Does This Mean for California Employers in 2020?
It means that you already have obligations under the CCPA (if you are a covered business) to make disclosures and follow data breach protocols. But it also means that, despite the one-year exemption, your work doesn’t stop there. First, you need to make the point of collection disclosures now. Second, you need to prepare for next year’s obligations. On January 1, 2021, applicant data will be subject to every relevant provision and requirement in the CCPA. So, while you prepare for this interim period, do so with an eye on 2021 and full compliance. Don’t get caught unprepared or without a plan for full implementation. Your current and future employees will thank you.