Procopio Perspectives

CCPA 2.0: What Companies Need to Know About the CPRA and Expiring Exemptions for Employee-Related and Business to Business Data

Episode Summary

The California Consumer Privacy Act (CCPA) will see significant amendments go into effect on January 1, 2023, including the expiration of exemptions in place since the law’s inception for employee-related and business-to-business data.

Episode Notes

This will be a big change for all businesses, but particularly for B2B companies.  This session will provide an overview of the new requirements under the California Privacy Rights Act (CPRA) with a focus on the expiring exemptions and what companies need to do to extend their CCPA compliance programs.

Episode Transcription

December 7, 2022

Narrator:                             [00:07] Welcome to Procopio Perspectives, a podcast featuring award-winning corporate and litigation attorneys providing useful legal insights on the latest issues of the day. Now here's your host.

Elaine Harwell:                  [00:20] Hi everyone, my name is Elaine Harwell. I am a data privacy attorney at Procopio. I lead Procopio's privacy and cybersecurity group, as well as serve as the firm's privacy officer, and I'm here with my colleague Travis. Travis, I'll let you introduce yourself.

Travis Jang-Bus...:            [00:35] Hi everyone, my name's Travis Jang-Busby, and I am a partner in our labor and employment group focusing primarily on wage and hour class actions and personnel issues.

Elaine Harwell:                  [00:46] Excellent, and we're here today to talk a little bit about what's going on with respect to California privacy laws, specifically the California Consumer Privacy Act, what we know as the CCPA. As I think most people know by now, the CCPA is a comprehensive data privacy law that impacts for-profit businesses that collect information, personal information about California residents and consumers. It's been in effect since 2020, and in that same year, California voters actually amended the CCPA, what we call the California Privacy Rights Act, or the CPRA. That law will go into, I should say the amendments to the CCPA will go into effect as of January 1, 2023.

                                                [01:32] What we're here really to talk about today is the expiration of some exemptions that have really been in place since inception of this law, and that is the exemption for HR data, as well as B2B data, so B2B contact data is generally what we're talking about there. Those exemptions have been in place and really allowed a lot of companies that are B2B companies to not pay a whole lot of attention to the CCPA. 

[02:01] But now that we have these exemptions expiring, I think that probably the biggest impact is one, going to be to any company that's covered by the CCPA, but particularly those that are B2B companies. So what we're, I think, going to just talk about today with respect to that is kind of the intersection with employment laws. So I'm excited to be here today with Travis to talk about that and how we are going to see some changes as of January 1.

                                                [02:30] So I think maybe it makes sense just to start out talking about what some of the consumer rights are under the CCPA, because I think that this is what we're generally going to be talking about, right? So with the expiration of the HR exemption, what that means is that any data that was used only and solely for HR purposes, which was previously exempt, will now be part of the law, and that means that your employees will be able to make requests under the CCPA as a consumer, and making requests means that the consumer or the employee will have a right to access or know what data is collected about them by the business. They'll have a right to request deletion, with certain exceptions. They'll have a right to correct information under the law, as well as some rights to limit and restrict the sale of personal information, and the use of any sensitive personal information.

                                                [03:30] So this really was a law, the CCPA, that was written in the context of a consumer rights law. It was not initially intended to cover employee information, or B2B contact information, for that matter, so it is a little bit different when we think about the application of these rights to an employee and in that context. So what I was kind of thinking about that we would do is to kind of just, one, get a sense of what California law says in the employment context that may sort of intersect with these rights that are available to consumers under the CCPA. So Travis, I think this is where I'll drag you in and let you kind of just give us your brief update, or kind of give us a brief overview from your perspective as to, one, how some of these rights might intersect with the rights under the CCPA, and what that might mean for employers?

Travis Jang-Bus...:            [04:23] Yeah, I'm happy to provide my thoughts. I guess my first question back, Elaine, is how did this happen? Why are employers now subject to this mandate?

Elaine Harwell:                  [04:31] Yeah, that's a good question. So we previously had amendments to the law that were put in place by the legislature. This legislative session actually dates back to prior year. The legislators, along with some labor rights activists, were trying to put into place and have some new laws pertaining to how employee privacy would work and how privacy laws would operate with respect to employees. Unfortunately, those negotiations didn't pan out, and so the effort then became to try to extend these exemptions that were in place with the CCPA. That went on, I think, until the very last minute. There were 11th-hour efforts to try to extend these exemptions, but unfortunately those failed, and there was no new law passed that pertained to employee privacy rights, and there was no extension to these exemptions under the law.

                                                [05:24] So by operative effect of the CPRA, those exemptions are going to sunset January 1, and employee data and B2B data will be considered part of personal information that's considered part of the law, and employers who collect this type of information and are subject to the CCPA, but maybe don't collect a lot of consumer data, are now going to have to pay attention to the CCPA for purposes of providing their employees and also any B2B contacts with the rights that they're now due under the CCPA.

Travis Jang-Bus...:            [05:57] Wow. That reminds me of the old adage, "The opposite of progress is Congress." This is in no way a political statement, but it certainly puts our businesses in a very tough spot, applying a law that really isn't geared towards employers, to our employing businesses. It's very much a square peg and round hole scenario. One of the first things that comes to mind as it relates to how this law intersects with existing employment laws is the extent to which it requires training, which is interesting, because it's a new facet of training for potentially people in HR. As I understand it, just a couple of people need to be designated as their recipients of these requests, is that right, Elaine?

Elaine Harwell:                  [06:43] Yeah, so I think the requirements under the CCPA at least are with respect to anybody who handles any CCPA requests, incoming requests, or is expected to implement the CCPA, there's a requirement that those individuals be trained on the CCPA, presumably to allow them to understand how they should be executing those rights on behalf of the either employees or whoever comes to them requesting to make a request underneath the CCPA.

Travis Jang-Bus...:            [07:10] That's very interesting, because potentially that could be your HR representatives and specialists, who now on top of sexual harassment training and wage and hour training may have to undertake CCPA training, which is completely foreign, or was foreign to myself and largely others in the personnel management industry. So it's likely that HR professionals will receive some sort of request that falls under the CCPA, so it'll be interesting to see how that evolves.

Elaine Harwell:                  [07:38] I think that's right, I think you have to expect that your HR professionals are potentially going to be receiving requests from employees pursuant to the CCPA. I mean, what we've seen happen in other jurisdictions where employee data is part of general comprehensive data privacy laws, for example in the EU under the GDPR, is a use by employees who either want to get a leg up on their employment claims, or they potentially have an employment claim coming against their employer. These laws like the CCPA and the rights that are afforded to consumers under it, I think really is much broader than what you see under California law currently with respect to what a potential litigant could get, right?

                                                [08:20] I think when we talk about the right to access data and the ability to access personal information that the company holds on you, it really encompasses things that could be as broad as just emails that are sent internally that might have personal information about that employee. So I think that we have to think about this in a much broader way, and that's probably going to be a sea change for most employers.

Travis Jang-Bus...:            [08:44] Absolutely, I think you have to change the paradigm completely as to what becomes relevant. And that actually brings me to the next overlapping point is record keeping, because I think the traditional sense of personnel records is an employee file with some basic data, maybe some progress reports, things of that nature. It seems like the CCPA really turns that definition on its head. And so in the personnel records context, what is protected information? Do you have any thoughts there?

Elaine Harwell:                  [09:18] Yeah, so personal information under the CCPA is quite broad, right? So you look at the 11 categories of data that are a part of the CCPA, and it's not just going to be your strict identifiers, for example, government ID numbers like your Social Security number, but it's also going to be things like information that could potentially be used to profile a person. So if a company is using third-party tools to try to understand what type of employees that they have a little bit better, how they might perform under certain situations, what tasks they might be particularly good at, those types of, if you will, assumptions about that employee, are going to be considered personal information subject to the CCPA potentially, unless that there is an exception or exemption that applies.

Travis Jang-Bus...:            [10:03] Wow, that's almost incomprehensible, given the amount of data and personal information that could potentially be generated just on a daily basis.

Elaine Harwell:                  [10:11] And let me ask you this, if in the context of outside the CCPA an employee asks for a copy of their records, what would they be entitled to under California employment laws?

Travis Jang-Bus...:            [10:21] Yeah, so under California employment laws, they're entitled to a copy of their personnel file once a year, they can make the request. And the definition of "Personnel file" is somewhat vague, but it typically means onboarding documents and things that were assigned throughout the employment relationship, but it could also include payroll records, as well as timecards or time records. So it's a relatively limited set of information that you would respond to if an employee made the request, so this new obligation is much broader, depending on how these personnel records are defined or how they fit in within PI, which brings up the concerns about record retention requirement, right? Under the California Labor Code, employers really only have to maintain some records between three and four years, but now if employees can request that their personal information be deleted, that clearly conflicts with existing California law.

Elaine Harwell:                  [11:16] Yep, and I think that when we think about the right to delete, there are a lot of exceptions that will or potentially could apply, and I think in this context, when we're talking about responding to an employee's right to delete or request under the CCPA, we'd have to really look very carefully, I think, at those exceptions to see whether or not any of them apply. And the example that you gave with respect to legal obligations to maintain information, that will be an exception under the CCPA all day long. So if an employee asked to have a record deleted, but the company has a legal obligation to keep it, then that would fall under an exception and the company could then deny the request on that basis.

                                                [11:57] In responding to that employee, the employer would need to let that employee know what the result is of their request, i.e. that they're going to deny it, and their basis for doing so, so they would need to be able to make sure that they can cite to the proper legal basis for maintaining that information, if that's the case. But I will say this also raises the issue of what we talk about in data privacy quite often, which is data minimization, not keeping records for longer than you have to or that you need to.

                                                [12:24] And I think this brings up something that I think a lot of companies ignore a lot of times, and that is record retention policies and making sure that documents that are set to be on that destruction path are indeed on that destruction path. Because if you have that information and you get a request either to access that information or to correct it, if you're still holding that, then the company may have an obligation to actually provide that information back over to the employee in an access request, or correct it if they're still maintaining that information. So it's one of those things that I think the company, one, not only to know and understand what information you have about your employees and making sure you have a good inventory of that, but also making sure that your record retention policies are up-to-date and that you have implemented those policies in such a way that when information is no longer needed, it is in fact destroyed or gotten rid of.

Travis Jang-Bus...:            [13:18] Yeah, that's an interesting point. I think one of the things that we in California deal with on the employment side is constant lawsuits, so I wonder whether or not employers facing like a deletion request in the absence of any stated litigation could still make the claim that because California is so litigious and they could be hit with a class action or an individual case at any time, whether they have to preserve those records in anticipation of deletion, and maybe that's something we don't know to date, and maybe that's something that will be addressed later, but certainly highlights the conflicting policies at play here.

Elaine Harwell:                  [13:54] Yeah, and I think when we think about whether or not there's a basis to maintain certain information, the potential for litigation, or the need of the company to defend itself in litigation, I think is a factor that the company can consider and potentially maintain records in that regard. If there is a reason or if there are reasons to believe that that employee is preparing to institute litigation against that company, you may have a basis to maintain that information even beyond any other potential requirements to maintain that information. So that is certainly, I think, something to look at and to pay attention to.

Travis Jang-Bus...:            [14:30] And so on the litigation front as well, California employers are very weary, and also aware of lawsuits. They deal with them in multiple forms, from class actions to qui tam PAGA actions, to individual harassment and discrimination actions. I'm curious as to what you see will be the next frontier of litigation as it relates to the CCPA, if it's something that will create new avenues for plaintiff's attorneys, or if it's something that they may not seize on?

Elaine Harwell:                  [15:02] Yeah, so the CCPA does have a limited private right of action, limited with respect to if the company has a data breach and the company failed to properly secure the information in the first place, they could be subject to liability under the CCPA. That's really the only place where we've seen litigation succeed so far in terms of where we're at. That's the way the law was written and the way it was designed. Now, I know there are other types of litigation here in California, like you mentioned PAGA and qui tam cases. I don't know if those are going to potentially become an avenue later. I think there would have to be some legislative action in order for that to happen. Does that happen in a very litigious place like California? Potentially, but I think for at least right now, we won't see that type of litigation succeed.

                                                [15:53] Now, can people bring those cases? Yes, you can sue anybody for anything, but for the most part, the courts have been pretty consistent about dismissing those cases that are clearly outside of what the private right of action was intended to do and to bring in California. So where that goes down the road, I guess is anyone's guess, and what the legislative body can do in California at some later point in time is anyone's guess, really. But I think for right now, for the foreseeable future, we probably don't have to worry about those types of potential class actions. I think employers have enough to worry about on that front.

Travis Jang-Bus...:            [16:21] Yeah, that's good news for now, although the way the legislature has been enforcing laws that previously could not be pursued by individuals is a bit troublesome. I guess we'll just have to wait and see where it goes. So the other thing that I think is relevant here is just the fact that HR departments and people who deal with employees need to be cognizant of the fact that employees have the same rights that have applied to consumers since 2020. They're not treated any differently, are they?

Elaine Harwell:                  [16:53] Yeah, I mean, it remains to be seen what's going to happen. So one of the things that we may see, and some people may know this already, but our new California privacy regulator has been publishing regulations recently. They've been limited so far in terms of the topics that we've seen, but we anticipate there are going to be more that are coming out. One of the things that I wonder is whether or not we'll see regulations around how companies should implement the law with respect to employee and B2B data. I anticipate that we may see that. I think the CCPA, the privacy regulator, certainly would like to do that. They have a lot of tasks on their plate that they need to complete right now, but I think that this is a really important one for companies. It's not very clear how some of the CCPA rules and law is going to apply in the employee context.

                                                [17:45] I think that we will start to see potentially plaintiffs, and plaintiff's attorneys in particular, who are quite savvy in the area of privacy, utilizing the CCPA as a litigation tool in order to potentially get more information than they would otherwise be entitled to, and we may see that tested out in court, and I think that that likely would probably be a good thing, to give us a little bit more guidance and give companies a little bit more guidance as to how they're going to have to respond to some of these requests when they come in.

                                                [18:13] Right now, a lot of my recommendations are going to be around taking it on a case by case basis, because each one of these requests that comes from an employee is probably going to be unique, both with respect to the type of data that might be collected about that person, and also just in terms of what type of data might be responsive to a request. I think one of the things that we can all kind of put our saving graces on, I guess, a little bit, is that data that, in my view, that was not considered strictly for HR purposes, so data collected for HR purposes is really what we're talking about under the exemption that existed, that's what's expired.

                                                [18:50] If companies were doing things like collecting information in order to be able to share it with third parties so that they could market to their employees in particular, that type of behavior, in my view, has always already been part of the CCPA, and if an employee acting in a consumer capacity were to make a request, the company would need to respond with respect to that type of the use of the information. So what we're really talking about here is this information that has been previously considered solely collected and used for the purpose of HR, in terms of being able to pay your employees, being able to provide them benefits, so the traditional uses of that data. So I think that that might be one way to think about this and not quite go into the panic mode just yet, I think.

Travis Jang-Bus...:            [19:36] Not yet, at least.

Elaine Harwell:                  [19:38] Yeah. And with respect to the right to delete, I mentioned a couple of times that there are exceptions around that, and I also note that the right to delete itself applies to personal information that's actually collected from the individual. So information, I guess maybe it's questionable or maybe there are questions around it as to whether or not things like a reference check or performance evaluations, things like that that maybe weren't collected directly from the employee, would be potentially subject to a right to delete, and I think the answer to that might be no, that you could deny a request to delete those types of files.

Travis Jang-Bus...:            [20:17] Yeah, that's an interesting point. I think this is going to be a very granular and nuanced discussion going forward. Seems like we're very much in the infancy as it relates to this and its impact on the employers. It's obvious that this was exempted, or employers were exempted from this law for a reason, in that it really doesn't quite fit the employment scheme, but now that it's here, we have to deal with it.

Elaine Harwell:                  [20:38] Yeah, and I think maybe just in closing, just to kind of give a few tips on the way out here, one of the things that I'll mention is that companies now that have really not ever had to pay attention to the CCPA, are going to have to revisit their notice disclosures. So if you've been subject to the CCPA, you previously had to provide a notice to your employees about the collection and use of their data, that notice is going to need to be updated in preparation for the effective date of the law in January. It will look more like your standard privacy policies that you see now that are CCPA, are responsive to the CCPA that provide a lot more information about how the data is used, where it's shared, and what now are the rights that employees have under this law with respect to that information.

                                                [21:25] The other thing I'll mention too is that companies are now going to have to probably want to get in place their consumer rights response program to make sure that they're ready to receive any of these requests that might come in from employees as of January 1. There is a time period within which to respond, so 45 days to respond, and then an extension of, a potential extension of 45 days on top of that, to make it a total of 90. But you don't want to be caught flat-footed, and you also need to make sure you know where all that data is located within the organization so that you can actually collect that and determine what types of, if any, exemptions might apply such that you don't have to respond, or can deny a request on that front. Any closing thoughts from you, Travis?

Travis Jang-Bus...:            [22:08] No, I think it'll just be interesting to see where this goes. I think it's very important to keep your counsel abreast of what's going on at your organization and confer with them to avoid the many technicalities that we see in this law, and in other laws that might overlap with this. So my final thought is good luck. It's going to be an interesting new world for our HR and employment personnel.

Elaine Harwell:                  [22:32] Right. All right, thanks everyone for joining us, and we'll see you next time.

Narrator:                             [22:39] We hope you enjoyed this Procopio Perspectives podcast. Please subscribe if you haven't already, and visit procopio.com to learn more about Procopio. Thank you for listening.