Employers who do business in California—take note! You may have additional obligations in a few short months and the cost of non-compliance is significant.
What happened?
On August 31, 2022, the California Legislature concluded its 2022 session and failed to extend a previous exemption that prevented employment data from being subject to the California Consumer Privacy Act (CCPA). As of January 1, 2023, employers subject to the CCPA must comply with its data privacy requirements for employment and job applicant data. The CCPA has a 12-month lookback period, which means the new obligations will also apply to such data already collected in 2022. It is important for businesses to determine if they are covered and, if so, to take action promptly.
Are you subject to the CCPA as of January 1, 2023?
Employers that are for-profit, do business in California, and meet one of the three thresholds below are subject to the CCPA’s requirements:
- Has an annual gross revenue of over $25 million;
- Buys, sells, or shares the personal information of at least 100,000 California residents or households; OR
- Derives at least 50% of its annual revenue from selling or sharing California residents’ personal information.
Covered employers should take the following four steps:
CCPA-covered employers should complete the following action items to make sure they are ready to comply with the new regulations in 2023:
1. Take an Inventory of Employment and Job Applicant Data
It is important for employers to understand what employee and job applicant information they collect, how it is collected, how it is used or shared, how long it is kept, where it is stored internally, and whether it is being sold. This information will guide what is disclosed in the updated employee privacy notice, help determine which third parties need to enter into new data processing agreements, and assist in responding to data subject requests from employees and job applicants.
2. Update Employee Privacy Notice
While employers were previously required to provide employees a privacy notice under the CCPA, beginning in 2023 the notices must include additional information, among other requirements. Employers must identify in these notices how long personal information will be kept, the categories of sensitive personal information (as defined in the statute) being collected, and whether personal information is sold to third parties.
3. Prepare to Respond to Data Subject Requests from Employees and Job Applicants
California employees, job applicants, and independent contractors will now have the same rights as California consumers under the CCPA and will be able to submit requests to know, delete, opt out of the sale of, and correct their personal information, and to limit the use of sensitive personal information. Employers will need to develop internal processes to receive and properly respond to these requests, and to do so within the required timelines.
4. Enter into Data Processing Agreements with Third Parties That Receive Employment Data
Employers must enter into agreements with third parties that act as service providers or contractors and with whom the employer is sharing employment and applicant data. These service providers include, for example, any third party that assists with benefits management or payroll. The agreements should contain certain restrictions on the third party’s use of the personal information as required in the law.
Employers who fail to satisfy their CCPA obligations can be subject to fines of not more than $2,500 for each violation (e.g., each failure to provide a proper employee notice) or $7,500 for each intentional violation.
If you or your business need guidance in determining if you are an employer subject to CCPA, navigating compliance requirements, or creating or updating internal policies to comply with the CCPA, Godfrey & Kahn’s attorneys are ready to assist. We have devoted Labor & Employment and Data Privacy & Cybersecurity practice groups who routinely assist clients with these and other similar issues.