If your business either has physical operations in California or does business in the state that involves the personal information of California residents, the California Consumer Privacy Act (CCPA) will affect you.
When it comes to employment-related personal information in the realm of human resources and recruitment, the CCPA's reach is currently more limited for HR than for general business. However, it still sets forth requirements for HR contexts.
Those HR limitations are also set to expire at the end of 2020, at which point the more robust rights the CCPA gives consumers will apply to HR data subjects as well, unless a further amendment extends the limitation.
In everyday terms, you have a bit of a breather compared with other functions when it comes to CCPA in HR – but:
1) Your HR work is still impacted to a degree
2) CCPA will start to impact you more from the end of 2020 onwards.
So, to find out what you do need to worry about, we got in touch with BakerHostetler consumer data protection lawyer Alan L. Friel, who brings decades of consumer law experience to the table.
Mr. Friel spoke at length in a Workable webinar on this very topic on Wednesday, February 19.
The way Mr. Friel puts it, there are only two major provisions you need to be aware of in HR for 2020:
The pre-collection notice
The private right of action for data security breach.
But again, that doesn’t mean you can sleep at night without worry. You still need to stay on top of five major aspects of CCPA in HR to stay on the compliant side of the tracks:
1. Provide pre-collection notice
To be clear: this applies to all information you’re collecting in an HR context, including from job applicants and existing employees.
The CCPA requires that businesses that collect a California consumer's personal information (a "consumer" being a natural person who is a California resident, as defined under the state's tax regulations) must, at or before the time the personal information is collected, clearly inform consumers of:
The categories of personal information to be collected
The purposes for which each of the categories of PI will be used
In the HR context, this means that employers must give this type of notice at the point of collection of employment-related information, including on a job application. Be clear and up front about the types of personal information you’re collecting from the job applicant as well as the purposes for which you’re collecting it. You’re not just asking for the candidate to fill out the requisite fields – you will be using the collected information for certain business and, potentially, commercial purposes.
Even if it’s clear you’re just gathering information because you’re collecting applications for evaluating candidates for a job, you need to say so up front. You also will need to be sure to give additional pre-collection notice if you onboard the candidate.
2. Specify what you're collecting and why
To be clear: Simply posting a notice is not enough. You also have to specify what data you're collecting and why.
What are you collecting?
To make sure you’re compliant, list in your pre-collection notice each category of personal information that you’re collecting. The CCPA sets forth the following 11 enumerated categories of personal information; common HR-specific examples (by no means exhaustive) are given for each:
Identifiers – name, address, email, SSN, DL number
Personal records – phone number, education/employment history, bank account details
Personal characteristics and traits – sex/gender, marital/veteran/familial status, race, disability
Commercial information – benefits records, records of reimbursement of expenses
Biometric information – finger/voice prints, retina scans
Internet usage information – browsing and search history
Geolocation data – physical location/movement, travel patterns (e.g. from company tracking devices)
Sensory data – audio/visual recordings (e.g. from security cameras)
Professional or employment information – resume, background checks, references
Non-public education records – educational institution transcripts and records
Inferences drawn from any of the above information – profiles reflecting abilities and aptitudes, aptitude testing results
Why are you collecting this information?
You also must fully disclose all business and commercial purposes for collecting the personal information. The first draft of the CCPA regulations, which applies in HR as elsewhere, specifies that the business or commercial purpose must be clearly outlined for each of the aforementioned categories you’re collecting.
This means you can’t simply say you’re ‘collecting data for your records’ – you need to go into detail. The CCPA requires being specific about which data will be used for which purposes. Because of the amount of detail required – which may not give the job applicant or employee any materially better information – this may result in a lengthy document. You might be better off building out a full notice (or a privacy notice containing the same information) on a separate page and linking to it from the pre-collection notice itself, which the proposed regulations permit.
The modified draft of the regulations still under consideration requires less granularity, as it removes the requirement to disclose the purposes for collection on a category-by-category basis. However, we will have to watch the rulemaking process to see where it lands.
For offline pre-collection notice, an example of sufficient notice provided by the regulations is “prominent signage directing consumers to where the notice can be found online.” Accordingly, it should suffice to provide a pre-collection notice as simple as: “For details on what personal information we collect and for what purposes visit [URL],” assuming that URL resolves to a notice which includes all of the detail required by the regulations.
As for data sharing, for notice at collection of employment-related information, you do not need to include a link to a “Do Not Sell My Personal Information” page – at least in 2020. This may change for 2021.
3. Clear language from the get-go
The proposed regulations require that pre-collection notice be plain and straightforward; legal jargon is prohibited. Job applicants and employees don’t necessarily have a degree in law, nor are they well-versed in legal jargon, so you are required to communicate what you’re doing in everyday language.
If you’re working with a legal document, don’t copy and paste – be familiar with the content itself and be ready to communicate it both verbally and in writing in such a way that job applicants and employees can fully understand what information you’re collecting and for what purposes.
4. Don’t do anything you didn’t say you would do
The CCPA specifies that a business cannot collect additional categories of personal information without providing the consumer with notice – replace “consumer” with “job applicant” or “employee” or “contractor”, and that’s how it applies to you in HR and to the person whose personal information you are collecting.
If you needed extra information on a job applicant or employee and you didn’t include a precursor in your pre-collection language about it, it’s better not to do it without giving notice to the job applicant or employee. The proposed regulations suggest that only registered data brokers are relieved of pre-collection notice when the collection is other than directly from the person. Also, keep in mind other laws like the Fair Credit Reporting Act, which require consent for background checks and give applicants the right to review the results.
5. Even publicly published information is protected
Many ATS solutions, like much software in general, can and do collect personal information automatically. Much of this is public – for instance, on LinkedIn, company pages, or any other public webpage – but nevertheless, even that ‘public’ personal information is covered by the CCPA.
However, data publicly available from a government publication is excluded from the definition of personal information.
Better safe than sorry
This doesn’t seem like a lot, but remember, it’s still early stages. The CCPA will get more complicated as it continues to take effect, and other states are considering robust privacy laws of their own. As said above, human resources isn’t nearly as impacted in 2020 as other functions are – but that can change as we go into 2021.
The spirit of “better safe than sorry” very much applies here – it’s best to get ahead and pre-empt any potential problems that may arise by following these five rules.