Processing employees' Data Access Requests ("DARs") under the CCPA
Brief Background
On January 1, 2023, the California Consumer Privacy Act of 2018 ("CCPA") became applicable to the personal information of employees, job applicants, subcontractors, contractors, and others in work roles who are California residents ("Employee Personal Information").
From the time it went into effect on January 1, 2020, the CCPA (through a series of legislative actions) largely exempted Employee Personal Information from its provisions. That exemption ended when the California Privacy Rights Act of 2020 ("CPRA"), approved by voters in the referendum of November 3, 2020, amended the CCPA and the California legislature declined to extend the exemption. Employees and others in the workforce now have the same rights the CCPA grants other California consumers. Enforcement of the amended CCPA provisions will begin on July 1, 2023 through the newly established California Privacy Protection Agency (the "Agency").
What Has Changed?
At the time of publication, the Agency has neither promulgated final regulations under the CCPA nor clarified how the CCPA applies to Employee Personal Information. The recommendations in this article are therefore subject to revision if the Agency issues further regulations on this topic.
California is the first state to extend comprehensive consumer privacy protections to Employee Personal Information. Employers are thus likely to confront numerous challenges in applying the provisions of the CCPA (which is not framed with such information in mind), particularly in California, which already has complex workplace laws and a notoriously litigious plaintiffs' employment bar. One of those challenges is responding to requests from employees exercising the rights the CCPA affords them. Data Access Requests ("DARs") by employees implicating Employee Personal Information, which resemble what are commonly called Data Subject Access Requests ("DSARs") under the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), raise novel questions and may require numerous judgment calls by employers.
California residents (including employees) have six basic rights under the CCPA: (i) the right to know; (ii) the right to correct; (iii) the right to delete; (iv) the right to opt out of the sale or sharing of personal information; (v) the right to limit the use and disclosure of sensitive personal information to that "necessary to perform the services or provide the goods reasonably expected by an average consumer..."; and (vi) the right not to be discriminated against for exercising these rights.
The right to limit applies to "sensitive personal information," which includes government identifiers (e.g., social security or driver's license numbers), financial account information, precise geolocation, union membership, racial or ethnic origin, and the contents of private communications of consumers, including employees. That right, however, applies only when a business uses the information to "infer[] characteristics" about a consumer. The term "inferring characteristics" is undefined, but it is unlikely to cover such direct employer uses of sensitive personal information as using social security numbers for payroll. Moreover, employers are unlikely to "sell" or "share" the personal information of their employees, for example by tracking employees for targeted advertising.
New Employee Rights: Right to Know, Right to Correct and Right to Delete
The three major rights to arise in the employment context are: (i) the right to know (or access); (ii) the right to correct; and (iii) the right to delete.
Right to know
The CCPA provides that "a consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about that consumer."
In responding to a request from a California resident regarding Employee Personal Information (which an employer must usually do free of charge), the employer should begin with the categories of personal information it knows it collects from job applicants, employees, and others. Although the right to know refers to "specific pieces of personal information," that term is not defined, which may present challenges for employee personal information that does not fall into a readily describable category, such as an employee identification number. Employers should therefore inventory the Employee Personal Information they collect before any DARs arrive. Employers should also recognize that the right to know may not require production of an entire personnel file, including performance reviews, but that such requests may need to be honored under the California Labor Code, which gives current and former employees the right to inspect and receive a copy of their personnel records.
The "right to know" requires that the employer provide "two or more designated methods" for submitting requests for information. In response to a "verifiable" request, the employer must identify "any personal information previously requested by the business" and "identify by category or categories the personal information collected... in the preceding 12 months by reference to the enumerated category or categories."
As with requests under the right to delete, certain exceptions apply to the right to know. An employer is not obligated to respond to more than two requests to know from the same individual in a 12-month period. The employer may "charge a reasonable fee, taking into account the administrative costs" of responding, or refuse requests that are "manifestly unfounded or excessive, in particular because of their repetitive character." The employer also need not produce privileged materials, data maintained solely for legal or compliance purposes, or information that is particularly sensitive or would reveal the personal information of another person. Nor must the employer disclose information that is exempt from the CCPA, including medical information, consumer reporting information subject to the Fair Credit Reporting Act of 1970, and information subject to certain other state and federal privacy laws.
Right to delete
Employees also "have the right to request that a business delete personal information about the consumer which the business has collected from the consumer" upon receipt of a "verifiable consumer request." A business need not comply with a request to delete if, among other reasons, "it is reasonably necessary for the business" to "complete the transaction for which the personal information was collected," which may include performance of contracts (e.g., paying employees). Employers may also refuse to delete information in order to "comply with federal, state, or local laws, comply with a court order or subpoena to provide information" or to "exercise or defend legal claims."
Right to correct
Employers must respond to an employee's verifiable request to correct "inaccurate personal information about the [employee], taking into account the nature of the personal information and the purposes of processing of the personal information." Although employees may request correction of plainly incorrect information in their records (such as a wrong name or address), this qualifier gives employers considerable discretion as to what counts as "inaccurate" given the nature of the information and the purposes for which it is processed. If the business is not the source of the information, it need not accept the requester's assertion of inaccuracy as sufficient.
Procedural and Practical Considerations
The CCPA and its regulations impose procedural requirements for complying with DARs, including requests from current or former employees. The employer must acknowledge receipt of a request to know, correct, or delete no later than 10 business days after receiving it. Before acting on a request, a business must verify the identity of the individual making it. The CCPA (as amended by the CPRA) requires "commercially reasonable methods" of authentication that are "reasonable in light of the nature of the personal information requested." A business should not require the requester to supply sensitive information, such as a social security number, solely in order to verify identity.
Employers should also establish a means for individuals to submit DARs for Employee Personal Information. A separate portal or web page for such requests is useful because it lets the employer distinguish a request concerning Employee Personal Information from a request submitted through an existing channel for other consumers (e.g., a link on a customer-facing website). A separate portal is also advisable given the sensitivity of the employment relationship. For similar reasons, employers should consider having DARs for Employee Personal Information handled by personnel familiar with sensitive workplace issues (such as the HR department) rather than the privacy team. Although the private right of action under the CCPA is very limited, the legal team should also be involved in vetting DARs.
Regulations promulgated under the CCPA (first by the California Attorney General and subsequently by the Agency) require that a business respond to requests to know, correct, and delete within 45 days of receipt. A business may extend this deadline once by an additional 45 days "where reasonably necessary," provided it notifies the employee within the initial 45-day period.
What Businesses Can Do To Comply
In advance of receiving DARs for Employee Personal Information, businesses subject to the CCPA should ensure that they have policies and procedures in place for the personnel who will respond to DARs.
Those personnel should be acquainted with the entity's practices for collecting personal information from job applicants, employees, and independent contractors, and should know where such information is stored.
They should also know the deadlines for complying with requests, as well as the permissible grounds for refusing them.
Privacy policies, internal compliance policies and procedures, and data inventories are necessary prerequisites for compliance with employee DARs under the CCPA.
Employers should also stay alert to changes in request procedures that future Agency regulations may impose, and should consult labor and employment counsel on coordinating DAR responses with California labor law.
This post was originally published on the OneTrust DataGuidance platform.