The California Privacy Rights Act (CPRA) is coming fast and even companies currently complying with the California Consumer Privacy Act (CCPA) will face new challenges, including the protection of human resource (HR) data, something previously exempt under the CCPA.
Before the CPRA comes into effect, HR professionals need to be prepared to understand and comply with this new legislation. While employers were previously obligated only to provide disclosure notices, they will now be required to give their employees the right to access, correct, and delete their data.
Explore what employers need to consider to be compliant with CPRA.
Slide 2
Speakers
● Jerel Pacis Agatep, Associate, Data Privacy & Workplace Monitoring, BakerHostetler
● Andrew Scott, Global Privacy Manager, TrustArc
● Joseph J. Lazzarotti, Privacy, Data Security and Social Media Practice Group Leader, Jackson Lewis P.C.
Slide 3
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Slide 4
Agenda
● CCPA Overview and its Impact on Employee Personal Information
● What changes to look for in Service Agreements with Vendors (e.g., PEOs, Staffing Agencies, and Benefit/Insurance Providers)
● Harmonization with Other State Frameworks
● How to Prepare/Operationalize for CPRA
● Questions & Answers
Slide 6
Potential Impacts on Organizations
● Compliance with CCPA
○ Fines for non-compliance
● Optics
○ More opportunities to build or lose trust with brand
● Employee Confidence
○ Providing employees with confidence to raise complaints without retaliation
○ Making employees aware of their rights and security of their data
● Increased Cross-Functional Collaboration
○ Communication must increase between Legal, HR, and Technology Departments regarding privacy matters (e.g., understanding automated employment decisions, increased training on responding to complaints/requests)
● Impacting In-House Resources
○ Need to reassess data flows, consult outside counsel, seek new technical solutions, implement new controls, regularly assess the effectiveness of the controls, and create new roles
● Corporate Governance
○ Increased need to establish a privacy stakeholder and consider privacy not as a cost but as core business strategy
● Global Regulatory Environment (Interoperability)
Slide 7
CCPA, CPRA, and CPPA Overview
● CCPA
○ What does it stand for? California Consumer Privacy Act of 2018
○ Origins: California State Law – Legislative Action
○ Intent: Intended to enhance privacy rights and consumer protection for residents of California
○ Effective: January 1, 2020 – July 1, 2023
● CPRA
○ What does it stand for? California Privacy Rights Act of 2020
○ Origins: California State Referendum – Voter Action
○ Intent: CCPA amendment that addresses issues and gaps created by the initial CCPA
○ Effective: January 1, 2023
● CPPA
○ What does it stand for? California Privacy Protection Agency
○ Origins: Established through the CPRA
○ Intent: Consists of a 5-member Board that directs an Agency on matters of enforcement, regulations, and education
○ Effective: January 1, 2023
Slide 8
CCPA’s Definition of Personal Information
CCPA Section 1798.140 (v) (1):
“‘Personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
. . .
(I) Professional or employment-related information. …”
*Personal Information does not include consumer information that is deidentified, aggregate consumer information, or publicly available information that is lawfully obtained. See CCPA Section 1798.140 (v) (2)-(3).
Slide 9
Employment-Related Information is Personal Information
“‘Employment-related information’ means personal information that is collected by the business about a natural person for the reasons identified in Civil Code section 1798.145, subdivision ([m])(1). The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a Business Purpose.” CCPA Regulations (recently renumbered): Section 7001 (k).
This could include a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of the business. See CCPA Section 1798.145 (m)(1).
A Business Purpose means the use of personal information for the business’ operational purposes, or other notified purposes, or for the service provider or contractor’s operational purposes, as defined by the regulations. See CCPA Section 1798.140 (e) (Business Purpose).
Slide 10
Why are we just now talking about Employment-Related Information?
● June 2018: AB 375 Signed – Establishes CCPA
● October 2019: AB 25 Signed – Exempts Employment Personal Information & B2B Information until 1/1/21
● January 2020: CCPA Operative
● July 2020: CCPA Enforcement Authority
● September 2020: AB 1281 extends Employment Personal Information & B2B Exemption until 1/1/23
● November 2020: CPRA Approved by California voters
● August 2022: Extension for Exemptions of Employment PI & B2B Did Not Pass
● January 2023: CPRA Operative
● July 2023: CPRA Enforcement Authority
Slide 11
Employee Rights Under CPRA
1. Right to access
2. Right to correction
3. Right to deletion
4. Right to opt out of the sale or share of data
5. Right to limit the use of sensitive personal information
6. Right to no retaliation
Previously under CCPA, personal information collected in the employment context was not subject to certain CCPA requirements, including CCPA Rights (i.e., Right to Know, Delete, Opt-Out of Sale, Nondiscrimination). Under CPRA, employees now have full consumer rights.
Slide 12
Balancing CPRA with Other California Employment Laws
Right to Know
● The California Labor Code has several laws affording workforce members the “right to know” certain types of workforce member information the employer has collected, including but not limited to
○ (1) Personnel File (Cal. Labor Code § 1198.5)
○ (2) All Documents Signed (Labor Code § 432), and
○ (3) Payroll Records (Labor Code § 226).
● However, the CCPA, as amended by the CPRA, may be broader in scope and may impose new and different obligations on employers that do not exist under the current Labor Code, including possible additional PI in scope (e.g., geolocation, biometric, internet activity, inferences drawn, etc.) and different timelines for compliance with a workforce member’s request.
Right to Delete
● Employers should assess federal, state and local retention requirements pertaining to workforce member PI, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code § 12946, and California Labor Code § 226, to determine potential exemptions to a deletion request under CCPA § 1798.105 (d)(8)’s “to comply with a legal obligation.”
Right to Opt Out of Sale or Share
● Employers should not only reassess their disclosure agreements with vendors but also ascertain whether their vendors are service providers, contractors or third parties under the CPRA, as disclosure of workforce member PI may be viewed as a “sale” under certain circumstances.
Slide 13
Exemptions’ Impact on CPRA
● More than two times in a 12-month period
● “Disproportionate effort”
● Conflict with federal/state law
● Fraud/abuse
● Right to correct
○ Accuracy
● Right to delete
○ Archives and back up
○ Deidentified/aggregate
● Right to limit
● Attorney client privilege (?)
Slide 14
What changes to look for in Service Agreements with Vendors (e.g., PEOs, Staffing Agencies, and Benefit/Insurance Providers)
Slide 15
Identify Your Vendors
Service Provider: “A person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer’s personal information for a business purpose…” CCPA 1798.140 (ag)(1)
○ Must have Contract Requirements in place pursuant to CCPA 1798.140 (ag)(1) & § 7051
■ Prohibition on contracting for Cross-Contextual Behavioral Advertising or Combining Personal Information from other sources
■ Use Limitation, Purpose Limitation, Disclosure Limitation, and Grant Right to Audit
Contractor: “A person to whom the business makes available a consumer’s personal information for a business purpose…” CCPA 1798.140 (j)(1)
○ All contractual prohibitions under “Service Provider,” including § 7051
○ Certification from contractor that contractor understands the required contractual prohibitions and will comply with them
Third Party: “Is neither a service provider, contractor, nor a business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the current interaction with the business.” 1798.140 (ai)
○ Likely combines non-public data from multiple sources
○ Grants right to the business to take reasonable and appropriate steps to ensure consistent use of data under CCPA and the regulations
Slide 16
What is a “sale”?
Is a California employee’s personal information being disclosed to a vendor for “monetary or other valuable consideration”?
● Monetary Consideration = Money
● Other valuable consideration = other “valuable” exchanges, such as swapping services for personal information; for example, the following may constitute a “sale” under CCPA:
○ cookies
○ pixels
○ other online trackers
Ask Yourself
● Is there a service provider/contractor agreement?
● Did the employee direct the transfer of personal information?
● Is the personal information being transferred to alert a third party that the employee has submitted an opt-out request regarding the sale of their personal information?
● Is the personal information being transferred as part of a merger, acquisition, bankruptcy, or similar transaction?
What is a “share”?
● Is the California resident’s personal information being disclosed to a vendor for cross-contextual behavioural advertising?
○ Cross-contextual behavioural advertising – targeting ads to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, websites, apps, or other services
Slide 17
CCPA in the News
Beauty Products Company Fined $1.2 Million in California Attorney General’s First CCPA Enforcement Action
● On August 24, the Office of the Attorney General (OAG) announced its first settlement under the CCPA, alleging that a company failed to:
○ Disclose to consumers that it was selling their personal information
○ Process user requests to opt out of sale via user-enabled global privacy controls
○ Provide a clear and conspicuous “Do Not Sell My Personal Information” link enabling consumers to opt out of the sale of their personal information; and
○ Provide two or more designated methods for submitting requests to opt out.
● The OAG also alleged Sephora violated California’s Unfair Competition Law by “making false or misleading statements of facts concerning Defendant’s sale of consumers’ personal information and unfairly depriving consumers of the ability to opt-out of this sale.”
Slide 18
CCPA in the News
What Happened?
● Beauty Products Company installed third-party software on its website and app to track online consumer activity – the OAG notably called it “commercial surveillance.”
● The OAG asserted the software could track all types of data and could build behavioral profiles of users, allowing Sephora to more effectively target potential customers.
○ By receiving this data, Sephora engaged in selling – benefitting from “other valuable consideration” in the CCPA’s definition of “sale”.
● The OAG also asserted there were no valid service-provider contracts in place, which is one exception to “sale” – contractually limiting the third-party tracking companies to processing requirements to establish them as “service providers” under the CCPA.
● What’s next? CPRA may pose more risk to online tracking activities – bringing the right to opt out of the sale of personal information AND of the transfer of personal information to a third party for cross-context behavioral advertising
Slide 19
Let’s Talk Red Flags in Vendor Management
● PEOs, Staffing Agencies, and Benefit/Insurance Providers
○ Who owns the data?
○ Can we use “Joint-Controller”?
● Contracts
○ Provisions that consider when service providers end up combining personal information?
○ Challenging requirements and provisions?
○ Granting and enforcing rights to audit / vendor assessment
● What Guidance is needed in a future rulemaking package?
○ Sensitive Personal Information
○ Business Purposes
● Practical Solutions
● Predictions for 2023
Slide 21
Harmonizing CCPA Requirements with Other Jurisdictions
The Other States
● Colorado - Colorado Privacy Act (CPA):
○ Goes into effect July 2023
○ To be covered by the law, the “controller” must (i) conduct business in the State of Colorado, (ii) determine the purposes and means of processing personal data, and (iii) satisfy at least one of the following requirements:
■ controls or processes the personal data of more than 100,000 Colorado residents per year
■ or derives revenue from selling the personal data of more than 25,000 Colorado residents.
● Connecticut - Connecticut Data Privacy Act (CTDPA):
○ Goes into effect July 2023
○ To be covered by the law, the "controller" must conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut and, during the preceding calendar year, either:
■ control or process data for at least 75,000 Connecticut residents,
■ or control or process personal data of at least 25,000 Connecticut residents and derive over 25 percent of gross revenue from the sale of personal data.
Slide 22
Harmonizing CCPA Requirements with Other Jurisdictions
The Other States
● Virginia Consumer Data Protection Act (VCDPA):
○ Goes into effect January 2023
○ To be covered by the law, the "controller" must conduct business in Virginia or produce products or services that are targeted to residents of Virginia and either:
■ during a calendar year, control or process data for at least 100,000 Virginians, or
■ control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.
● Utah - Utah Consumer Privacy Act (UCPA):
○ Goes into effect December 2023
○ To be covered by the law, the "controller" must conduct business in Utah or produce products or services that are targeted to residents of Utah and either:
■ during a calendar year, control or process data for at least 100,000 Utah residents, or
■ control or process personal data of at least 25,000 Utah residents and derive over 50 percent of gross revenue from the sale of personal data.
Slide 24
How to Prepare/Operationalize for CPRA
● Data Inventory
● Operationalize Vendor Management
○ Contract Templates for the Three Categories of Vendors
○ Conduct Assessments via either Third Party Vendors or Internal Audits (§ 7051 (a)(7) & (c))
○ Ensure Ability to Test Consent Systems and That Opt-Out Requests are Processed
● Update Privacy Notices (Internal/External)
○ Evaluate when Notice is Not Needed for Sensitive PI that is collected (§ 7027(m))
● Record Retention Practices
● Consult Counsel
● Find Tech-Enabled Privacy Solutions that Cover What You Need
● Update Employee Trainings
● Security Issues
● Show Good Faith by Being Proactive (§ 7301)
Slide 25
What Further Rulemaking is Needed
● Further Guidance on Sensitive Personal Information
● Further Guidance on Business Purposes
● Further Guidance on Requirements to Provide Notice
● Geolocation Data Collected on Company Devices
● Harmonizing Business Obligations to Respond to and Honor Consumer Requests
● Other?
Slide 28
Thank You!
See http://www.trustarc.com/insightseries for the 2022 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.